A rapidly spreading malware, named “HeadCrab” by researchers at Aqua Security, has targeted vulnerable Redis servers since September 2021. The threat actor has been mining Monero cryptocurrency on open source Redis servers worldwide for years using a custom-made malware variant that is virtually undetectable by conventional antivirus tools. Operating stealthily, the malware has infiltrated at least 1,200 Redis servers, mostly at smaller organizations that use Redis as a database or cache. The sophisticated group behind it has bypassed traditional security measures: the malware evades detection, exploits vulnerabilities, and has compromised a significant number of Redis servers.
Researchers from Aqua Nautilus discovered the campaign when it hit one of their honeypots. HeadCrab is a sophisticated, memory-resident malware that presents an ongoing threat to internet-connected Redis servers.
Malware Attack Flow
The HeadCrab malware spreads rapidly because many Redis servers run without authentication enabled, which attackers exploit to gain access and propagate their botnet. The malware abuses Redis replication, the mechanism that synchronizes data within a Redis Cluster, by designating a server as a “slave” (replica) of another “master” server within the cluster. This allows the malware to download a malicious Redis module containing the HeadCrab malware. The malware relies heavily on the Redis Modules API to communicate with its operator and is built specifically for Redis servers. It implements sophisticated obfuscation to stay hidden, executes over 50 actions in a completely fileless fashion, and uses a dynamic loader to evade detection. The threat actor modifies the normal behavior of the Redis service to avoid detection.
Administrators must be vigilant in securing their local network to prevent unauthorized access. The HeadCrab malware is installed after the system is hijacked, giving the threat actors complete control of the targeted server. The malware is designed to mine cryptocurrency and execute shell commands, as well as transmit data and load file-less kernel modules. To evade detection, the malware deletes log files and only communicates with servers under its control. The attackers seem to be specifically targeting Redis servers due to their knowledge of the Redis modules and APIs.
Annual Profit & Redis Commands
It has been determined that the Monero wallet linked to this botnet generated an annual profit of approximately $4,500 as a result of the attackers’ activities.
Profit margins like this are much higher than what is usually earned by similar operations, which make $200/worker on average.
The Redis commands the threat actor uses to operate the malware are:
- rdsa
- rdss
- rdsp
- rdsi
- rdsm
- rdsc
- rdsr
- rdsx
Whether the target runs on a virtual machine or in a container, the HeadCrab malware is designed to attack Redis servers stealthily.
Mitigation
To strengthen security and reduce the security risks associated with Redis servers, it’s recommended to:
- Limit access to Redis only to trusted clients.
- Enable protected mode for added security.
- Use the “bind” parameter to restrict communication to known hosts.
- Disable the “slaveof” (replication) feature if it is not in use.
- Verify the integrity of the software supply chain.
- Empower your DevOps, developers, and security teams to identify vulnerabilities using vulnerability and misconfiguration scanning tools.
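As an added illustration, not code from the article or from Aqua Security, the following Python script audits a redis.conf fragment for the settings the list above addresses (bind, protected mode, authentication, replication) and for MODULE and SLAVEOF/REPLICAOF commands left callable; the weak and hardened fragments it checks are constructed samples.

```python
"""Audit a redis.conf fragment for the exposure HeadCrab relies on (constructed example)."""
# Commands the attack chain needs: SLAVEOF/REPLICAOF to pull the module, MODULE to load it.
RISKY_COMMANDS = {"module", "slaveof", "replicaof"}

def parse_conf(text):
    """Map each directive (lower-cased) to the list of its argument strings.
    Only whole-line '#' comments are skipped, matching Redis' own parser."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        conf.setdefault(key.lower(), []).append(" ".join(args))
    return conf

def audit_redis_conf(text):
    """Return (severity, finding) tuples; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    for b in conf.get("bind", [""]):  # no bind directive = listen on every interface
        if not b.split() or set(b.split()) & {"0.0.0.0", "::", "*"}:
            findings.append(("high", "bind: listens on all interfaces"))
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append(("high", "protected-mode: disabled"))
    if not any(k in conf for k in ("requirepass", "user", "aclfile")):
        findings.append(("high", "auth: no requirepass or ACL configured"))
    for directive in ("replicaof", "slaveof"):  # replica of an unexpected master
        for master in conf.get(directive, []):
            findings.append(("medium", f"{directive}: replica of {master}"))
    renamed = {a.split()[0].lower() for a in conf.get("rename-command", []) if a}
    for cmd in sorted(RISKY_COMMANDS - renamed):
        findings.append(("low", f"{cmd.upper()}: command not renamed or disabled"))
    for mod in conf.get("loadmodule", []):  # review every module the server loads
        findings.append(("info", f"loadmodule: {mod}"))
    return findings
# Constructed sample fragments (not from the article or any real server).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```

Run it against a copy of a live redis.conf to get the same findings list; a replica entry pointing at a host you do not recognize is the setting the attack flow above leaves behind.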
Author: Guru
Author: Jai Vijayan, Contributing Writer, Dark Reading