Researchers have spotted a threat actor quietly mining Monero cryptocurrency on open source Redis servers, using a custom-made malware variant called “HeadCrab” that is virtually undetectable by agentless and conventional antivirus tools.
HeadCrab is described as memory-resident malware that affects Internet-connected Redis servers. Many of these servers do not have authentication enabled by default because they are meant to run on secure, closed networks. Nearly 1,200 servers have been compromised so far.
HeadCrab takes advantage of legitimate Redis server functionality: replication. Redis replication works on a master and slave model (the commands were renamed to master/replica in Redis 5, but the old names still work) in which data is synchronised and replicated across the cluster. Slave servers synchronise with the master server and perform a variety of actions, including downloading any modules that might be present on the master server. Redis modules are executable files (shared libraries) that administrators can use to extend the functionality of a Redis server.
The threat actor used the legitimate SLAVEOF Redis command to designate the honeypot as the slave of an attacker-controlled master Redis server. The master server then initiated a synchronisation process during which a malicious Redis module containing the HeadCrab malware was pushed to and loaded on the victim.
The malware uses the Redis API to communicate with an attacker-controlled command-and-control (C2) server, hosted on what appeared to be a legitimate but compromised host.
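The replication hijack described above leaves traces that an operator can check for without any agent: the instance reports itself as a slave of a foreign master in INFO replication, an unexpected module shows up in MODULE LIST, and (in the common variant of this technique, which the page does not spell out) dbfilename has been pointed at a shared object so the payload lands on disk before MODULE LOAD. The following audit is an added example, not code from Aqua or from the original article; the trusted networks, the module allowlist, the module name "sysmod" and the 203.0.113.10 master address are constructed for the sample and are not IOCs from the report.

```python
"""Audit a Redis instance for the replication-hijack pattern (added example).

Inputs are constructed copies of what `INFO replication`, `MODULE LIST`
and `CONFIG GET dbfilename` return, so the check runs offline.
"""
from ipaddress import ip_address, ip_network

# Hypothetical allowlists for one deployment (assumptions, not from the page).
TRUSTED_MASTER_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_MODULES = {"rejson", "search"}   # modules this deployment loads on purpose


def parse_info(text):
    """Parse the key:value body of a Redis INFO reply into a dict.

    Section headers start with '#' and lines are CRLF-terminated; both are
    handled so the raw wire reply can be passed in unchanged.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def master_is_trusted(host):
    """True if master_host falls inside one of the trusted replication networks."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False          # hostnames are not allowlisted here: treat as untrusted
    return any(addr in net for net in TRUSTED_MASTER_NETS)


def audit(info_text, loaded_modules, dbfilename):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    info = parse_info(info_text)

    # 1. SLAVEOF/REPLICAOF has pointed this instance at a master we do not own.
    if info.get("role") == "slave":
        host = info.get("master_host", "")
        if not master_is_trusted(host):
            findings.append(
                f"replicating from untrusted master {host}:{info.get('master_port')}")

    # 2. A module the deployment never intended to load is present.
    for name in loaded_modules:
        if name not in ALLOWED_MODULES:
            findings.append(f"unexpected module loaded: {name}")

    # 3. dbfilename naming a shared object is how a rogue master usually gets
    #    its module written to disk before MODULE LOAD (generic indicator,
    #    assumed here; the page does not state it).
    if dbfilename.endswith(".so"):
        findings.append(f"dbfilename set to a shared object: {dbfilename}")
    return findings


# Constructed sample: a replica of an outside host carrying one unknown module.
SAMPLE_INFO = (
    "# Replication\r\n"
    "role:slave\r\n"
    "master_host:203.0.113.10\r\n"   # TEST-NET address standing in for the attacker
    "master_port:6379\r\n"
    "master_link_status:up\r\n"
)
SAMPLE_MODULES = ["rejson", "sysmod"]   # "sysmod" is a made-up unknown module
SAMPLE_DBFILENAME = "module.so"

if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO, SAMPLE_MODULES, SAMPLE_DBFILENAME):
        print("FINDING:", finding)
```

Feed it the real replies from a client library (redis-py returns INFO as a dict already, so only the module and dbfilename checks need the raw text path) and alert on any non-empty result; a healthy master with only allowlisted modules and the default dump.rdb produces no findings.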
HeadCrab implements sophisticated obfuscation to remain hidden on compromised systems, executes more than 50 actions in a completely fileless fashion, and uses a dynamic loader to execute binaries and evade detection.
HeadCrab is also able to steal SSH keys in order to infiltrate other servers and potentially exfiltrate data, and it can load a fileless kernel module to completely compromise the server’s kernel.
HeadCrab is the second Redis-targeted malware reported in recent months. In December, researchers discovered Redigo, a Redis backdoor written in Go.
A Shodan search showed more than 42,000 Redis servers connected to the Internet. Around 20,000 of them allow some sort of access that could serve as a potential infection vector.
There are no signs that Redis Enterprise software or Redis Cloud services have been impacted by the HeadCrab attacks.
It is recommended to harden the configuration of Redis servers. Redis users should follow the security guidance and best practices published in Redis’s open source and commercial documentation.
This research was documented by researchers from Aqua Security.
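As an added illustration of that hardening advice (this fragment is not from the article or from Redis’s own documentation), here is a redis.conf excerpt showing the exposed settings that make the SLAVEOF-and-module attack possible beside their hardened equivalents. The interface address 10.0.0.5 and the password placeholder are assumptions; the enable-* directives exist in Redis 7 and later only.

```conf
# ---- Exposed settings: any remote client reaches the instance without
# ---- credentials and can issue SLAVEOF / MODULE LOAD at will.
bind 0.0.0.0
protected-mode no
# requirepass not set, no ACL users defined

# ---- Hardened equivalents.
# Listen only on loopback and the private replication interface
# (10.0.0.5 is an assumed address for this host).
bind 127.0.0.1 10.0.0.5
protected-mode yes
# Require a credential from every client; replace the placeholder with a long
# random secret, or define per-user ACL rules instead of a shared password.
requirepass CHANGE-ME-TO-A-LONG-RANDOM-SECRET
# Disable the commands the hijack relies on; a node that is meant to be a
# replica should get its master from a static "replicaof" line instead.
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
# Redis 7 and later: these are the defaults, stated explicitly so a later edit
# cannot silently re-enable module loading or CONFIG SET of dir/dbfilename.
enable-module-command no
enable-debug-command no
enable-protected-configs no
```

After restarting, confirm with redis-cli that SLAVEOF and MODULE now return an unknown-command error and that unauthenticated connections are refused with NOAUTH; if a server legitimately replicates, keep the replicaof directive in the file rather than re-enabling the runtime command.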
Indicators of Compromise (IOCs)
Monero wallet ID
HeadCrab malware MD5
Redis master IP address
Reverse shell IP addresses
Mining pool IP addresses
188.8.131.52 – Monero pool
184.108.40.206 – Hijacked IP serving as a mining pool