A New HeadCrab Malware is Exploiting Redis Servers for Crypto-Mining

Aqua Researchers detailed a new campaign targeting internet-exposed Redis servers and exploiting them for crypto-mining.

Threat actors here are using a new malware named HeadCrab that installs itself and runs its operations entirely in the memory of a compromised system. This avoids detection by security solutions and helps the malware persist longer on the system.

HeadCrab Malware Analysis Against Redis Servers

Two researchers from Aqua Security, Nitzan Yaakov and Asaf Eitani, have discovered a new malware called HeadCrab that is targeting vulnerable Redis servers in the wild. Detailing this campaign, the researchers said that threat actors have compromised over 1,200 internet-exposed Redis servers since September 2021.

Because Redis servers have no authentication enabled by default, the threat actors scan the internet for exposed servers and inject their malware. Once a server is found, they remotely use the 'SLAVEOF' command on it to bring it under their control.

The attackers form all the compromised Redis servers into a botnet and use it for crypto-mining, specifically mining Monero. Researchers were astonished to find that each worker in this campaign earns around $4,500 per year via crypto-mining, while workers in other similar operations earn a mere $200 per year.

The threat actors are described as sophisticated because the malware is custom-made, with the ability to install and run directly from the system memory of a compromised server.

It also deletes all its logs and communicates only with the threat actor's C2 for commands, and these C2 hosts are mostly other Redis servers that have themselves been compromised as part of the botnet operation. This likewise avoids detection by security solutions, which assume traffic between two servers is benign.

Redis server administrators are advised to restrict access to the Redis port to clients within their own networks and to disable the "slaveof" feature if it is unused. Enabling protected mode is also recommended; it makes the server respond only to loopback addresses and refuse connections from other IP addresses.
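An added example (not from the article or from Aqua Security's research): a small Python audit that parses the redis.conf directives behind the advice above and flags the exposed settings, run over two constructed config snippets, one weak and one hardened. The directive names (bind, protected-mode, requirepass, rename-command) are real Redis settings; renaming SLAVEOF/REPLICAOF to an empty string is the classic pre-ACL way of removing the replication commands.

```python
# Added example: audit redis.conf for the exposure settings the article describes.
WEAK_CONF = """\
# constructed sample: internet-exposed, unauthenticated
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed sample: hardened counterpart of the same server
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass REPLACE-WITH-STRONG-PASSWORD
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

# Values that make Redis listen on every interface (Redis 7 also accepts "-::*").
WILDCARDS = {"0.0.0.0", "::", "*", "-::*"}

def parse_conf(text):
    """Yield (directive, argument-string) pairs, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(" ")
            yield name.lower(), rest.strip()

def audit(text):
    """Return a list of findings; an empty list means the checked settings are safe."""
    conf, disabled = {}, set()
    for name, args in parse_conf(text):
        if name == "rename-command":
            cmd, _, new = args.partition(" ")
            if new.strip().strip('"') == "":  # renamed to "" removes the command
                disabled.add(cmd.upper())
        else:
            conf[name] = args
    findings = []
    bind = conf.get("bind", "").split()
    if not bind or any(b in WILDCARDS for b in bind):  # no bind = all interfaces
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", "yes").lower() != "yes":  # default is yes
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass: no password set")
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append("replication: SLAVEOF/REPLICAOF still callable")
    return findings
```

The audit only reads the configuration file; a server whose settings were changed at runtime with CONFIG SET would need the same checks run through redis-cli CONFIG GET.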
