A malware identified as "HeadCrab" is being used to mine cryptocurrency via Redis servers, and roughly 1,200 servers have been taken over, according to research published Wednesday by cloud security vendor Aqua Security.
Redis is a popular open source database management system (DBMS) first released in 2009. Aqua's research blog post, co-written by security researcher Asaf Eitani and security data analyst Nitzan Yaakov, noted that because Redis is meant to operate on a secure and closed network, the DBMS does not have authentication enabled by default. As such, Eitani and Yaakov wrote, Redis instances have increasingly been targeted by threat actors in recent years.
Aqua Security's blog post focuses on HeadCrab, a botnet malware first discovered in September 2021 that has, to date, compromised at least 1,200 servers. The post contains significant technical details for HeadCrab, which Eitani and Yaakov describe as "sophisticated, long-developed malware" that can evade traditional antivirus products.
"We have seen that the attacker has gone to great lengths to ensure the stealth of their attack," the authors wrote. "The malware has been designed to bypass volume-based scans as it runs solely in memory and is not stored on disk. Additionally, logs are deleted using the Redis module framework and API. The attacker communicates with legitimate IP addresses, primarily other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions."
The attacker uses the "REPLICAOF" command to make the victim's server a replica of another server controlled by the threat actor. The threat actor then uses the malware to create new Redis commands, enabling further control, and to load malicious Redis modules onto the server.
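The two runtime symptoms described above, an instance that has silently become a replica of a foreign master and modules that nobody deployed, are both visible to an administrator through the ordinary `INFO replication` and `MODULE LIST` commands. The following added example (not code from the Aqua Security post or the Redis project) parses that output and flags anything outside an allowlist; the `INFO` text, the module names, the documentation address 203.0.113.45 and the allowlists are all constructed for illustration.

```python
"""Flag a Redis instance replicating from an unapproved master (the REPLICAOF
pattern) or carrying modules not on an allowlist. Input is the raw text of
`INFO replication` and the module names from `MODULE LIST`, so any client can
feed it; all sample data here is constructed."""

# Constructed sample of `INFO replication` on a victim instance.
# 203.0.113.45 is a documentation address standing in for an attacker host.
SAMPLE_INFO_REPLICATION = """\
# Replication
role:slave
master_host:203.0.113.45
master_port:6379
master_link_status:up
master_last_io_seconds_ago:2
master_sync_in_progress:0
slave_read_only:1
connected_slaves:0
"""

# Constructed sample of module names; "rdsmod" is a placeholder for an
# unfamiliar module, not the name of any real artifact.
SAMPLE_MODULES = ["ReJSON", "rdsmod"]

# Hypothetical allowlists that a real deployment would maintain.
APPROVED_MASTERS = {"10.0.1.20:6379"}
APPROVED_MODULES = {"ReJSON"}


def parse_info(text: str) -> dict[str, str]:
    """Turn INFO's `key:value` lines into a dict, skipping `# Section` headers."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def audit_replication(info: dict[str, str], approved_masters: set[str]) -> list[str]:
    """Flag an instance that replicates from a master not on the allowlist.
    INFO still reports the replica role as `role:slave` for compatibility."""
    if info.get("role") != "slave":
        return []
    master = f"{info.get('master_host', '?')}:{info.get('master_port', '?')}"
    if master in approved_masters:
        return []
    status = info.get("master_link_status", "unknown")
    return [f"replicating from unapproved master {master} (link {status})"]


def audit_modules(loaded: list[str], approved_modules: set[str]) -> list[str]:
    """Flag loaded modules that are not on the allowlist."""
    return [f"unexpected module loaded: {name}" for name in loaded if name not in approved_modules]


def audit_instance(info_text: str, modules: list[str],
                   approved_masters: set[str] = APPROVED_MASTERS,
                   approved_modules: set[str] = APPROVED_MODULES) -> list[str]:
    """Combine both checks into one list of findings for an instance."""
    info = parse_info(info_text)
    return audit_replication(info, approved_masters) + audit_modules(modules, approved_modules)


if __name__ == "__main__":
    for finding in audit_instance(SAMPLE_INFO_REPLICATION, SAMPLE_MODULES):
        print("ALERT:", finding)
```

Run against the constructed sample, this reports the foreign master and the unknown module. A healthy standalone instance (`role:master`, only approved modules) yields an empty list, which makes the function easy to schedule as a periodic check across a fleet.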
Aqua Security discovered the malware because one of its honeypots was attacked. The attacker left a text note addressed to Aqua Security within the malware, in which the attacker referred to themselves as HeadCrab, hence the malware name. The attacker said they were providing "unconditional basic income to [people] with some disadvantages."
The HeadCrab botnet is primarily used for malicious cryptocurrency mining.
"The miner configuration file was extracted from memory and showed that the mining pools were mostly hosted on private legitimate IP addresses," the post read. "Inspection of these IP addresses revealed that they belong to either clean hosts or a leading security company, making detection and attribution more difficult. One public Monero pool service was found in the configuration file but wasn't used by the miner in runtime. The attacker's Monero wallet showed an annual expected profit of almost $4,500 USD per worker, much higher than the typical $200 USD per worker."
The blog post contained a map of compromised Redis instances, the majority of which appear to be in the Asia Pacific region, the U.S. and Western Europe.
Aqua Security made several recommendations in its post, such as ensuring Redis instances have configurations aligned with security best practices and initiating incident response should there be evidence of server compromise.
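The configuration points that matter for this incident follow from the article itself: authentication is off by default, and an anonymous client that can reach the port can issue REPLICAOF and MODULE. The added example below (not code from Aqua Security or the Redis project) statically audits a redis.conf for those settings, showing a constructed exposed configuration beside a constructed hardened one. The secret and renamed-command values are placeholders to be replaced, and `enable-module-command` applies only to Redis 7 and later.

```python
"""Static check of a redis.conf for authentication, interface binding, and
whether REPLICAOF/SLAVEOF, MODULE, CONFIG and DEBUG are reachable under their
default names. Both configurations below are constructed samples."""
import shlex

# Commands an anonymous client would need for the pattern the article
# describes; CONFIG and DEBUG are included as general hygiene.
RISKY_COMMANDS = {"REPLICAOF", "SLAVEOF", "MODULE", "CONFIG", "DEBUG"}
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}

WEAK_CONF = """\
# constructed: an instance exposed with no authentication
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed: the same instance with recommended settings applied
bind 127.0.0.1 -::1
protected-mode yes
requirepass "REPLACE-WITH-A-LONG-RANDOM-SECRET"
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command DEBUG ""
rename-command CONFIG "REPLACE-WITH-UNGUESSABLE-NAME"
enable-module-command no
"""


def parse_redis_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the list of argument lists it was given.
    A directive may repeat (rename-command does), so every occurrence is kept."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the "" used to disable a command
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def last_args(directives: dict, name: str, default: list[str]) -> list[str]:
    """Arguments of the last occurrence of a directive, or a default if absent."""
    return directives[name][-1] if directives.get(name) else default


def audit_conf(directives: dict[str, list[list[str]]]) -> list[str]:
    findings = []

    password = last_args(directives, "requirepass", [])
    has_acl = "aclfile" in directives or "user" in directives
    if not (password and password[0]) and not has_acl:
        findings.append("no authentication: requirepass is unset and no ACL users are defined")

    if [a.lower() for a in last_args(directives, "protected-mode", ["yes"])][:1] != ["yes"]:
        findings.append("protected-mode is disabled")

    bind = last_args(directives, "bind", [])
    if not bind:
        findings.append("no bind directive: the server listens on every interface")
    elif any(addr.lstrip("-") in WILDCARD_BINDS for addr in bind):
        findings.append("bind exposes the server on every interface")

    renamed = {args[0].upper() for args in directives.get("rename-command", []) if args}
    # Redis 7 can disable MODULE outright; older versions only have rename-command,
    # so an absent directive is treated as "command available".
    module_disabled = [a.lower() for a in last_args(directives, "enable-module-command", ["yes"])][:1] == ["no"]
    for cmd in sorted(RISKY_COMMANDS):
        if cmd in renamed or (cmd == "MODULE" and module_disabled):
            continue
        findings.append(f"{cmd} is reachable under its default name")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_conf(parse_redis_conf(conf)) or ['no findings']}")
```

The weak sample produces eight findings and the hardened one none. `rename-command` is the long-standing mechanism; on Redis 6 and later, ACL `user` directives that deny the same commands per user are the preferred replacement, and the check accepts either form of authentication.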
Neither Redis nor Aqua Security had responded to TechTarget Editorial's request for comment at press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.