New stealthy malware designed to hunt down vulnerable Redis servers online has infected over a thousand of them since September 2021 to build a botnet that mines for Monero cryptocurrency.

Discovered by Aqua Security researchers Nitzan Yaakov and Asaf Eitani, who dubbed it HeadCrab, the malware has so far ensnared at least 1,200 such servers, which are also used to scan for more targets online.

"This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," the researchers said.

"We discovered not only the HeadCrab malware but also a unique method to detect its infections in Redis servers. Our method found approximately 1,200 actively infected servers when applied to exposed servers in the wild."

The threat actors behind this botnet take advantage of the fact that Redis servers don't have authentication enabled by default, as they are designed to be used within an organization's network and shouldn't be exposed to Internet access.

If admins don't secure them and accidentally (or intentionally) configure them to be accessible from outside their local network, attackers can easily compromise and hijack them using malicious tools or malware.

Once they gain access to servers that don't require authentication, the malicious actors issue a 'SLAVEOF' command that makes the hijacked server synchronize with a master server under their control, which is how the HeadCrab malware is deployed onto the newly compromised system.

HeadCrab malware (Aqua Security)

After being installed and launched, HeadCrab provides the attackers with all the capabilities required to take complete control of the targeted server and add it to their cryptomining botnet.

It will also run in memory on compromised devices to bypass anti-malware scans, and samples analyzed by Aqua Security have shown no detections on VirusTotal.

It also deletes all logs and only communicates to other servers controlled by its masters to evade detection.

"The attacker communicates with legitimate IP addresses, primarily other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions," the researchers added.

"The malware is primarily based on Redis processes which are unlikely to be flagged as malicious. Payloads are loaded through memfd, memory-only files, and kernel modules are loaded directly from memory, avoiding disk writes."

While analyzing the malware, they also found that the attackers mainly use mining pools hosted on previously compromised servers to complicate attribution and detection.

Furthermore, the Monero wallet linked to this botnet showed that the attackers are raking in an estimated annual profit of around $4,500 per worker, far higher than the usual $200/worker that similar operations make.

To defend their Redis servers, admins are advised to ensure that only clients within their networks can access them, to disable the "slaveof" feature if it's unused, and enable protected mode, which configures the instance to only respond to the loopback address and refuse connections from other IP addresses.
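An added example (not from the article, Aqua Security or the Redis project) that turns the advice above into an audit: it checks `protected-mode`, `bind` and `requirepass` as returned by `CONFIG GET`, and flags an instance that `INFO replication` shows replicating from a master outside an allow-list, which is the condition the SLAVEOF hijack leaves behind. The sample replies, the `198.51.100.23` address and the `TRUSTED_MASTERS` allow-list are constructed for the demonstration; in practice you would feed it redis-cli output.

```python
"""Offline audit of Redis settings against the hardening advice in the article."""
from typing import Dict, List

# Constructed sample shaped like `redis-cli INFO replication` on a server that
# has been turned into a replica of an outside host (the SLAVEOF pivot).
SAMPLE_INFO_REPLICATION = """# Replication
role:slave
master_host:198.51.100.23
master_port:6379
master_link_status:up
"""

# Constructed sample of CONFIG GET results; an empty requirepass means no password.
SAMPLE_CONFIG = {"protected-mode": "no", "bind": "0.0.0.0", "requirepass": ""}

# Assumed allow-list of masters this instance may legitimately replicate from.
TRUSTED_MASTERS = frozenset({"10.0.0.5"})

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_info(text: str) -> Dict[str, str]:
    """Turn the key:value lines of an INFO section into a dict, skipping '#' comments."""
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def audit(config: Dict[str, str], info_replication: str,
          trusted_masters=frozenset()) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if config.get("protected-mode", "").lower() != "yes":
        findings.append("protected-mode is off: instance answers non-loopback clients")
    # An empty bind means all interfaces; a leading '-' marks an optional address.
    binds = config.get("bind", "").split()
    if not binds or any(b.lstrip("-") in WILDCARD_BINDS for b in binds):
        findings.append("bind allows all interfaces: restrict to internal addresses")
    if not config.get("requirepass"):
        findings.append("requirepass is empty: no authentication required")
    repl = parse_info(info_replication)
    if repl.get("role") == "slave" and repl.get("master_host") not in trusted_masters:
        findings.append(f"replicating from untrusted master {repl.get('master_host')}: "
                        "possible SLAVEOF hijack")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_INFO_REPLICATION, TRUSTED_MASTERS):
        print("FINDING:", finding)
```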


Update February 03, 10:27 EST: A Redis spokesperson sent the following statement after the article was published:

Redis is very supportive of the cybersecurity research community, and we want to recognize AquaSec for getting this report out to benefit the Redis community. Their report shows the potential dangers of mis-configuring Redis. We encourage all Redis users to follow the security guidance and best practices published within our open source and commercial documentation. We also offer a free security course, as part of Redis University, which covers both our open source and commercial offerings.

We should note that there are no signs that Redis Enterprise software or Redis Cloud services have been impacted by these attacks.
