Newly discovered malware has been found in the wild exploiting vulnerable Redis servers to build a botnet that mines Monero cryptocurrency. The malware, dubbed HeadCrab, has been around since September 2021 and has infected thousands of Redis servers since then.
Redis is an in-memory data structure store that can be used as a database or cache. By default, Redis servers do not have authentication enabled, and therefore are meant to run on a secure network and not exposed to the Internet. The threat actors behind HeadCrab take advantage of this default configuration against servers that were inadvertently or unintentionally exposed to the Internet. Once the threat actor gains access to the Redis server, they run a “SLAVEOF” command, which forces a synchronization between the infected Redis server and the threat actor’s master server. The master server then deploys the HeadCrab malware in the form of a Redis module, which allows the threat actors to completely compromise the infected Redis server. From there, the cryptocurrency miner binary is loaded in-memory on the infected server and configured to mine Monero from a private pool.
The threat actors behind HeadCrab configured the malware to delete logs on the infected system and only communicate with infected systems from other infected systems in an attempt to evade detection. By using legitimate but infected IP addresses for communications, it also reduces the likelihood of being blacklisted by security controls.
Analyst Notes
Since Redis was designed to be accessed from within trusted environments by trusted clients, it is generally not recommended to expose any servers to the Internet. Since Redis does not use authentication by default, exposing a server to the Internet would allow anyone to freely access it and use it for any purpose they desire. Since version 3.2.0, Redis will, by default, enter a protected mode if it is configured as bound to all interfaces on the server. This protected mode will make it so that Redis only replies to queries from the loopback interfaces, thus preventing external parties from communicating with it. As this feature can be disabled by admins, it is highly recommended to keep this feature enabled on all Redis servers. This would help prevent any Redis servers that were accidentally exposed to the Internet from being compromised from an external entity. Finally, if the “SLAVEOF” feature is not being actively used in the Redis environment, it is recommended to disable it completely. This would help prevent more serious attacks from occurring, as a threat actor who accesses a Redis server would not be able to completely compromise it by syncing it with their own server.
https://www.bleepingcomputer.com/news/security/new-headcrab-malware-infects-1-200-redis-servers-to-mine-monero/
https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
