The newly developed HeadCrab malware preys on Redis servers

February 10, 2023

Threat actors have developed a new malware strain, HeadCrab, that hunts for exposed Redis servers on the internet and enrols them in a botnet that mines the Monero cryptocurrency.

Researchers disclosed that the evasive malware has already compromised more than 1,200 servers, which the operators then use to scan the internet for further targets. The operators are not exploiting a software flaw: they take advantage of the fact that Redis does not enable authentication by default.

Redis ships without authentication turned on because it is designed to run inside an organisation's trusted network and was never meant to be reachable from the internet.

Any instance that an administrator leaves unsecured and reachable from the internet can therefore be hijacked with little effort, using off-the-shelf tools or purpose-built malware.

Threat actors scour the internet for exposed Redis servers on which to deploy the HeadCrab malware.

Once the attackers reach a server that requires no authentication, they issue the SLAVEOF command, which turns the exposed instance into a replica of a master server under their control; the synchronisation that follows delivers the HeadCrab payload to the victim.

HeadCrab then gives the operators everything they need to take full control of the server and add it to the cryptomining botnet.

The malware runs entirely in memory on the compromised host to evade detection, deletes logs, and communicates only with other servers controlled by the attackers, which helps it slip past security scans.
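Because the malware wipes logs, the most reliable trace of the SLAVEOF hijack described above is the live replication state of the Redis node itself. The script below is an added example, not code from the original report or from the HeadCrab researchers: it parses the output of "INFO replication" and raises an alert when the node is replicating from a master that is not on an operator-maintained allow-list. The ALLOWED_MASTERS list, the sample INFO outputs and the master address 203.0.113.7 are all constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed, not from the article or the Aqua research).
# Detects a Redis node that has been turned into a replica of an unknown
# master, which is the state the SLAVEOF abuse leaves behind.
# Assumption: ALLOWED_MASTERS is a hypothetical operator-maintained list of
# legitimate master host:port pairs.

ALLOWED_MASTERS="10.0.1.10:6379 10.0.1.11:6379"

# info_field INFO_TEXT FIELD -> value of the "field:value" line, CRLF stripped
# (IPv4 master_host only; an IPv6 literal would contain extra colons)
info_field() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F: -v f="$2" '$1 == f { print $2; exit }'
}

# check_replication INFO_TEXT -> prints "OK ..." or "ALERT ..."; always returns 0
check_replication() {
    info=$1
    role=$(info_field "$info" role)
    case "$role" in
        master)
            echo "OK: node is a master"
            ;;
        slave)
            # Redis still reports "role:slave" for replicas in current versions
            master="$(info_field "$info" master_host):$(info_field "$info" master_port)"
            for allowed in $ALLOWED_MASTERS; do
                [ "$master" = "$allowed" ] && { echo "OK: replica of known master $master"; return 0; }
            done
            echo "ALERT: node replicates from unknown master $master (possible SLAVEOF hijack)"
            ;;
        *)
            echo "ALERT: could not determine role from INFO replication"
            ;;
    esac
    return 0
}

# Constructed sample of what "redis-cli INFO replication" returns on a
# hijacked node; the master address is made up.
HIJACKED_INFO='# Replication
role:slave
master_host:203.0.113.7
master_port:6379
master_link_status:up
slave_read_only:1'

# Constructed sample from a healthy stand-alone node
HEALTHY_INFO='# Replication
role:master
connected_slaves:0'

# Demo on the two constructed samples
check_replication "$HEALTHY_INFO"
check_replication "$HIJACKED_INFO"
```

Against a live instance the call would be check_replication "$(redis-cli -h HOST INFO replication)", run from a host that is allowed to reach the server; a node that was never configured as a replica but reports an external master_host is the signal to investigate.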

The researchers also found that the operators mostly use mining pools hosted on previously compromised servers rather than public pools, which makes the activity harder for analysts and defenders to trace.

The Monero wallet tied to the botnet indicates that the operators earn roughly $4,500 per infected worker per year, well above the average for operations that use a similar technique.

Security researchers advise administrators to ensure that Redis instances are reachable only by clients inside their own networks. They also recommend disabling the SLAVEOF command (and its alias REPLICAOF), enabling protected mode and, since the missing authentication is exactly what the attackers rely on, setting a password.

With protected mode on, an instance that has no bind address and no password configured answers only on the loopback address and refuses connections from any other IP.
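The script below is an added example, not code from the original report or from the HeadCrab researchers. It audits a redis.conf for the settings recommended above (listening only on loopback or internal addresses, protected mode on, a password required, and the SLAVEOF/REPLICAOF command disabled through rename-command) and writes out a constructed weak configuration next to a hardened one so the two can be compared. It assumes the standard "directive value" redis.conf syntax; the sample configurations and the placeholder password are made up.

```shell
#!/bin/sh
# Added example (constructed, not from the article or the Aqua research).
# Audits a redis.conf for the hardening the article recommends. The
# directives checked (bind, protected-mode, requirepass, rename-command)
# are real Redis settings; the sample configs are made up for illustration.

# active_lines FILE -> config lines with comment lines removed
active_lines() {
    grep -v '^[[:space:]]*#' "$1" || true
}

# conf_value FILE DIRECTIVE -> last value set for DIRECTIVE, "" if unset
conf_value() {
    active_lines "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }'
}

# command_disabled FILE NAME -> succeeds if `rename-command NAME ""` is present
command_disabled() {
    active_lines "$1" | awk -v c="$2" '
        tolower($1) == "rename-command" && toupper($2) == toupper(c) && $3 == "\"\"" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# redis_conf_findings FILE -> one line per weakness; empty output means every
# checked setting matches the recommendation. Always returns 0.
redis_conf_findings() {
    conf=$1

    # 1. bind: unset means every interface, and so do the wildcard forms
    bind=$(conf_value "$conf" bind)
    if [ -z "$bind" ]; then
        echo "bind: unset, so Redis listens on every interface"
    else
        printf '%s\n' "$bind" | tr ' ' '\n' | while IFS= read -r addr; do
            case "$addr" in
                0.0.0.0|'*'|::|'-::*') echo "bind: '$addr' exposes the instance beyond loopback/internal networks" ;;
            esac
        done
    fi

    # 2. protected mode: an unbound, passwordless instance then answers only on loopback
    [ "$(conf_value "$conf" protected-mode)" = "yes" ] || echo "protected-mode: not enabled"

    # 3. authentication (only requirepass is checked here; ACL users would also count)
    [ -n "$(conf_value "$conf" requirepass)" ] || echo "requirepass: unset, no authentication required"

    # 4. the replication command an attacker uses to point this node at their master
    for cmd in SLAVEOF REPLICAOF; do
        command_disabled "$conf" "$cmd" || echo "$cmd: still enabled (add: rename-command $cmd \"\")"
    done
    return 0
}

# write_sample_confs DIR -> writes a constructed weak config and a hardened one
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed: the exposed configuration the HeadCrab operators look for
bind 0.0.0.0
port 6379
protected-mode no
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed: loopback only, protected mode on, password required, replication command removed
bind 127.0.0.1
port 6379
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
EOF
}

# Demo: audit both samples
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in weak hardened; do
    echo "== $f.conf"
    redis_conf_findings "$demo_dir/$f.conf"
done
rm -rf "$demo_dir"
```

Run redis_conf_findings against the config of a real instance; the weak sample produces five findings and the hardened one produces none. Note that renaming SLAVEOF and REPLICAOF also breaks legitimate replication, so it is only appropriate on stand-alone nodes, and that a bind line with an internal address such as 10.0.0.5 passes the check but still needs firewall rules to keep it off the internet.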
