HeadCrab Malware Variants Commandeer Thousands of Servers

Published: 23/11/2024   Category: security




New techniques in a second variant of the malware improved functionality and communication commands.



BLACK HAT EUROPE 2023 — London — The HeadCrab malware, which adds infected devices to a botnet for use in cryptomining and other attacks, has resurfaced with a shiny new variant that controls responses and has rootkit-like actions.
Researchers from Aqua Security said the second variant of the cryptomining malware has infected 1,100 servers; the first variant had already infected at least 1,200 servers.
Security researcher Asaf Eitani, who is part of Team Nautilus, Aqua Security's research team, tells Dark Reading that while HeadCrab is not a traditional rootkit, the creator of the malware has added the ability for it to control a function and send a response.
"Basically, that's a rootkit behavior in the sense that he controls all the responses for those places," Eitani says. "So he can just modify the response and become invisible."
Eitani adds, "The tradition of the term rootkit is malware that has root access and controls everything, but in this sense you are able to control what the user sees."
The new variant comes with minor updates that allow an attacker to better hide their actions by removing custom commands and adding encryption to the command and control infrastructure.
"[We believe] he is still modifying it, and we expect to find a newer version of this malware and to see the way that he reacts to our publication [of further details]," Eitani says. "He has not given up."
Details of both variants were shared today in a presentation by Eitani and his colleague, senior data analyst Nitzan Yaakov.
A particularly unique element of HeadCrab is a mini blog inside the malware, where the malware's author wrote technical details of the malware and left a Proton Mail email address to remain anonymous.
Aqua Security researchers used the email to contact the HeadCrab creator — who went by the code name Ice9 — but were unable to determine his name or location. However, Ice9 told the researchers that they were the first people to email him.
In email conversations with the researchers, Ice9 said the malware does not hugely reduce server performance, and can remove other malware infections. He also sent the researchers a binary file of the malware, which turned out to be his service enabling credential stealing and additional persistency.
After detecting the second variant, a new message in the mini blog from Ice9 praised the work the Aqua researchers did. "He also mentioned some technical details that we missed from the first version, and the last note was regarding technicalities in the new version and how he got rid of the custom commands," Eitani says.
Ice9 is the only user of HeadCrab, and solely in control of the command and control infrastructure, Eitani notes.
HeadCrab infects a Redis server when the attacker uses the SLAVEOF command, downloads a malicious module, and runs two new files: a cryptominer and a configuration file. SLAVEOF is a legitimate command that allows administrators to designate a server within a Redis Cluster as a slave to another master server within the cluster, according to the researchers.
The researchers recommended that organizations scan for vulnerabilities and misconfigurations in their servers, and use protected mode in Redis to reduce the chance for infection from HeadCrab.
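As an added example (not part of the article and not Aqua Security's tooling), the following Python script audits a redis.conf for the settings that bear on the infection path described above: protected mode, the bind address, authentication, the SLAVEOF/REPLICAOF commands, and module loading. The directive names are real Redis configuration keys; the two sample configurations and the placeholder password are constructed for illustration, and the parser deliberately ignores Redis 6+ ACL users.

```python
"""Audit a redis.conf for settings that make a SLAVEOF-driven takeover easier.

Added example; not Aqua Security's tooling.  Directive names are real Redis
configuration keys; the sample configurations below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    directive: str   # the redis.conf directive at issue
    observed: str    # what the file says (or "<absent>")
    advice: str      # what a hardened file should say instead


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Map each directive to the list of values seen (rename-command may repeat).

    Simplification: anything after '#' is dropped, so a password containing '#'
    would be truncated by this parser.
    """
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def _disabled_commands(conf: dict[str, list[str]]) -> set[str]:
    """Commands renamed to the empty string, i.e. removed from the server."""
    disabled: set[str] = set()
    for entry in conf.get("rename-command", []):
        parts = entry.split()
        if len(parts) == 2 and parts[1] in ('""', "''"):
            disabled.add(parts[0].upper())
    return disabled


def audit_redis_conf(text: str) -> list[Finding]:
    conf = parse_redis_conf(text)
    findings: list[Finding] = []

    # 1. protected-mode: when on, Redis refuses non-loopback clients if no bind
    #    address and no password are configured.  The default is "yes".
    pm = conf.get("protected-mode", ["yes"])[-1].lower()
    if pm != "yes":
        findings.append(Finding("protected-mode", pm, "protected-mode yes"))

    # 2. bind: no bind line (or a wildcard) exposes the port on every interface.
    bind_tokens = " ".join(conf.get("bind", [])).split()
    if not bind_tokens or any(t in ("0.0.0.0", "*", "::") for t in bind_tokens):
        findings.append(Finding("bind", " ".join(bind_tokens) or "<absent>",
                                "bind 127.0.0.1 -::1 (or a private interface)"))

    # 3. requirepass: unauthenticated access is what lets a remote client issue
    #    SLAVEOF at all.  (Redis 6+ ACL users are not examined here.)
    if not conf.get("requirepass", [""])[-1]:
        findings.append(Finding("requirepass", "<absent>",
                                "requirepass <strong-secret>"))

    # 4. replication commands: SLAVEOF and its alias REPLICAOF should both be
    #    unavailable on servers that are not meant to replicate from a peer.
    disabled = _disabled_commands(conf)
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(Finding("rename-command", f"{cmd} still enabled",
                                    f'rename-command {cmd} ""'))

    # 5. module loading: the malicious module is what the replication step
    #    delivers.  enable-module-command exists in Redis 7.0+ (default "no");
    #    older versions need the rename-command approach for MODULE as well.
    if conf.get("enable-module-command", ["no"])[-1].lower() == "yes":
        findings.append(Finding("enable-module-command", "yes",
                                "enable-module-command no"))
    return findings


# Constructed sample files (not taken from the article).
WEAK_CONF = """\
# listens everywhere, no auth, replication and modules wide open
protected-mode no
port 6379
enable-module-command yes
"""

HARDENED_CONF = """\
protected-mode yes
bind 127.0.0.1 -::1
port 6379
# placeholder secret for illustration only
requirepass example-strong-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
enable-module-command no
"""

if __name__ == "__main__":
    for name, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit_redis_conf(conf_text)
        print(f"[{name}] {len(results)} finding(s)")
        for f in results:
            print(f"  {f.directive}: {f.observed} -> {f.advice}")
```

Run it against a real redis.conf with `audit_redis_conf(open(path).read())`; the weak sample yields six findings (one each for protected mode, bind, authentication and module loading, plus one per replication command), the hardened sample none. Disabling SLAVEOF and REPLICAOF is only appropriate on instances that are not supposed to replicate from anything; on genuine replicas, restrict the commands with ACLs instead.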
