HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining

Omega Balla
Cybersecurity researchers have detailed an updated version of the malware HeadCrab that’s known to target Redis database servers across the world since early September 2021. The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and

Cybersecurity researchers have detailed an updated version of the malware HeadCrab that’s known to target Redis database servers across the world since early September 2021.

The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve.

The cloud security firm said that “the campaign has almost doubled the number of infected Redis servers,” with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023.

HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

While the origins of the threat actor are presently not known, they make it a point to note in a “mini blog” embedded into the malware that the mining activity is “legal in my country” and that they do it because “it almost doesn’t harm human life and feelings (if done right).”

The operator, however, acknowledges that it’s a “parasitic and inefficient way” of making money, adding their aim is to make $15,000 per year.

“An integral aspect of the sophistication of HeadCrab 2.0 lies in its advanced evasion techniques,” Aqua researchers Asaf Eitani and Nitzan Yaakov said. “In contrast to its predecessor (named HeadCrab 1.0), this new version employs a fileless loader mechanism, demonstrating the attacker’s commitment to stealth and persistence.”

It’s worth noting that the previous iteration utilized the SLAVEOF command to download and save the HeadCrab malware file to disk, thereby leaving artifact traces on the file system.

HeadCrab 2.0, on the other hand, receives the malware’s content over the Redis communication channel and stores it in a fileless location in a bid to minimize the forensic trail and make it much more challenging to detect.

Also changed in the new variant is the use of the Redis MGET command for command-and-control (C2) communications for added covertness.

“By hooking into this standard command, the malware gains the ability to control it during specific attacker-initiated requests,” the researchers said.

“Those requests are achieved by sending a special string as an argument to the MGET command. When this specific string is detected, the malware recognizes the command as originating from the attacker, triggering the malicious C2 communication.”

Describing HeadCrab 2.0 as an escalation in the sophistication of Redis malware, Aqua said its ability to masquerade its malicious activities under the guise of legitimate commands poses new problems for detection.

“This evolution underscores the necessity for continuous research and development in security tools and practices,” the researchers concluded. “The engagement by the attacker and the subsequent evolution of the malware highlights the critical need for vigilant monitoring and intelligence gathering.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

RunC Flaws Enable Container Escapes, Granting Attackers Host Access

Next Post

Why the Right Metrics Matter When it Comes to Vulnerability Management

Related Posts

Will super chips disrupt the ‘everything to the cloud’ IT mentality?

Enterprise IT for the last couple of years has grown disappointed in the economics — not to mention the cybersecurity and compliance impact — of corporate clouds. In general, with a few exceptions, enterprises have done little about it; most saw the scalability and efficiencies too seductive.Might that change in 2024 and 2025? Apple has begun talking about efforts to add higher-end compute capabilities to its chip, following similar efforts from Intel and NVIDIA. Although those new capabilities are aimed at enabling more large language model (LLM) capabilities on-device, anything that can deliver that level of data-crunching and analytics can also handle almost every other enterprise IT task. To read this article in full, please click here
Avatar
Read More

The most significant number from Samsung’s Galaxy S24 announcement

My goodness, there's a lot to be said about Samsung's newly announced Galaxy S24 family of flagship Android devices.Aaaaand, spoiler alert: We won't be saying most of those things here, in this column, today.Now, don't get me wrong: Samsung's latest and greatest Galaxy models have tons of good stuff going for 'em. From the eye-catching hardware to the specs to end all specs, Samsung rarely holds back with its top-of-the-line Android offerings. And this year's devices appear to be no exception.To read this article in full, please click here
Avatar
Read More