December 7, 2023 at 01:57PM
A new version of HeadCrab malware targets Redis servers for cryptomining and further attacks, with over 1,100 additional infections reported by Aqua Security. The malware now has enhanced ability to hide its presence, and its sole user, Ice9, has interacted with researchers via a built-in “mini blog.” Security enhancements in Redis are advised to prevent further spread.
Takeaways from the Black Hat Europe 2023 meeting:
1. **Resurgence of HeadCrab Malware:** The malware known as HeadCrab, which infects devices to add them to a botnet primarily for the purpose of cryptomining, has emerged again with a new variant. This variant notably allows root access to Redis open source servers.
2. **Infection Count:** The first variant of HeadCrab compromised at least 1,200 servers, and the second variant has infected approximately 1,100 servers.
3. **Characteristics of the Malware:** The malware, while not traditionally categorized as a rootkit, possesses functionality allowing control over server responses, effectively rendering the malware invisible to users.
4. **Updates in The Second Variant:** Enhancements in the second iteration include the ability of attackers to conceal their actions by deleting custom commands and implementing encryption within the command and control structure.
5. **Ongoing Development:** The malware creator, referred to as Ice9, is believed to be continually evolving the malware. Researchers anticipate the emergence of newer versions and the potential adjustments following the publication of research findings.
6. **Unique Communication Feature:** HeadCrab’s latest variant contains a ‘mini blog’ where Ice9 shared technical details and provided a Proton Mail address for anonymous communication.
7. **Researcher Interaction:** The malware author communicated with Aqua Security researchers, asserting the malware does not degrade server performance and can eliminate other malware. Ice9 also provided a hash of the malware for analysis.
8. **Control and Usage:** The creator Ice9 is uniquely managing the HeadCrab botnet, without external user involvement. He controls the command and control infrastructure solely.
9. **Infection Mechanism:** HeadCrab exploits the Redis server by utilizing the SLAVEOF command, downloading a malicious module, and executing a cryptominer along with a configuration file.
10. **Preventive Recommendations:** Organizations are advised to scan for server vulnerabilities and configuration errors, and to employ protected mode in Redis as precautions against HeadCrab infections.
The presentation notably included a focus on the method of contact between the researchers and the malware creator, and the ongoing dialogue which uncovered additional technical insights.