New stealthy malware designed to hunt for vulnerable Redis servers online has infected over a thousand of them since September 2021 to build a botnet that mines for Monero cryptocurrency.
Discovered by Aqua Security researchers Nitzan Yaakov and Asaf Eitani, who dubbed it HeadCrab, the malware has so far ensnared at least 1,200 such servers, which are also used to scan for more targets online.
“This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers,” the researchers said.
“We discovered not only the HeadCrab malware but also a unique method to detect its infections in Redis servers. Our method found approximately 1,200 actively infected servers when applied to exposed servers in the wild.”
The threat actors behind this botnet take advantage of the fact that Redis servers do not have authentication enabled by default, as they are designed to be used inside an organization's network and should not be exposed to the Internet.
If admins do not secure them and accidentally (or deliberately) configure them to be accessible from outside their local network, attackers can easily compromise and hijack them using malicious tools or malware.
Once they gain access to servers that do not require authentication, the malicious actors issue a ‘SLAVEOF’ command that synchronizes the victim with a master server under their control, which is then used to deploy the HeadCrab malware onto the newly hijacked system.
Once installed and launched, HeadCrab provides the attackers with all the capabilities required to take full control of the targeted server and add it to their cryptomining botnet.
It also runs in memory on compromised devices to bypass anti-malware scans, and samples analyzed by Aqua Security have shown no detections on VirusTotal.
It also deletes all logs and only communicates with other servers controlled by its masters to evade detection.
“The attacker communicates with legitimate IP addresses, mainly other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions,” the researchers added.
“The malware is based primarily on Redis processes which are unlikely to be flagged as malicious. Payloads are loaded via memfd, memory-only files, and kernel modules are loaded directly from memory, avoiding disk writes.”
While analyzing the malware, they also found that the attackers mainly use mining pools hosted on previously compromised servers to complicate attribution and detection.
Additionally, the Monero wallet linked to this botnet showed that the attackers are raking in an estimated annual profit of around $4,500 per worker, far higher than the usual $200/worker that comparable operations make.
To defend their Redis servers, admins are advised to make sure that only clients inside their networks can access them, to disable the “slaveof” feature if it is unused, and to enable protected mode, which configures the instance to only reply to the loopback address and refuse connections from other IP addresses.
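The hardening advice above maps onto a handful of redis.conf directives, and a quick audit of those directives is an easy control to automate. The following Python is an added example (not from the article or from Aqua Security) that parses a redis.conf text and flags the settings HeadCrab relies on: an instance listening beyond loopback, protected mode switched off, no password, and SLAVEOF/REPLICAOF still callable. The two sample configs and the placeholder password are constructed for illustration.

```python
"""Audit a redis.conf for the exposure settings abused in the HeadCrab campaign."""

# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """
# listens on every interface, no auth, replication commands untouched
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass example-placeholder-password
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Map each directive to the list of its argument lists (directives may repeat)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text):
    """Return human-readable findings; an empty list means none of the checks fired."""
    d = parse_conf(text)
    findings = []
    # Redis binds to all interfaces when 'bind' is absent; a leading '-' on an address
    # only means "do not fail if the address is unavailable", so strip it before comparing.
    addrs = {a.lstrip("-") for args in d.get("bind", []) for a in args}
    if not addrs or not addrs <= LOOPBACK:
        findings.append("bind: instance reachable beyond the loopback address")
    if d.get("protected-mode", [["yes"]])[-1][:1] != ["yes"]:
        findings.append("protected-mode: disabled")
    if "requirepass" not in d:
        findings.append("requirepass: unset, unauthenticated clients are accepted")
    # rename-command to "" removes a command; on Redis 6+ an ACL rule such as -slaveof works too.
    disabled = {a[0].upper() for a in d.get("rename-command", []) if len(a) > 1 and a[1] in ('""', "''")}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"{cmd}: replication command still enabled")
    return findings
```

Run it over `WEAK_CONF` and it reports all five findings; the hardened version reports none, which is the state to aim for before an instance ever reaches a routable interface.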