Cyber security researchers have detailed an updated version of the malware HeadCrab which is known to target Redis database servers worldwide since early September 2021.
The development, which comes exactly one year after the malware was first made public by Aqua, is a sign that the financially motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to keep up with the tracking curve.
The cloud security firm said “the campaign nearly doubled the number of infected Redis servers,” with an additional 1,100 servers compromised, up from 1,200 reported in early 2023.
HeadCrab is designed to infiltrate Internet-exposed Redis servers and embed them into a botnet to illegally mine cryptocurrency, while also leveraging access to allow the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data on a remote server. server.
While the origins of the threat actor are not currently known, it is important to note in a “mini blog” embedded in the malware that the mining activity is “legal in my country” and that they do it because it “almost doesn’t work.” do not harm human life and feelings (if done well).”
The operator, however, acknowledges that it is a “parasitic and inefficient way” to make money, adding that their goal is to earn $15,000 a year.
“An integral aspect of HeadCrab 2.0’s sophistication lies in its advanced evasion techniques,” said Aqua researchers Asaf Eitani and Nitzan Yaakov. “Unlike its predecessor (called HeadCrab 1.0), this new version uses a fileless loading mechanism, demonstrating the attacker’s commitment to stealth and persistence.”
It is worth noting that the previous iteration used the SLAVEOF command to download and save the HeadCrab malware file to disk, thus leaving traces of artifacts in the file system.
HeadCrab 2.0, on the other hand, receives the malware content over the Redis communication channel and stores it in a fileless location in an effort to minimize forensic traces and make it much harder to detect.
The use of the Redis MGET command for command and control (C2) communications has also been modified in the new variant for greater secrecy.
“By hooking into this standard command, the malware gains the ability to control it during specific attacker-initiated requests,” the researchers said.
“Such requests are achieved by sending a special string as an argument to the MGET command. When this specific string is detected, the malware recognizes the command as coming from the attacker, triggering malicious C2 communication.”
Describing HeadCrab 2.0 as an escalation in the sophistication of Redis malware, Aqua said its ability to disguise its malicious activities in the guise of legitimate commands poses new detection problems.
“This evolution highlights the need for continued research and development of security tools and practices,” the researchers concluded. “The attacker’s intervention and subsequent evolution of the malware highlights the critical need for vigilant monitoring and intelligence gathering.”