Say it again

New stealth malware designed to hunt down vulnerable Redis servers online has infected more than a thousand since September 2021 to create a botnet that mines the Monero cryptocurrency.

Discovered by Aqua Security researchers Nitzan Yaakov and Asaf Eitani, who dubbed it HeadCrab, the malware has so far trapped at least 1,200 such servers, which are also used to search for other targets. online.

“This advanced threat actor uses cutting-edge, bespoke malware that is undetectable by agentless and traditional antivirus solutions to compromise large numbers of Redis servers,” the researchers said. said.

“We discovered not only the HeadCrab malware, but also a unique method to detect its infections in Redis servers. Our method found approximately 1,200 actively infected servers when applied to exposed servers in the wild.”

The threat actors behind this botnet are taking advantage of the fact that Redis servers do not have authentication enabled by default, as they are designed to be used within an organization’s network and should not be exposed to access. Internet.

If administrators fail to secure them and accidentally (or intentionally) configure them to be accessible from outside their local network, attackers can easily compromise and hijack them using malicious tools or software. malicious.

Once they gain access to servers that do not require authentication, malicious actors issue a “SLAVEOF” command to synchronize a master server under their control to deploy the HeadCrab malware to the newly hacked system.

HeadCrab Malware
HeadCrab Malware (Aqua Security)

After being installed and launched, HeadCrab provides attackers with all the necessary capabilities to take complete control of the targeted server and add it to their cryptomining botnet.

It will also work in memory on compromised devices to bypass anti-malware scans and samples scanned by Aqua Security showed no detection on VirusTotal.

It also deletes all logs and only communicates with other servers controlled by its masters to evade detection.

“The attacker communicates with legitimate IP addresses, primarily other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions,” the researchers added.

“Malware is mostly based on Redis processes which are unlikely to be flagged as malicious. Payloads are loaded via memfd, in-memory-only files, and kernel modules are loaded directly from memory, thus avoiding disk writes.”

While analyzing the malware, they also discovered that the attackers primarily used mining pools hosted on previously compromised servers to complicate attribution and detection.

Additionally, the Monero wallet linked to this botnet showed that attackers reap an estimated annual profit of around $4,500 per worker, well above the typical $200/worker that similar operations fetch.

To defend their Redis servers, administrators are advised to ensure that only clients on their networks can access them, to disable the “slaveof” feature if not in use, and to enable protected mode, which configures instance to only respond to the loopback address and refuse connections from other IP addresses.


Source link