Chris Swagler | February 9th, 2023

A new stealthy malware that scans the internet for vulnerable Redis servers has infected over a thousand servers over the last year and a half, building a botnet that mines Monero cryptocurrency. The malware, called HeadCrab, was discovered by threat researchers who found it had ensnared at least 1,200 servers worldwide, which are in turn used to look for more targets online. To infect numerous Redis servers, this threat actor employs cutting-edge, custom-made malware that is undetectable by agentless and traditional anti-virus solutions. The threat researchers also developed a unique method for detecting HeadCrab infections on Redis servers; when applied to exposed servers in the wild, the method discovered nearly 1,200 actively infected servers.

Malware Targeting Global Redis Servers

Redis servers are designed to be used inside a company's network and not exposed to the internet, so they do not have authentication enabled by default, and the threat actors behind the botnet exploit exactly that. If admins fail to secure the servers and, by accident or on purpose, configure them to be reachable from outside their local network, threat operators can easily breach and take over the servers using malicious tools or malware. Once the threat actors reach a server that requires no authentication, they issue a "SLAVEOF" command that makes the victim a replica of a master server under their control; the malicious master then pushes the HeadCrab malware onto the newly breached system. After being installed and deployed, HeadCrab gives threat operators all the capabilities needed to take complete control of the targeted servers and add them to their crypto-mining botnet. It also runs in memory on compromised machines to avoid anti-malware scans, and the sample analyzed showed no detections on VirusTotal.

To avoid detection, HeadCrab deletes all logs and only talks to servers controlled by its operators. To further limit the likelihood of being blacklisted by security solutions, the threat operators connect from legitimate IP addresses, mainly other compromised servers. The malware relies heavily on Redis processes, which are unlikely to be flagged as malicious. Payloads are loaded using memfd (memory-only files), and kernel modules are loaded directly from memory, eliminating the need for disk writes. While analyzing the malware, the security researchers discovered that the threat operators mostly use mining pools hosted on previously compromised servers to make attribution and detection more difficult. Additionally, the Monero wallet linked to the botnet revealed that the threat operators are making an estimated annual profit of about $4,500 per worker, far more than the typical $200 per worker made by similar operations.

Admins are advised to disable the "slaveof" feature if it is not in use and to ensure that only clients within their own networks can reach their Redis servers. Admins are also advised to enable protected mode, which configures the instance to respond only to loopback addresses and to refuse connections from any other IP address. With new malware emerging to breach network servers, it is important for companies to remain vigilant of the latest threat landscape and follow security guidelines and best practices to prevent future cyberattacks. At SpearTip, our certified engineers at our 24/7/365 Security Operations Center will examine companies' security posture and improve the weak points in their network. Our team will engage with companies' people, processes, and technology to measure the maturity of the technical environment. SpearTip will provide technical roadmaps for all vulnerabilities we uncover, ensuring that companies have the awareness and support to optimize their overall cybersecurity posture.
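The following audit script is an added example, not code from the article or from the researchers who analyzed HeadCrab. It checks the two things the advice above turns on: whether an instance has been re-pointed at an unexpected master via SLAVEOF (reported by Redis as `role:slave` in the `INFO replication` output) and whether protected mode, a password and a loopback-only bind are in place. It parses the text of `INFO replication` and a dictionary of `CONFIG GET` values so it runs offline on constructed samples; the sample addresses are placeholders. Note that Redis only enforces protected mode when no explicit bind address and no password are configured, so the script checks all three settings rather than protected mode alone.

```python
import ipaddress
from typing import Dict, List


def parse_info(text: str) -> Dict[str, str]:
    """Parse the 'key:value' lines of a Redis INFO reply; '#' lines are section headers."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key] = value
    return out


def _is_wildcard(addr: str) -> bool:
    """True for bind entries that expose the instance on every interface (0.0.0.0, ::, *)."""
    addr = addr.lstrip("-")  # Redis 7 allows an optional '-' prefix on bind entries
    if addr == "*":
        return True
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False


def audit_redis(info_text: str, config: Dict[str, str], trusted_masters: List[str]) -> List[str]:
    """Return a list of findings; an empty list means nothing risky was seen."""
    info = parse_info(info_text)
    findings: List[str] = []
    # A replica whose master is not on the allowlist is the post-SLAVEOF state to look for.
    if info.get("role") == "slave":
        master = info.get("master_host", "")
        if master not in trusted_masters:
            findings.append(f"replica of unexpected master {master}:{info.get('master_port', '?')}")
    if config.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode is disabled")
    if not config.get("requirepass"):
        findings.append("no requirepass set (unauthenticated access)")
    bind = config.get("bind", "").split()
    if not bind or any(_is_wildcard(b) for b in bind):
        findings.append("bound to all interfaces")
    return findings


# Constructed samples (hypothetical values): a re-pointed, wide-open instance and a hardened one.
SUSPECT_INFO = "# Replication\nrole:slave\nmaster_host:203.0.113.10\nmaster_port:6379\nmaster_link_status:up\n"
SUSPECT_CONFIG = {"protected-mode": "no", "requirepass": "", "bind": "0.0.0.0"}
HEALTHY_INFO = "# Replication\nrole:master\nconnected_slaves:0\n"
HEALTHY_CONFIG = {"protected-mode": "yes", "requirepass": "<set>", "bind": "127.0.0.1 -::1"}
```

On a live instance, feed the script the output of `redis-cli INFO replication` and `redis-cli CONFIG GET <name>` for each of the three settings.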

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
