'HeadCrab' Malware Variants Commandeer Thousands of Servers

BLACK HAT EUROPE 2023 — London — The HeadCrab malware, which adds infected devices to a botnet for use in cryptomining and other attacks, has resurfaced with a shiny new variant that controls responses and has rootkit-like actions.

Researchers from Aqua Security said the second variant of cryptomining malware has infected 1,100 servers; the first variant had already infected at least 1,200 servers.

The Root to Redis?

Security researcher Asaf Eitani, who is part of Team Nautilus, Aqua Security's research team, tells Dark Reading that while HeadCrab is not a traditional rootkit, the creator of the malware has added the ability for it to control a function and send a response.

"Basically, that's a rootkit behavior in the sense that he controls all the responses for those places," Eitani says. "So he can just modify the response and become invisible."

Eitani adds, "The tradition of the term rootkit is malware that has root access and controls everything, but in this sense you are able to control what the user sees."

Second Variant

The new variant comes with minor updates that allow an attacker to better hide their actions by removing custom commands and adding encryption to the command and control infrastructure.

"[We believe] he is still modifying it, and we expect to find a newer version of this malware and to see the way the way that he reacts to our publication [of further details]," Eitani says. "He has not given up."

Details of both variants were shared today in a presentation by Eitani and his colleague, senior data analyst Nitzan Yaakov.

Talking Back

A particularly unique element of HeadCrab is a "mini blog" inside the malware, where the malware's author wrote technical details of the malware and left a Proton Mail email address to remain anonymous.

Aqua Security researchers used the email to contact the HeadCrab creator — who went by the code name Ice9 — but were unable to determine his name or location. However, Ice9 told the researchers that they were the first people to email him.

In email conversations with the researchers, Ice9 said the malware does not hugely reduce server performance, and can remove other malware infections. He also sent the researchers a binary file of the malware, which turned out to be his service enabling credential stealing and additional persistency.

After detecting the second variant, a new message in the mini blog from Ice9 praised the work the Aqua researchers did. "He also mentioned some technical details that we missed from the first version, and the last note was regarding technicalities in the new version and how he got rid of the custom commands," Eitani says.

Ice9 is the only user of HeadCrab, and solely in control of the command and control infrastructure, Eitani notes.

Taking Control

HeadCrab infects a Redis server when the attacker uses the SLAVEOF command, downloads a malicious module, and runs two new files: a cryptominer and a configuration file. The process includes a command that allows administrators to designate a server within a Redis Cluster as a "slave" to another "master" server within the cluster, according to the researchers.

The researchers recommended that organizations scan for vulnerabilities and misconfigurations in their servers, and use protected mode in Redis to reduce the chance for infection from HeadCrab.