HeadCrab 2.0: fewer traces on the disk, more cryptocurrency in the pocket of hackers

Brother

How much do cybercriminals earn on a large-scale network of thousands of compromised servers?

A few days ago, researchers from Aqua Security published data about an updated version of the HeadCrab malware, which has been attacking Redis database servers around the world since September 2021. The updated malware came to light exactly one year after the first public description of HeadCrab.

Aqua Security experts reported that since then, the campaign to infect Redis servers has almost doubled — now the number of compromised systems has reached 2,300. For comparison, at the beginning of 2023, about 1,200 infected hosts were recorded.

The HeadCrab malware was designed specifically to infiltrate publicly accessible Redis servers and use their computing power for illegal cryptocurrency mining. In addition, attackers gain access to infected machines to execute arbitrary commands, load fileless modules into the OS kernel, and exfiltrate data.

Despite the scale of the campaign, the identity of the perpetrators has not yet been established. Notably, the HeadCrab program itself has a mini-blog built in, where the attackers share news about themselves and their malware. There, the hackers claim that their activities, although they could be called parasitic, nevertheless do not harm people. The attackers state that their goal is to earn $15,000 per year (~115 thousand rubles per month) from mining.

HeadCrab 2.0 uses sophisticated methods to hide malicious activity. Unlike the first version, fileless loading is now used to deploy the malware, which reduces the number of traces in the file system and makes analysis more difficult.

The protocol for communicating with the command server has also been changed: instead of separate custom commands, the standard Redis MGET command is now used. This lets the malicious traffic blend in with legitimate Redis traffic.

According to Aqua Security researchers, HeadCrab 2.0 demonstrates a significant complication of attack concealment mechanisms compared to the first version. This creates additional difficulties for behavioral analysis-based detection systems.

This evolution of malware requires constant improvement of security tools and detection of new threats. It is extremely important to continuously monitor such campaigns, collect and analyze telemetry for timely detection of modified versions.

You can protect Redis servers by regularly updating the software, restricting external access, and analyzing traffic and logs for malicious activity. Only a comprehensive approach will significantly reduce the risk of infection.
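As an added illustration of the log-analysis advice above (not code from the article or from Aqua Security), the following script scans Redis MONITOR output for the two things the post describes: commands that load code or rewrite server configuration, and MGET traffic arriving from clients outside an assumed trusted network. The sample MONITOR lines, the 203.0.113.7 client address and the trusted network 10.0.0.0/8 are constructed for the example.

```python
import re
import ipaddress

# Redis MONITOR emits one line per command, in the form:
# 1707000000.123456 [0 10.0.0.5:51234] "MGET" "k1" "k2"
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Commands that load native code into redis-server or change where it
# writes files; rarely issued by ordinary application clients.
RISKY = {
    ("MODULE", "LOAD"): "module load (native code loaded into redis-server)",
    ("CONFIG", "SET"): "runtime config change",
    ("SLAVEOF", None): "replication target changed",
    ("REPLICAOF", None): "replication target changed",
}

def parse(line):
    """Return (client_host, [COMMAND, arg1, ...]) or None for non-MONITOR lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = ARG_RE.findall(m.group("args"))
    host = m.group("addr").rsplit(":", 1)[0]
    return host, [a.upper() if i == 0 else a for i, a in enumerate(args)]

def scan(lines, trusted_nets):
    """Return (host, command, reason) alerts for suspicious MONITOR lines."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for line in lines:
        parsed = parse(line)
        if not parsed or not parsed[1]:
            continue
        host, args = parsed
        cmd = args[0]
        sub = args[1].upper() if len(args) > 1 else None
        try:
            trusted = any(ipaddress.ip_address(host.strip("[]")) in n for n in nets)
        except ValueError:
            trusted = True  # unix socket or unparsable address: not a network client
        reason = RISKY.get((cmd, sub)) or RISKY.get((cmd, None))
        if reason:
            alerts.append((host, cmd, reason))
        elif cmd == "MGET" and not trusted:
            alerts.append((host, cmd, "MGET from untrusted network (possible disguised C2)"))
    return alerts

# Constructed MONITOR lines: one trusted client, one external client that
# issues MGET, loads a module and changes the working directory.
SAMPLE = [
    '1707000000.100000 [0 10.0.0.5:51234] "MGET" "session:1" "session:2"',
    '1707000000.200000 [0 203.0.113.7:40000] "MGET" "k1" "k2"',
    '1707000000.300000 [0 203.0.113.7:40000] "MODULE" "LOAD" "/tmp/x.so"',
    '1707000000.400000 [0 203.0.113.7:40000] "CONFIG" "SET" "dir" "/tmp"',
    '1707000000.500000 [0 10.0.0.6:51300] "GET" "user:42"',
]
```

In a real deployment, feed `redis-cli MONITOR` output (or the equivalent from a traffic capture) to `scan`, and treat a module load or config change from any client as an incident rather than a mere anomaly.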