A new type of malware that targets vulnerable, Internet-exposed Redis servers has been spreading rapidly since September 2021.
This fast-spreading malware is designed to operate stealthily and has already infiltrated over a thousand servers, forming a botnet that is used to mine Monero.
Nitzan Yaakov and Asaf Eitani, researchers at Aqua Security, discovered the malware a while ago and dubbed it HeadCrab. A total of 1,200 servers have been infected, and the compromised servers are also used to scan the internet for additional targets.
This sophisticated group has circumvented traditional security measures by creating highly specialized, state-of-the-art custom malware.
The result is a stealthy implant that evades detection, then exploits and takes control of a significant number of vulnerable Redis servers.
Redis servers have no authentication enabled by default, and the threat actors behind this botnet exploit that fact to propagate it.
Redis servers are typically meant to run inside an organization's network, which means the hosts should not be reachable from the Internet.
If administrators do not secure them properly, attackers are likely to compromise them using malicious tools or malware. In short, administrators must be extremely careful when configuring the local network and ensure that it cannot be accessed from outside.
After gaining access to a server that does not require authentication, the attackers issue the 'SLAVEOF' command.
This makes the victim synchronize with a master server under the attackers' control. Once the server has been hijacked in this way, the HeadCrab malware can be installed on it.
As soon as it has been installed and launched, HeadCrab gives the threat actors everything they need to take complete control of the targeted server and add it to their cryptomining botnet.
The threat actors appear to have focused on Redis servers because they are well versed in the Redis modules and APIs designed for those servers.
The memory-resident malware's ultimate goal is to hijack system resources for cryptocurrency mining. Besides executing shell commands, it can transmit data to remote servers and load fileless kernel modules.
To avoid detection, it also deletes all log files and communicates only with other servers that belong to its masters.
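The hijack described above leaves traces in the server's own state even when log files are gone: a victim that has been pointed at a foreign master reports `role:slave` with that master's address in `INFO replication`, a module loaded into the process shows up in `MODULE LIST`, and `CONFIG GET requirepass` reveals whether the instance accepts unauthenticated commands. The following audit is an added example, not code from Aqua Security or the Redis project; it works on captured command output so it runs offline. The replication output, the module names and the address 203.0.113.7 (a documentation-only range used as a placeholder) are constructed, and the allowlists are assumptions an operator would fill from their own inventory.

```python
"""Audit captured Redis state for the replica-hijack pattern: SLAVEOF/REPLICAOF
pointing at a master the operator does not own, a module nobody loaded, and
no password. All sample data below is constructed for illustration."""

# Constructed sample of `INFO replication` from a replica that has been pointed
# at a host outside the operator's inventory (203.0.113.7 is a placeholder).
SAMPLE_INFO_REPLICATION = (
    "# Replication\r\n"
    "role:slave\r\n"
    "master_host:203.0.113.7\r\n"
    "master_port:6379\r\n"
    "master_link_status:up\r\n"
    "master_sync_in_progress:0\r\n"
    "slave_read_only:1\r\n"
)

# Constructed sample of the module names reported by `MODULE LIST`;
# "rds" stands in for a module that is not in the operator's inventory.
SAMPLE_MODULES = ["ReJSON", "rds"]

# Constructed sample of `CONFIG GET requirepass` (returned as a key/value pair).
SAMPLE_REQUIREPASS = ["requirepass", ""]


def parse_info(text: str) -> dict:
    """Turn INFO output ('key:value' lines, '#' section headers) into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def audit(info_text, modules, requirepass_pair,
          *, allowed_masters=frozenset(), allowed_modules=frozenset()):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    info = parse_info(info_text)

    # INFO still reports "slave" for a replica in all Redis versions, whether it
    # was enslaved with SLAVEOF or its alias REPLICAOF.
    if info.get("role") == "slave":
        host = info.get("master_host")
        if host not in allowed_masters:
            findings.append(
                f"replica of unexpected master {host}:{info.get('master_port')} "
                "(SLAVEOF/REPLICAOF hijack pattern)")

    # Any module outside the inventory is worth a look: modules run in-process
    # and can be loaded without ever touching the disk the operator watches.
    for name in modules:
        if name not in allowed_modules:
            findings.append(f"unexpected loaded module {name!r} "
                            "(compare MODULE LIST against your inventory)")

    key, value = requirepass_pair[0], requirepass_pair[1]
    if key == "requirepass" and value == "":
        findings.append("no requirepass set: server accepts unauthenticated commands")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO_REPLICATION, SAMPLE_MODULES,
                         SAMPLE_REQUIREPASS, allowed_modules={"ReJSON"}):
        print("FINDING:", finding)
```

Run against live output by feeding `audit()` the results of `INFO replication`, `MODULE LIST` and `CONFIG GET requirepass` from your client of choice. A server that turns up as an unexpected replica can be detached with `REPLICAOF NO ONE` once the intrusion has been contained, but treat the host as compromised until the loaded modules and running processes have been accounted for.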
It has been determined that the Monero wallet linked to this botnet generated an annual profit of approximately $4,500 as a result of the attackers’ activities.
Profit margins like this are much higher than those of similar operations, which make about $200 per worker on average.
Below are the Redis commands that the threat actor uses to operate the malware:
Whether it runs on a virtual machine or in a container, HeadCrab is designed to attack Redis servers stealthily.
Mitigating the security risks associated with Redis servers and aligning the Redis configuration with security best practices will harden the environment.
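The weak settings the article describes (reachable from anywhere, no password, replication and module commands open to any client) next to their hardened counterparts, as an added redis.conf fragment that is not from the article or the Redis project. The bind addresses and the secret are placeholders to be replaced for a real deployment; the Redis 7.0 directive at the end is an assumption about the version in use and must be left out on older releases.

```conf
# Weak state the article describes; shown commented out for contrast.
# bind 0.0.0.0
# protected-mode no
# requirepass ""

# Listen only where the application servers actually connect from.
# (placeholder addresses; Redis does not accept inline comments, so keep
# comments on their own lines)
bind 127.0.0.1 ::1
protected-mode yes

# Require a password; generate a long random secret, this is a placeholder.
requirepass REPLACE-WITH-LONG-RANDOM-SECRET

# Replication is how the victim was enslaved: if this instance is not meant
# to be a replica, make the commands unavailable to clients.
rename-command SLAVEOF ""
rename-command REPLICAOF ""

# Modules were the delivery vehicle: block loading them at runtime.
rename-command MODULE ""

# Redis 7.0+ has a dedicated switch for the same purpose (assumed version;
# remove this line on older servers, which reject unknown directives).
enable-module-command no
```

Network controls still come first: a password and renamed commands limit what an attacker can do after connecting, but an instance that is not reachable from the Internet does not get the connection in the first place.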