
Multiple Iterations of 'HeadCrab' Malware Seize Control of Numerous Servers

The updated variant includes subtle adjustments enabling attackers to better conceal their activities.


The HeadCrab malware, which enrols infected machines in a botnet used for cryptomining and other activity, has resurfaced with a new variant that gains root-level control of exposed open source Redis servers.

According to Aqua Security's researchers, this second version of the cryptomining malware has compromised 1,100 servers, after the first variant had already compromised at least 1,200.

Asaf Eitani, a security researcher from Team Nautilus, Aqua Security's research team, clarified that while HeadCrab doesn't conform to the typical rootkit, its creator has endowed it with the capability to manipulate a function and generate responses. In essence, this mirrors rootkit behavior as it gains control over responses, allowing it to modify and remain undetected.

Eitani explained, "The tradition of the term rootkit is malware that has root access and controls everything, but in this sense, you are able to control what the user sees."

The adjustments in the second variant are aimed at stealth: the custom commands of the first version have been removed, and traffic to the command-and-control infrastructure is now encrypted, making the malware harder to spot on the wire.

A distinctive feature of HeadCrab is a "mini blog" embedded in the malware, in which the author, writing under the pseudonym Ice9, documents technical details of the malware and leaves a Proton Mail address as an anonymous point of contact.

Aqua Security's researchers made contact with Ice9 but were unable to establish their identity or location. Ice9 claimed the researchers were the first to reach out, insisted that the malware does not degrade server performance, and asserted that it removes other malware infections from the hosts it takes over. After the researchers found the second variant, Ice9 praised them in the mini blog.

Aqua's researchers assess that Ice9 is the sole operator of HeadCrab and alone controls its command-and-control infrastructure.

HeadCrab takes over a Redis server when an attacker who can reach it issues the SLAVEOF command, turning the instance into a replica of a host the attacker controls, then loads a malicious module and drops two new files: a cryptominer and its configuration file. Aqua Security's researchers advise organisations to scan their servers for vulnerabilities and misconfigurations and to enable protected mode in Redis to reduce the risk of HeadCrab infection.
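The infection path above depends on two things an exposed Redis instance hands to any client by default: the ability to point it at a new replication master (SLAVEOF/REPLICAOF) and the ability to load a module. The following audit script is an added example, not Aqua Security's tooling or any code from HeadCrab itself. It checks a redis.conf for the weak settings that make the attack possible and inspects the text a server returns for `INFO replication`, together with the module names reported by `MODULE LIST`, for signs that the instance has already been hijacked. The trusted-master list, the sample configs and the sample server responses are all constructed for the example.

```python
"""Audit a Redis deployment for the exposure HeadCrab abuses (SLAVEOF/REPLICAOF
to an attacker-controlled master, followed by loading a malicious module).
Added example only: not Aqua Security's tooling and not HeadCrab code."""

# Replication masters this deployment legitimately syncs from (assumed value).
TRUSTED_MASTERS = {"10.0.0.5"}
# Commands an internet-reachable instance should have renamed away or disabled.
SENSITIVE_COMMANDS = ("slaveof", "replicaof", "module", "config")


def parse_conf(text):
    """Return ({directive: [values]}, {commands renamed or disabled}) for a redis.conf."""
    directives, renamed = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            # 'rename-command MODULE ""' removes the command entirely.
            renamed.add(value.split()[0].lower())
        else:
            directives.setdefault(key, []).append(value)
    return directives, renamed


def audit_conf(text):
    """List config weaknesses that let a remote client run SLAVEOF and MODULE LOAD."""
    d, renamed = parse_conf(text)
    findings = []
    if d.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    # With no bind directive at all, Redis listens on every interface.
    bind_addrs = " ".join(d.get("bind", [])).split()
    if not bind_addrs or any(a in ("0.0.0.0", "*", "::", "-::*") for a in bind_addrs):
        findings.append("bind exposes the listener on all interfaces")
    if "requirepass" not in d and "user" not in d:
        findings.append("no requirepass or ACL users: anyone who connects is an admin")
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} is still callable under its default name")
    return findings


def parse_info(text):
    """Parse the key:value lines of an INFO response (section headers start with #)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            k, _, v = line.partition(":")
            fields[k] = v
    return fields


def audit_runtime(info_replication, module_names):
    """Flag an instance replicating from an unknown master or carrying loaded modules."""
    f = parse_info(info_replication)
    findings = []
    if f.get("role") == "slave":
        master, port = f.get("master_host", "?"), f.get("master_port", "?")
        if master not in TRUSTED_MASTERS:
            findings.append(f"replicating from untrusted master {master}:{port}")
    for name in module_names:
        # A stock Redis loads no modules; any entry deserves a look.
        findings.append(f"loaded module '{name}' (Redis loads none by default)")
    return findings


# Constructed samples: an exposed instance and a hardened one.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""

# Constructed INFO replication output from an instance that has been pointed
# at an outside master (203.0.113.10 is a documentation address), and a clean one.
INFECTED_INFO = """\
# Replication
role:slave
master_host:203.0.113.10
master_port:6379
master_link_status:up
"""

CLEAN_INFO = """\
# Replication
role:master
connected_slaves:0
"""

if __name__ == "__main__":
    for label, findings in (("weak config", audit_conf(WEAK_CONF)),
                            ("hardened config", audit_conf(HARDENED_CONF)),
                            ("infected runtime", audit_runtime(INFECTED_INFO, ["system"])),
                            ("clean runtime", audit_runtime(CLEAN_INFO, []))):
        print(f"{label}: {findings or 'no findings'}")
```

Two caveats worth keeping in mind when reading the results. Protected mode, which Aqua recommends and which has been on by default since Redis 3.2, only refuses remote connections when the server has neither a bind address nor a password configured, so it is a safety net rather than a substitute for binding to an internal interface and requiring authentication. And on Redis 7 the preferred way to take SLAVEOF, REPLICAOF and MODULE away from ordinary clients is an ACL rule such as `-@dangerous` on the user they connect as; `rename-command` still works and is what the sample config shows, but it is the older mechanism.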