New HeadCrab malware infects 1,200 Redis servers to mine Monero (Security News, February 2023)
New stealthy malware designed to hunt down vulnerable Redis servers online has infected over a thousand of them since September 2021 to build a botnet that mines for Monero cryptocurrency.
"This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," the researchers said.
"We discovered not only the HeadCrab malware but also a unique method to detect its infections in Redis servers. Our method found approximately 1,200 actively infected servers when applied to exposed servers in the wild."
The threat actors behind this botnet take advantage of the fact that Redis servers don't require authentication by default: Redis is designed to run inside an organization's network and should not be exposed to the Internet.
Once they reach a server that accepts commands without authentication, the attackers issue a 'SLAVEOF' command that turns the victim into a replica of a master server under their control; the replication sync then delivers the HeadCrab malware onto the newly hijacked system.
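The two conditions described above (a Redis instance that answers without AUTH, and a replication link pointing at a master the operator never configured) are both observable from the victim's side. The following is an added example, not code from the article or from the researchers: a minimal RESP encoder plus a checker that classifies the reply to an unauthenticated PING and parses `INFO replication` to flag a replica of an unexpected master. The host 203.0.113.7, the allow-list 10.0.0.5:6379 and the sample INFO output are constructed for illustration.

```python
import socket
from typing import Dict, Iterable, List

# Constructed sample of `INFO replication` as a hijacked victim would return it
# after an attacker's SLAVEOF <host> <port>: the instance now replicates from a
# master the operator never configured. (Sample data, not captured traffic.)
SAMPLE_HIJACKED_INFO = (
    "# Replication\r\n"
    "role:slave\r\n"
    "master_host:203.0.113.7\r\n"
    "master_port:6379\r\n"
    "master_link_status:up\r\n"
    "slave_read_only:1\r\n"
)

# Constructed sample of a healthy stand-alone instance.
SAMPLE_CLEAN_INFO = "# Replication\r\nrole:master\r\nconnected_slaves:0\r\n"


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array, the wire format Redis expects."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def classify_ping_reply(reply: bytes) -> str:
    """Classify the reply to a PING sent before any AUTH.

    +PONG   -> the server executed the command without credentials
    -NOAUTH -> requirepass / ACLs are in force
    -DENIED -> protected mode refused a non-loopback client
    """
    if reply.startswith(b"+PONG"):
        return "unauthenticated"
    if reply.startswith(b"-NOAUTH"):
        return "auth required"
    if reply.startswith(b"-DENIED"):
        return "protected mode"
    return "unknown"


def parse_info(text: str) -> Dict[str, str]:
    """Parse the key:value lines of an INFO section, skipping '#' headers."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def replication_findings(info: Dict[str, str], allowed_masters: Iterable[str]) -> List[str]:
    """Flag an instance that replicates from a master not on the allow-list."""
    findings: List[str] = []
    if info.get("role") == "slave":
        master = f"{info.get('master_host')}:{info.get('master_port')}"
        if master not in set(allowed_masters):
            findings.append(f"replica of unexpected master {master}: possible SLAVEOF hijack")
    return findings


def read_bulk_reply(sock_file) -> str:
    """Read one RESP bulk string ($<len>\\r\\n<bytes>\\r\\n) from a socket file."""
    header = sock_file.readline()
    if not header.startswith(b"$"):
        raise ValueError(f"unexpected reply: {header!r}")
    length = int(header[1:].strip())
    if length < 0:  # null bulk string
        return ""
    payload = sock_file.read(length + 2)  # +2 for the trailing CRLF
    return payload[:length].decode()


def check_instance(host: str, port: int, allowed_masters: Iterable[str], timeout: float = 3.0) -> List[str]:
    """Live check of one Redis instance (needs network access; not run offline)."""
    findings: List[str] = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        sock.sendall(resp_command("PING"))
        state = classify_ping_reply(stream.readline())
        findings.append(f"ping without AUTH: {state}")
        if state == "unauthenticated":
            sock.sendall(resp_command("INFO", "replication"))
            findings.extend(replication_findings(parse_info(read_bulk_reply(stream)), allowed_masters))
    return findings


if __name__ == "__main__":
    # Offline demo over the constructed sample; swap in check_instance() for a real host.
    for finding in replication_findings(parse_info(SAMPLE_HIJACKED_INFO), ["10.0.0.5:6379"]):
        print(finding)
```

A "+PONG" to an unauthenticated PING from a non-loopback address is the condition the attackers rely on; on the fix side, set `requirepass` (or ACLs), keep `protected-mode yes`, `bind` to internal interfaces only, and keep the instance off the Internet entirely, since the replication mechanism itself is a legitimate feature that cannot be patched away.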
While analyzing the malware, the researchers also found that the attackers mainly use mining pools hosted on previously compromised servers, which complicates both attribution and detection.