Researchers at Aqua Security detected a sophisticated campaign led by HeadCrab threat actors, who’re targeting internet-exposed Redis servers to hijack and add them to their botnet.
This, in turn, is used for crypto-mining purposes, specifically the Monero coin. Researchers note malware is custom designed to inject its payload in memory, so to avoid detection by security solutions. Redis server managers are advised to close ports and apply access restrictions to be safe.
Exploiting Redis Servers for Crypto-Mining
Nitzan Yaakov and Asaf Eitani from Aqua Security have detailed a botnet campaign – where a threat actor is distributing a new malware called HeadCrab against Redis servers. In this report, the researchers noted the campaign has been underway since September 2021 and now has over 1,200 vulnerable Redis servers infected!
The hackers are leveraging the fact that Redis servers don’t come with a default authentication – since they’re designed to be used within an organization’s network and shouldn’t be exposed to the internet without a significant purpose.
But there are times when admins expose them accidentally or make improper configurations – leading threat actors to exploit them for their use. The same happens in this case, as threat actors leveraging the exposed Redis servers trigger the ‘SLAVEOF‘ command and control them remotely.
This function also allows them to install HeadCrab – a relatively new malware that installs in the system memory of compromised servers. It deletes all logs and only communicates with servers controlled by hackers. And since these are the other Redis servers in the network, security solutions often don’t flag them.
Further, researchers noted the payload of this operation being installed in memory-only files, thus avoiding being blacklisted by antivirus software. All these compromised servers are then joined into a botnet for crypto-mining: especially Monero.
Researchers noted the Monero wallet linked to this botnet operation showed each worker earning $4,500 as annual profit – simply astonishing when compared to usual earnings of $200/worker in similar operations.
