BLACK HAT EUROPE 2023 — London — The HeadCrab malware, which adds infected Redis servers to a botnet used for cryptomining and other attacks, has resurfaced with a new variant that controls command responses and behaves in rootkit-like ways.
Researchers from Aqua Security said the second variant of the cryptomining malware has infected 1,100 servers; the first variant had already infected at least 1,200 servers.
The Root to Redis?
Security researcher Asaf Eitani, who is part of Team Nautilus, Aqua Security's research group, tells Dark Reading that while HeadCrab is not a traditional rootkit, the malware's author has added the ability for it to hook a Redis function and control the response it sends back.
"Basically, that is rootkit behavior in the sense that he controls all the responses for these places," Eitani says. "So he can just modify the response and become invisible."
Eitani adds, "The tradition of the term rootkit is malware that has root access and controls everything, but in this sense you can control what the user sees."
Second Variant
The new variant comes with minor updates that allow the attacker to better hide their activity by removing the custom commands the first variant exposed and adding encryption to the command-and-control traffic.
"[We believe] he's still modifying it, and we expect to find a newer version of this malware and to see the way that he reacts to our publication [of further details]," Eitani says. "He has not given up."
Details of both variants were shared today in a presentation by Eitani and his colleague, senior data analyst Nitzan Yaakov.
Speaking Again
A particularly unusual element of HeadCrab is a "mini blog" embedded inside the malware, where the author wrote technical details about it and left a Proton Mail email address in order to remain anonymous.
Aqua Security researchers used the email address to contact the HeadCrab author, who goes by the code name Ice9, but were unable to determine his name or location. However, Ice9 told the researchers that they were the first people to email him.
In email conversations with the researchers, Ice9 said the malware does not significantly reduce server performance, and that it can remove other malware infections. He also sent the researchers a binary file of the malware, which turned out to be his service for credential stealing and additional persistence.
After detecting the second variant, the researchers found a new message in the mini blog from Ice9 praising the work the Aqua researchers had done. "He also mentioned some technical details that we missed from the first version, and the last note was regarding technicalities in the new version and how he got rid of the custom commands," Eitani says.
Ice9 is the only user of HeadCrab, and is solely responsible for the command-and-control infrastructure, Eitani notes.
Taking Management
HeadCrab infects a Redis server when the attacker uses the SLAVEOF command to make the exposed instance replicate from a master the attacker controls, downloads a malicious Redis module through that replication, and runs two new files: a cryptominer and a configuration file. SLAVEOF itself is a legitimate command (renamed REPLICAOF in newer Redis versions) that lets administrators designate one server as a "slave" (replica) of another "master" server, according to the researchers; the attack works only because the instance accepts that command from an unauthenticated remote client.
The researchers recommended that organizations scan their servers for vulnerabilities and misconfigurations, and enable protected mode in Redis, which makes an instance with no bind address or password configured accept connections only from the loopback interface, to reduce the chance of a HeadCrab infection.
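The infection chain above turns on a handful of conditions an operator can check: the instance is reachable without a password, protected mode is off, replication has been re-pointed at an unknown master, and a module nobody installed is loaded. The script below is an added example written for this page, not Aqua Security's tooling or HeadCrab's code. It parses the text Redis returns for INFO replication, CONFIG GET and MODULE LIST and reports those conditions; the allow-lists EXPECTED_MASTERS and ALLOWED_MODULES, the sample outputs, the IP addresses and the module name are all constructed for the example.

```python
"""Audit Redis output for the preconditions of a SLAVEOF-style takeover.

Hypothetical example, not part of the article or of any vendor tool. It
works on captured text so it runs offline; in practice the same strings
come from `redis-cli INFO replication`, `redis-cli CONFIG GET '*'` and
`redis-cli MODULE LIST`.
"""

# Assumption: the operator knows which masters this instance may replicate
# from and which modules it is supposed to load. Anything else is a finding.
EXPECTED_MASTERS = {"10.0.0.5"}
ALLOWED_MODULES: set = set()


def parse_info(info_text: str) -> dict:
    """Turn the 'key:value' lines of an INFO section into a dict."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # section headers and blank lines carry no data
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def audit_redis(info_replication: str, config: dict, modules: list) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    repl = parse_info(info_replication)

    # 1. The entry point described in the article: SLAVEOF/REPLICAOF has
    #    made this server a replica of a master the operator did not choose.
    if repl.get("role") == "slave":
        master = repl.get("master_host", "")
        if master not in EXPECTED_MASTERS:
            findings.append(
                f"replicating from unexpected master {master}:{repl.get('master_port')}"
            )

    # 2. Exposure that lets a remote, unauthenticated client send that
    #    command in the first place.
    if config.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode is disabled")
    bind = config.get("bind", "127.0.0.1")
    wildcard = any(addr in ("0.0.0.0", "*", "::") for addr in bind.split())
    if wildcard and not config.get("requirepass"):
        findings.append(f"bound to all interfaces ({bind}) with no requirepass")

    # 3. HeadCrab is delivered as a Redis module; a loaded module outside
    #    the allow-list is worth inspecting.
    for name in modules:
        if name not in ALLOWED_MODULES:
            findings.append(f"unexpected loaded module {name!r}")
    return findings


# Constructed sample of an exposed instance (addresses are documentation
# ranges; the module name is made up for the example).
EXPOSED_INFO = """# Replication
role:slave
master_host:203.0.113.7
master_port:6379
master_link_status:up
"""
EXPOSED_CONFIG = {"protected-mode": "no", "bind": "0.0.0.0", "requirepass": ""}
EXPOSED_MODULES = ["example_module"]

# Constructed sample of the same instance after hardening.
HARDENED_INFO = """# Replication
role:master
connected_slaves:0
"""
HARDENED_CONFIG = {"protected-mode": "yes", "bind": "127.0.0.1", "requirepass": "s3cret"}
HARDENED_MODULES: list = []


if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_INFO, EXPOSED_CONFIG, EXPOSED_MODULES)),
                        ("hardened", (HARDENED_INFO, HARDENED_CONFIG, HARDENED_MODULES))):
        print(label, audit_redis(*args) or ["no findings"])
```

Beyond protected mode, bind and requirepass, a redis.conf can neutralise the commands this chain depends on with `rename-command SLAVEOF ""`, `rename-command REPLICAOF ""` and `rename-command MODULE ""` (or the equivalent ACL rules on Redis 6 and later), so that even a client that reaches the port cannot re-point replication or load a module.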