Newly discovered malware has been found in the wild exploiting vulnerable Redis servers to build a botnet that mines Monero cryptocurrency. The malware, dubbed HeadCrab, has been active since September 2021 and has infected thousands of Redis servers.
Redis is an in-memory data structure store that can be used as a database or cache. By default, Redis servers do not have authentication enabled; they are therefore intended to run on a trusted network and not be exposed to the Internet. The threat actors behind HeadCrab take advantage of this default configuration on servers that were inadvertently exposed to the Internet. Once the threat actor gains access to the Redis server, they run a “SLAVEOF” command, which forces the infected Redis server to synchronize with the threat actor’s master server. The master server then deploys the HeadCrab malware in the form of a Redis module, which gives the threat actors complete control of the infected Redis server. From there, the cryptocurrency miner binary is loaded in memory on the infected server and configured to mine Monero from a private pool.
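The abuse described above leaves visible traces in the server's own state: a replica role pointing at a master the operator never configured, a loaded module, and an unauthenticated, Internet-reachable instance. The following audit script is an added example, not code from the article or the HeadCrab analysis; it parses constructed samples of `INFO replication`, `CONFIG GET` and `MODULE LIST` output and flags those conditions. The `protected-mode` and `bind` checks go slightly beyond the article's text and are included as standard Redis hardening checks; the module name and addresses are placeholders.

```python
"""Audit a Redis instance for HeadCrab-style SLAVEOF abuse and weak exposure.

Added example (not from the article). Feed it the real output of
INFO replication, CONFIG GET and MODULE LIST; the samples below are
constructed so the script runs offline.
"""
from typing import Dict, List

# Constructed sample in the shape Redis returns for INFO replication.
SAMPLE_INFO = (
    "# Replication\r\nrole:slave\r\nmaster_host:203.0.113.45\r\n"
    "master_port:6379\r\nmaster_link_status:up\r\n"
)
# CONFIG GET results as key/value pairs; MODULE LIST as module names.
SAMPLE_CONFIG = {"requirepass": "", "protected-mode": "no", "bind": "0.0.0.0"}
SAMPLE_MODULES = ["placeholder_module"]  # placeholder name, not a real IoC
EXPECTED_MASTERS = {"10.0.0.5"}  # masters you deliberately configured (assumed)


def parse_info(raw: str) -> Dict[str, str]:
    """Turn 'key:value' lines from INFO into a dict, skipping '#' comments."""
    out = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            out[key] = value
    return out


def audit(info: str, config: Dict[str, str], modules: List[str],
          expected_masters=EXPECTED_MASTERS) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    repl = parse_info(info)
    # A replica pointed at an unknown master is the SLAVEOF technique in action.
    if repl.get("role") == "slave" and repl.get("master_host") not in expected_masters:
        findings.append(f"unexpected master {repl.get('master_host')}")
    if not config.get("requirepass"):
        findings.append("no requirepass set")  # the default the attackers rely on
    if config.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode disabled")
    if config.get("bind", "") in ("", "0.0.0.0", "*"):
        findings.append("bound to all interfaces")
    for name in modules:
        findings.append(f"loaded module: {name}")  # HeadCrab ships as a module
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO, SAMPLE_CONFIG, SAMPLE_MODULES):
        print("FINDING:", finding)
```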
The threat actors behind HeadCrab configured the malware to delete logs on the infected system and to communicate with infected systems only from other infected systems, in an attempt to evade detection. Routing communications through legitimate but compromised IP addresses also reduces the likelihood that the infrastructure is blacklisted by security controls.