HeadCrab malware targets Redis to mine cryptocurrency

February 2, 2023
A malware known as “HeadCrab” is being used to mine cryptocurrency via Redis servers, and approximately 1,200 servers have been taken over, according to research published Wednesday by cloud security vendor Aqua Security.

Redis is a popular open source database management system (DBMS) first released in 2009. Aqua’s research blog post, co-written by security researcher Asaf Eitani and security data analyst Nitzan Yaakov, noted that because Redis is meant to operate on a secure and closed network, the DBMS does not come with authentication enabled by default. As such, Eitani and Yaakov wrote, Redis instances have increasingly been targeted by threat actors in recent years.

Aqua Security’s blog post focuses on HeadCrab, a botnet malware first discovered in September 2021 that has, to date, compromised at least 1,200 servers. The post contains significant technical details for HeadCrab, which Eitani and Yaakov describe as “sophisticated, long-developed malware” that can evade traditional antivirus products.

“We have noticed that the attacker has gone to great lengths to ensure the stealth of their attack,” the authors wrote. “The malware has been designed to bypass volume-based scans as it runs solely in memory and is not stored on disk. Additionally, logs are deleted using the Redis module framework and API. The attacker communicates with legitimate IP addresses, primarily other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions.”

The attacker uses the “REPLICAOF” command to make the victim’s server a replica of another server controlled by the threat actor. The threat actor uses the malware to then create new Redis commands, enabling further control, and load malicious Redis modules onto the server.
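The two weaknesses the article describes, Redis shipping without authentication and replication or module loading being redirected by an attacker who can reach the port, are what a defender should audit for. The script below is an added example, not code from Aqua Security or the Redis project: it parses constructed sample replies in the text format `redis-cli INFO replication` and `MODULE LIST` produce, plus a redis.conf fragment, and reports an instance replicating from a master not on an operator allow-list, modules outside an approved set, and missing `requirepass` / `protected-mode`. The allow-lists and sample values are assumptions.

```python
import re

# Constructed sample replies standing in for `redis-cli INFO replication`,
# `redis-cli MODULE LIST` and the host's redis.conf (not from a real host).
INFO_REPLICATION = """# Replication
role:slave
master_host:203.0.113.10
master_port:6379
"""
MODULE_LIST = """1) 1) "name"
   2) "rediscmd"
   3) "ver"
   4) (integer) 1
2) 1) "name"
   2) "ReJSON"
   3) "ver"
   4) (integer) 20404
"""
REDIS_CONF = """bind 0.0.0.0
protected-mode no
"""
EXPECTED_MASTERS = {"10.0.0.5"}  # assumption: the only replication source we operate
ALLOWED_MODULES = {"ReJSON"}     # assumption: modules approved for this fleet

def parse_info(text):
    # INFO is "key:value" per line; section headers start with '#'
    return dict(l.split(":", 1) for l in text.splitlines() if l and l[0] != "#")

def parse_module_list(text):
    # redis-cli prints nested arrays; the quoted value after "name" is the module name
    return re.findall(r'"name"\s*\n\s*\d+\) "([^"]+)"', text)

def parse_conf(text):
    # one "directive value" per line, comments start with '#'
    return dict(l.split(None, 1) for l in text.splitlines()
                if l.strip() and l[0] != "#" and len(l.split(None, 1)) == 2)

def audit(info_text, module_text, conf_text):
    """Return the findings a defender would escalate for this instance."""
    findings, info, conf = [], parse_info(info_text), parse_conf(conf_text)
    if info.get("role") == "slave" and info.get("master_host") not in EXPECTED_MASTERS:
        findings.append(f"replica of unexpected master {info['master_host']}:{info['master_port']}")
    for name in parse_module_list(module_text):
        if name not in ALLOWED_MODULES:
            findings.append(f"unapproved module loaded: {name}")
    if "requirepass" not in conf:
        findings.append("requirepass unset: no authentication required")
    if conf.get("protected-mode", "yes") == "no" and conf.get("bind", "0.0.0.0").split()[0] in ("0.0.0.0", "*"):
        findings.append("protected-mode off while bound to all interfaces")
    return findings
```

On a real host, feed it the output of `redis-cli INFO replication`, `redis-cli MODULE LIST` and the running redis.conf; an unexpected master or an unknown module is the signal to start incident response rather than to simply reconfigure.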

Aqua Security discovered the malware because one of their honeypots was attacked. The attacker left a text note addressed to Aqua Security within the malware in which the attacker addressed themselves as HeadCrab — hence the malware name. The attacker said they were providing “unconditional basic income to [people] with some disadvantages.”

Aqua lead threat analyst Assaf Morag told TechTarget Editorial that the threat actor had no means of connecting the honeypot server to Aqua Security’s threat research department Team Nautilus, and that the actor did not contact Aqua directly. Morag suspects that the actor knew of Aqua Security due to the nature of HeadCrab’s campaign.

“The attacker discussed the transition from a tool that can easily be detected by security solutions to a partially fileless and fully fileless malware,” he said. “I believe he thought we had the highest chance to find such elusive malware because of our eBPF-based technology. And he was right.”

The HeadCrab botnet is primarily used for malicious cryptocurrency mining.

“The miner configuration file was extracted from memory and showed that the mining pools were mostly hosted on private legitimate IP addresses,” the post read. “Inspection of these IP addresses revealed that they belong to either clean hosts or a leading security company, making detection and attribution more difficult. One public Monero pool service was found in the configuration file but wasn’t used by the miner in runtime. The attacker’s Monero wallet showed an annual expected profit of almost $4,500 USD per worker, much higher than the typical $200 USD per worker.”

The blog post contained a map of compromised Redis instances, the majority of which appear to be in the Asia Pacific region, the U.S. and Western Europe.

Aqua Security made multiple recommendations in its post, such as ensuring Redis instances have configurations aligned with security best practices and initiating incident response should there be evidence of server compromise.

Redis did not respond to TechTarget Editorial’s request for comment at press time.

Alexander Culafi is a writer, journalist and podcaster based in Boston.



Read More: news.google.com
