New HeadCrab malware infects 1,200 Redis servers to mine Monero

New stealthy malware designed to hunt for vulnerable Redis servers online has infected over a thousand of them since September 2021, building a botnet that mines Monero cryptocurrency.

Discovered by Aqua Security researchers Nitzan Yaakov and Asaf Eitani, who dubbed it HeadCrab, the malware has so far ensnared at least 1,200 such servers, which are also used to scan for more targets online.

“This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers,” the researchers said.

“We discovered not only the HeadCrab malware but also a unique method to detect its infections in Redis servers. Our method found approximately 1,200 actively infected servers when applied to exposed servers in the wild.”

The threat actors behind this botnet take advantage of the fact that Redis servers don't have authentication enabled by default, as they are designed to be used inside an organization's network and should not be exposed to Internet access.

If admins don't secure them and accidentally (or intentionally) configure them to be accessible from outside their local network, attackers can easily compromise and hijack them using malicious tools or malware.

Once they gain access to servers that don't require authentication, the malicious actors issue a 'SLAVEOF' command to synchronize a master server under their control, deploying the HeadCrab malware onto the newly hijacked system.

HeadCrab malware (Aqua Security)

After being installed and launched, HeadCrab provides the attackers with all the capabilities required to take full control of the targeted server and add it to their cryptomining botnet.

It can also run in memory on compromised devices to bypass anti-malware scans, and samples analyzed by Aqua Security have shown no detections on VirusTotal.

It also deletes all logs and only communicates with other servers controlled by its masters to evade detection.

“The attacker communicates with legitimate IP addresses, primarily other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions,” the researchers added.

“The malware is based on Redis processes which are unlikely to be flagged as malicious. Payloads are loaded via memfd, memory-only files, and kernel modules are loaded directly from memory, avoiding disk writes.”
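The memory-only loading the researchers describe does leave a trace a defender can look for: on Linux, a file created with memfd_create() appears in /proc/<pid>/fd (and in /proc/<pid>/exe when a process was started from it) as a link of the form "/memfd:<name> (deleted)". The following is an added example, not code from Aqua Security or the article: it walks a process snapshot and flags processes that execute from, or hold open, such memory-only files. The snapshot embedded in the block is constructed so the example runs offline; snapshot_from_proc() collects the same structure from a live Linux host.

```python
"""Flag processes that execute from, or hold open, memfd-backed (memory-only) files.

Added example, not code from Aqua Security or the article. The SAMPLE_SNAPSHOT below
is constructed for illustration; snapshot_from_proc() reads a live Linux /proc.
"""
import os

# Link targets for memfd_create() files look like "/memfd:<name> (deleted)".
MEMFD_PREFIX = "/memfd:"

# Constructed snapshot of a Redis host: {pid: {"comm", "exe", "fds"}}.
SAMPLE_SNAPSHOT = {
    1: {"comm": "systemd", "exe": "/usr/lib/systemd/systemd",
        "fds": ["/dev/null", "socket:[1234]"]},
    4321: {"comm": "redis-server", "exe": "/usr/bin/redis-server",
           "fds": ["/dev/null", "socket:[5678]", "/var/lib/redis/dump.rdb"]},
    # A Redis process holding a memory-only file open (constructed indicator).
    4410: {"comm": "redis-server", "exe": "/usr/bin/redis-server",
           "fds": ["/memfd:payload (deleted)", "socket:[9012]"]},
    # A process whose executable itself lives only in memory (constructed indicator).
    4455: {"comm": "updater", "exe": "/memfd:x (deleted)", "fds": ["/dev/null"]},
}


def is_memfd_path(target):
    """True for the '/memfd:<name> (deleted)' form the kernel shows for memfd files."""
    return target.startswith(MEMFD_PREFIX)


def find_memfd_processes(snapshot):
    """Return [(pid, comm, reason)] for processes whose exe or any fd is memfd-backed."""
    hits = []
    for pid, info in sorted(snapshot.items()):
        exe = info.get("exe", "")
        if is_memfd_path(exe):
            hits.append((pid, info["comm"], "exe is memory-only: " + exe))
            continue
        memfds = [t for t in info.get("fds", []) if is_memfd_path(t)]
        if memfds:
            hits.append((pid, info["comm"],
                         f"{len(memfds)} open memfd file(s): " + ", ".join(memfds)))
    return hits


def snapshot_from_proc(proc="/proc"):
    """Build the same snapshot structure from a live Linux /proc.

    Entries that cannot be read (other users' processes, kernel threads) are skipped
    or recorded with empty values, so run as root for full coverage.
    """
    snap = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""
        fds = []
        fd_dir = os.path.join(base, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    fds.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    pass
        except OSError:
            pass
        snap[int(entry)] = {"comm": comm, "exe": exe, "fds": fds}
    return snap


if __name__ == "__main__":
    for pid, comm, reason in find_memfd_processes(SAMPLE_SNAPSHOT):
        print(f"pid {pid} ({comm}): {reason}")
```

Memfd use is not malicious on its own (browsers, display compositors and some JIT runtimes create such files), so treat a hit as triage input: on a host that should be running nothing but Redis, a redis-server process holding a memory-only file, or any process executing from one, is worth a closer look. Because the snapshot is a plain dictionary, the same function can be run over /proc data collected from several hosts by other tooling.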

While analyzing the malware, they also found that the attackers primarily use mining pools hosted on previously compromised servers to complicate attribution and detection.

Furthermore, the Monero wallet linked to this botnet showed that the attackers are raking in an estimated annual profit of around $4,500 per worker, a lot higher than the usual $200 per worker that similar operations make.

To defend their Redis servers, admins are advised to ensure that only clients inside their networks can access them, to disable the 'slaveof' feature if it is unused, and to enable protected mode, which configures the instance to only reply to the loopback address and refuse connections from other IP addresses.
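The exposure conditions in the infection chain above (an unauthenticated instance reachable from outside, with SLAVEOF still callable) and the hardening advice just given can be checked mechanically. The following is an added example, not code from Aqua Security, the article or the Redis project: it audits a redis.conf body for a wildcard bind, protected-mode off, a missing requirepass and replication commands that have not been disabled, and separately checks an INFO replication dump for an instance that has been turned into a replica of a master the operator did not choose. The exposed and hardened configurations, the INFO text and the allow-list of legitimate masters are all constructed for illustration.

```python
"""Audit a redis.conf body and an INFO replication dump for the exposure conditions
discussed above. Added example, not code from Aqua Security or the Redis project.
All sample configuration and INFO text is constructed; the allow-list of legitimate
masters is an assumed operator-supplied input.
"""

# Constructed sample: a configuration that leaves the instance open (all interfaces,
# protection disabled, no password, replication commands still available).
EXPOSED_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
# requirepass change-me   <- commented out, so no authentication at all
"""

# Constructed sample: the same instance hardened along the lines the article advises.
HARDENED_CONF = """
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass "a-long-random-secret-kept-out-of-band"
# Replication is not used here, so remove the commands the attackers rely on.
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

# Constructed sample: INFO replication output from an instance that now follows a
# master the operator does not recognise (203.0.113.0/24 is a documentation range).
HIJACKED_INFO = """# Replication
role:slave
master_host:203.0.113.45
master_port:6379
master_link_status:up
"""

# Bind addresses that mean "every interface" (leading '-' already stripped).
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Return {directive: [value, ...]} from a redis.conf body, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_conf(text):
    """Return a list of (code, message) findings for a redis.conf body."""
    conf = parse_conf(text)
    findings = []

    # No bind directive at all means Redis listens on every interface.
    binds = [a.lstrip("-") for v in conf.get("bind", []) for a in v.split()]
    if not binds or any(a in WILDCARD_BINDS for a in binds):
        findings.append(("BIND_ALL", "listens on all interfaces (no bind, or a wildcard bind)"))

    if any(v.strip().lower() == "no" for v in conf.get("protected-mode", [])):
        findings.append(("PROTECTED_MODE_OFF", "protected-mode is disabled"))

    if not any(v.strip().strip('"\'') for v in conf.get("requirepass", [])):
        findings.append(("NO_REQUIREPASS", "no password is required to issue commands"))

    # rename-command <CMD> "" removes a command entirely.
    disabled = set()
    for v in conf.get("rename-command", []):
        parts = v.split(None, 1)
        if len(parts) == 2 and parts[1].strip().strip('"\'') == "":
            disabled.add(parts[0].upper())
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append(("REPLICATION_CMDS_ENABLED",
                         "SLAVEOF/REPLICAOF can still point this instance at a foreign master"))

    for key in ("replicaof", "slaveof"):
        for v in conf.get(key, []):
            findings.append(("CONFIGURED_AS_REPLICA",
                             f"configured as a replica of {v}; confirm this is intended"))
    return findings


def audit_replication(info_text, allowed_masters=frozenset()):
    """Return findings for an INFO replication dump: a replica of a non-allow-listed master."""
    info = {}
    for line in info_text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    findings = []
    if info.get("role") == "slave" and info.get("master_host") not in allowed_masters:
        findings.append(("UNEXPECTED_MASTER",
                         f"replicating from {info.get('master_host')}:{info.get('master_port')}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf))
    print("replication", audit_replication(HIJACKED_INFO, allowed_masters={"10.0.0.5"}))
```

Run the config audit against the file on disk and the replication check against the output of `redis-cli INFO replication` on each instance; a replica whose master_host is not one of your own hosts is the runtime counterpart of the SLAVEOF step in the infection chain. Renaming the commands to an empty string is the classic way to disable them; on Redis 6 and later, ACL rules that deny SLAVEOF and REPLICAOF to application users achieve the same effect with finer control.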
