A new, highly stealthy malware called HeadCrab has been infecting Redis servers online and building a botnet to mine Monero cryptocurrency. The HeadCrab malware has compromised over 1,200 Redis servers, which it also uses to scan for further targets. The threat actors behind HeadCrab have developed custom malware that is highly advanced and not easily detected by traditional anti-malware solutions or agentless systems. Details about the HeadCrab malware and its operations were released in a report by infosec researchers.
Infection Vector Exploited by HeadCrab Malware
The attackers behind this botnet exploit a weakness in how Redis servers are deployed: Redis is designed for internal use within an organization's network and does not require authentication by default. If administrators expose such a server to the Internet, whether accidentally or intentionally, without securing it properly, the attackers can easily gain control using threatening tools or malware. Once they have access to an unauthenticated server, the attackers issue a "SLAVEOF" command that makes it synchronize with a master server under their control, allowing them to deploy the HeadCrab malware onto the newly hijacked system.
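The exposure described above can be checked from the server's own configuration. The following is an added example, not code from the report or from Redis, that audits a redis.conf for the settings that allow an unauthenticated, Internet-reachable instance to be repointed at a rogue master; it assumes the standard Redis directives bind, protected-mode, requirepass, rename-command and the ACL directives user/aclfile, and the sample configs are constructed.

```python
# Commands used to repoint an exposed Redis at a rogue master and load code;
# rename-command <CMD> "" disables them on servers that never need replication.
RISKY_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG")
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*", "-0.0.0.0"}

def parse_conf(text):
    """Map each directive (lower-cased) to the list of value-lists it was given."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, *values = line.split()
        conf.setdefault(name.lower(), []).append([v.strip('"\'') for v in values])
    return conf

def last_value(conf, name, default):
    """Value of the final occurrence of a directive (Redis keeps the last one)."""
    occurrences = conf.get(name)
    return occurrences[-1][0] if occurrences and occurrences[-1] else default

def audit(text):
    """Return findings for a redis.conf; an empty list means no check fired."""
    conf = parse_conf(text)
    findings = []
    binds = [v for vals in conf.get("bind", []) for v in vals]
    if not binds or WILDCARD_BINDS & set(binds):   # no bind line = all interfaces
        findings.append("reachable on all interfaces: no bind line, or a wildcard bind")
    if last_value(conf, "protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode disabled")
    authed = last_value(conf, "requirepass", "") or "user" in conf or "aclfile" in conf
    if not authed:
        findings.append("no requirepass and no ACL users: commands accepted unauthenticated")
    renamed = {vals[0].upper() for vals in conf.get("rename-command", []) if vals}
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} still enabled under its default name")
    return findings

# Constructed sample configs (not taken from the report).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "correct-horse-battery-staple"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

On Redis 6 and later, ACL rules (for example a user without the @dangerous category) are the preferred replacement for rename-command; this check only recognises the rename form.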
HeadCrab Malware's Harmful Capabilities
Once installed and activated, HeadCrab gives the attackers the full range of abilities needed to take over the targeted server and incorporate it into their crypto-mining botnet. It operates in the memory of compromised devices to evade anti-malware scans, deletes all logs, and communicates only with other servers controlled by its operators to avoid detection.
The attackers communicate over legitimate IP addresses, primarily those of their other compromised servers, to evade detection and reduce the risk of being blocked by security solutions. In addition, HeadCrab runs mostly within Redis processes, which are unlikely to be flagged as threatening or suspicious. Payloads are loaded through 'memfd' memory-only files, and kernel modules are loaded directly from memory, avoiding disk writes.
Analysis of the Monero wallet address associated with the HeadCrab campaign indicates that the attackers are earning an estimated annual profit of about $4,500 per worker. If that estimate is accurate, it is a dramatic increase over the roughly $200 per worker typically observed in other operations of this type.