New HeadCrab Malware Targets Redis Servers

Description

FortiGuard Labs is aware of a report that a new malware "HeadCrab" was deployed to over 1,000 Redis servers around the globe for crypto mining attacks. HeadCrab threat actor reportedly targets internet facing Redis servers that do not require authentication.

Why is this Significant?

This is significant because "HeadCrab" malware was discovered to be installed on over 1,000 compromised Redis severs around the globe. While the main purpose of HeadCrab appears to be for crypto mining operations, an attacker can perform other malicious activities and deploy malware to the affected Redis servers since they are under control of the attacker. As such, vulnerable Redis servers exposed to the internet need to be either taken offline or authentication be enabled.

What is HeadCrab malware?

HeadCrab is a malware that was deployed to internet facing Redis servers which do not require authentication. Once the HeadCrab threat actor finds and compromises a vulnerable Redis server, the compromised server is synchronized with the attacker's master Redis server, which serves HeadCrab malware.

HeadCrab malware receives commands from the attacker's master Redis server and performs activities accordingly. While the threat actor reportedly used HeadCrab for mining Monero crypto currency, it could be used for other malicious activities such as exfiltrating information. Also, threat actors can serve other malware and perform malicious activities on compromised Redis servers.

What is the Status of Protection?

FortiGuard Labs detect known HeadCrab malware samples with the following AV signatures:

• ELF/Miner.AF76!tr
• ELF/Agent.D9F0!tr
• ELF/Agent.E2A0!tr

Appendix

HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign (Aqua Security)