Scores of Redis Servers Infested by Sophisticated Custom-Built Malware

At least 1,200 Redis servers worldwide have been infected with "HeadCrab" cryptominers since 2021.

Jai Vijayan, Dark Reading

February 3, 2023

2 Min Read
padlock
Alamy

An unknown threat actor has been quietly mining Monero cryptocurrency on open source Redis servers around the world for years, using a custom-made malware variant that is virtually undetectable by agentless and conventional antivirus tools.

Since September 2021, the threat actor has compromised at least 1,200 Redis servers — that thousands of mostly smaller organizations use as a database or a cache — and taken complete control over them. Researchers from Aqua Nautilus, who spotted the campaign when an attack hit one of its honeypots, are tracking the malware as "HeadCrab."

Sophisticated, Memory-Resident Malware

In a blog post this week, the security vendor described HeadCrab as memory-resident malware that presents an ongoing threat to Internet-connected Redis servers. Many of these servers don't have authentication enabled by default because they are meant to run on secure, closed networks.

Aqua's analysis of HeadCrab showed that the malware is designed to take advantage of how Redis works when replicating and synchronizing data stored across multiple nodes within a Redis Cluster. The process involves a command that basically allows administrators to designate a server within a Redis Cluster as a "slave" to another "master" server within the cluster. Slave servers synchronize with the master server and perform a variety of actions, including downloading any modules that might be present on the master server. Redis modules are executable files that administrators can use to enhance the functionality of a Redis server.

Related:8 Proactive Cybersecurity Technologies to Watch in 2023

Aqua's researchers found HeadCrab exploiting this process to load a cryptocurrency miner on Internet-exposed Redis systems. With the attack on its honeypot, the threat actor, for instance, used the legitimate SLAVEOF Redis command to designate the Aqua honeypot as the slave of an attacker-controlled master Redis server. The master server then initiated a synchronization process in which the threat actor downloaded a malicious Redis module containing the HeadCrab malware.

Continue reading this article on Dark Reading

Read more about:

Dark Reading

About the Author(s)

Jai Vijayan

Jai Vijayan

Contributing writer, Dark Reading

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a senior editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including big data, Hadoop, Internet of Things, e-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a master's degree in statistics and lives in Naperville, Illinois.

See more from Jai Vijayan
Dark Reading

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

See more from Dark Reading
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

person holding a smartphone that shows a document icon and a checkmark
Regulatory Compliance
Master IT Compliance: Key Standards and Risks ExplainedMaster IT Compliance: Key Standards & Risks Explained
byBrien Posey
Jul 19, 2024
5 Min Read
Laws and regulations with padlock on cloud icons on laptop computer screen
Cloud Computing
What Is a Sovereign Cloud and Who Truly Benefits From It?What Is a Sovereign Cloud and Who Truly Benefits From It?
byChristopher Tozzi
Jul 18, 2024
6 Min Read
robot and human fingers touching
Career Management
Employees Beginning to See Benefits of AI Autonomy in the WorkplaceEmployees Beginning to See Benefits of AI Autonomy in the Workplace
byNathan Eddy
Jul 3, 2024
4 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured How Tos

hand touches red cube via HoloLens view alongside diagram showing the app deployment workflow
Digital Transformation
How To Deploy Your App on Microsoft HoloLens 2How To Deploy Your App on Microsoft HoloLens 2
ITPro Today Data Privacy Quick Reference Guide cover image
Data Privacy
Data Privacy Quick Reference GuideData Privacy Quick Reference Guide
screenshot of unity software and a text object with the words Hello World
Digital Transformation
How To Build Apps for HoloLens 2 DevicesHow To Build Apps for Hololens 2 Devices
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up
Trending

Recent What Is

person holding a smartphone that shows a document icon and a checkmark
Regulatory Compliance
Master IT Compliance: Key Standards and Risks ExplainedMaster IT Compliance: Key Standards & Risks Explained
Laws and regulations with padlock on cloud icons on laptop computer screen
Cloud Computing
What Is a Sovereign Cloud and Who Truly Benefits From It?What Is a Sovereign Cloud and Who Truly Benefits From It?