Since September 2021, more than a thousand internet-exposed Redis servers have been infected by a stealthy malware dubbed “HeadCrab”, built to assemble a botnet that mines Monero cryptocurrency.
New HeadCrab Malware
Redis can be deployed as a cluster that shards data across several servers, but the feature this campaign abuses is master-replica replication: data written to a master is copied to one or more replica (historically “slave”) servers. The SLAVEOF command (REPLICAOF in Redis 5 and later) tells a server to become a replica of a given master and start synchronising from it.
The purpose of the campaign was to ensnare internet-exposed Redis servers into a botnet for cryptocurrency mining. Aqua identified roughly 1,200 infected servers and, based on the Monero wallet found in the samples, estimates that the attackers earned almost $4,500 per worker per year.
HeadCrab’s operators rely on the fact that Redis does not require authentication by default. Once they can reach an exposed server, they issue a SLAVEOF command that points it at an attacker-controlled master, and use that replication link to install HeadCrab on the now-subordinate server.
HeadCrab also runs entirely in memory on infected hosts to evade anti-malware scans; the samples examined returned no detections on VirusTotal.
To stay under the radar it routes its traffic through what appear to be legitimate IP addresses, deletes logs on the host, and communicates only with other servers under its operators’ control.
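The replication hijack described above leaves a trace that log deletion cannot erase: the server’s own replication state. The following check, an added example that is not code from the original article or from Aqua, parses the output of `redis-cli INFO replication` and flags a host that has become a replica of a master it was never meant to follow. The allowlist, the 198.51.100.23 master address and both INFO samples are constructed assumptions.

```python
# Added example: detect a Redis instance that has been turned into a replica of an
# unexpected master (the state a "SLAVEOF <attacker-host>" command leaves behind).

# Masters this host is allowed to replicate from (assumption: our own server).
ALLOWED_MASTERS = {"10.0.0.5"}

# Constructed sample: a server that was made a replica of an unknown master.
INFO_HIJACKED = """# Replication
role:slave
master_host:198.51.100.23
master_port:6379
master_link_status:up
master_last_io_seconds_ago:2
slave_read_only:1
connected_slaves:0
"""

# Constructed sample: a healthy standalone instance with no replicas.
INFO_STANDALONE = """# Replication
role:master
connected_slaves:0
master_replid:8c0e1d3f5a7b9c2d4e6f8a0b1c2d3e4f5a6b7c8d
master_repl_offset:0
"""


def parse_info(text):
    """Parse the key:value lines of an INFO section into a dict; '#' lines are headers."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def check_replication(info_text, allowed_masters=ALLOWED_MASTERS, expect_replicas=False):
    """Return findings about the replication state; an empty list means nothing suspicious."""
    info = parse_info(info_text)
    findings = []
    if info.get("role") == "slave":
        master = info.get("master_host", "?")
        port = info.get("master_port", "?")
        if master not in allowed_masters:
            # A replica of a host we do not own: exactly what a hijacking SLAVEOF produces.
            findings.append(f"replica of unexpected master {master}:{port}")
        elif info.get("master_link_status") != "up":
            findings.append(f"link to master {master}:{port} is down")
    elif not expect_replicas and int(info.get("connected_slaves", "0")) > 0:
        # A server never meant to act as a master is streaming its data to someone.
        findings.append(f"{info['connected_slaves']} replica(s) attached to a host that should have none")
    return findings


if __name__ == "__main__":
    for name, sample in (("hijacked", INFO_HIJACKED), ("standalone", INFO_STANDALONE)):
        print(name, check_replication(sample) or "ok")
```

Against a live server, feed the check the output of `redis-cli -h <host> INFO replication`; a `role:slave` line naming a host outside your allowlist is a strong indicator regardless of what the attacker has done to the logs.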
Administrators are advised to restrict access to Redis servers to clients inside their own network and to disable the SLAVEOF command (and its REPLICAOF alias) wherever replication is not needed.
To reduce the risk to Redis deployments, harden the environment by making sure the Redis configuration follows security best practices:
Keep protected mode enabled (it is on by default since Redis 3.2). When no bind address and no password are configured, it refuses connections from anything other than the loopback interface, which is exactly the exposure this campaign exploits; this matters most for cloud-hosted instances that end up with a public address.
Use the bind directive to limit the interfaces Redis listens on to known, trusted addresses. Note that bind controls where Redis listens, not which clients may connect, so pair it with authentication (requirepass or ACL users) and network firewall rules.
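The hardening points above can be checked mechanically. The script below, an added example rather than code from the original article or from Redis, parses a redis.conf and reports the weak settings HeadCrab depends on: protected mode off, a wildcard bind address, no authentication, and SLAVEOF/REPLICAOF still enabled. Both configuration files are constructed for the example; the 10.0.0.5 address and the placeholder password are assumptions.

```python
# Added example: audit a redis.conf for the settings the HeadCrab campaign abuses.
import shlex

# Constructed sample of a weak configuration like the exposed instances described above.
WEAK_CONF = """bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample of the same instance hardened per the recommendations above.
HARDENED_CONF = """bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
# Renaming a command to the empty string disables it.
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""


def parse_conf(text):
    """Map each directive to the list of argument lists it was given (directives may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" used by rename-command
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_conf(text):
    """Return a list of weak-setting findings; an empty list means the checks all passed."""
    conf = parse_conf(text)
    findings = []

    # protected-mode defaults to yes; only an explicit "no" turns it off.
    if conf.get("protected-mode", [["yes"]])[-1][:1] != ["yes"]:
        findings.append("protected-mode is disabled")

    # bind: missing means all interfaces; 0.0.0.0 / :: / * mean the same thing explicitly.
    binds = conf.get("bind")
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    elif any(addr in ("0.0.0.0", "::", "*") for addr in binds[-1]):
        findings.append("bind includes a wildcard address")

    # Authentication: either a legacy requirepass or at least one ACL user must exist.
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no requirepass or ACL user configured")

    # SLAVEOF and REPLICAOF are disabled only if renamed to the empty string.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == ""}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"{cmd} command is still enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or "ok")
```

Disabling SLAVEOF alone is not enough on Redis 5 and later, where REPLICAOF is a separate command name; the audit therefore requires both to be renamed away. If replication is genuinely needed, leave the commands in place and rely on bind, authentication and firewalling instead.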
Indications Of Compromise (IOCs)
Monero wallet ID
HeadCrab malware MD5
Redis master IP address
Reverse shell IP addresses
Mining pool IP addresses
126.96.36.199 – Monero pool
188.8.131.52 – Hijacked IP serves as a mining pool