How To Stop and Remove HeadCrab Malware

A research team at security company Aqua Nautilus has found a dangerous and cunning malware called HeadCrab that has been infiltrating servers worldwide since late 2021. This cutting-edge threat uses custom-built, hard-to-detect malware to compromise Redis servers and has taken control of at least 1,200 servers. The HeadCrab malware is able to bypass agentless and conventional anti-virus solutions.

What is Redis - the platform targeted by HeadCrab attacks

Redis is an open-source in-memory data store that can be used as a database, cache, or message broker. Because it is meant to run on a secure, closed network, a default Redis server that is accessible from the internet is susceptible to unauthorized access and command execution. Redis Cluster allows data to be automatically divided and stored across multiple nodes, with Master and Slave servers for easy data replication and synchronization. A server can be designated as a Slave using the SLAVEOF command, allowing it to synchronize with the Master, including downloading any modules present on the Master. Redis modules are executable Shared Object files that extend the functionality of the server. Modules are uploaded and loaded onto a server via the Redis port using the MODULE LOAD command.

Redis servers have been targeted by attackers in recent years due to misconfigurations and vulnerabilities. As the popularity of Redis servers has grown, so has the frequency of attacks, with incidents like the Redigo malware and TeamTNT targeting Redis servers.

The attack on a honeypot server operated by Aqua Nautilus started with the attacker targeting a Redis server. The server was eventually compromised when the SLAVEOF command was used to set it as a Slave of another Redis server controlled by the attacker. The Master initiated a synchronization of the Slave, which in turn downloaded the HeadCrab malware as a malicious Redis module onto the Slave honeypot server. This tactic has been used by attackers to load malicious Redis modules onto affected hosts.

The HeadCrab malware is a highly advanced and intricate threat. Constructed as a malevolent Redis module framework, it has a multitude of options and abilities.

HeadCrab's unique profile and behavior

The HeadCrab sample encountered by Aqua Nautilus produced no results on VirusTotal when searched by its MD5 checksum. The team's attempts to obtain additional specimens were unsuccessful, which strengthens the belief that this is a highly elusive and original malware.

At the beginning of its execution, the malware uses the RedisModule_OnLoad function which is activated when the Redis server loads the module. The malware then stores the addresses of essential Redis API functions for future use and verifies if a module named rds is already loaded. If it is, the malware will immediately stop without carrying out any malicious activities.
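The replication-based infection path described above, together with the module named rds that HeadCrab checks for on load, suggests a simple audit a defender can run against the output of INFO replication and MODULE LIST. The script below is an added example, not code from the article or from Aqua Nautilus; it assumes the text formats that redis-cli prints for those commands, and every sample input in it is constructed.

```python
# Added example (not from the article or Aqua Nautilus): audit a Redis
# server for the HeadCrab infection path, using the text that redis-cli
# prints for INFO replication and MODULE LIST. All sample input is constructed.
import re

HEADCRAB_MODULE_NAME = "rds"  # marker module name reported in the article

def parse_info(info_text):
    """Turn the 'key:value' lines of an INFO section into a dict."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def module_names(module_list_text):
    """Extract module names from redis-cli's MODULE LIST output."""
    return re.findall(r'"name"\s*\n\s*\d+\)\s*"([^"]+)"', module_list_text)

def audit(info_text, module_list_text, expected_masters, expected_modules):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    info = parse_info(info_text)
    if info.get("role") in ("slave", "replica"):
        master = f'{info.get("master_host")}:{info.get("master_port")}'
        if master not in expected_masters:
            findings.append(f"replicating from unexpected master {master}")
    for name in module_names(module_list_text):
        if name == HEADCRAB_MODULE_NAME:
            findings.append(f"module '{name}' matches HeadCrab marker name")
        elif name not in expected_modules:
            findings.append(f"unexpected module loaded: {name}")
    return findings

# Constructed sample: a server silently turned into a replica of an
# unknown host, which has pushed a module named 'rds' to it.
SAMPLE_INFO = """# Replication
role:slave
master_host:203.0.113.7
master_port:6379
master_link_status:up
"""
SAMPLE_MODULES = """1) 1) "name"
   2) "rds"
   3) "ver"
   4) (integer) 1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO, SAMPLE_MODULES, {"10.0.0.5:6379"}, set()):
        print("FINDING:", finding)
```

Run it periodically against each server's redis-cli output; a non-empty list of findings is the cue to isolate the host and inspect the loaded module.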

The module can be loaded with two arguments, or "magic numbers", which are two global values that serve as encryption keys and confirm that the user is indeed the threat actor. Later, the malware can modify these magic numbers at various points in its execution. The module can be loaded with or without the magic numbers, and this affects some of the malware's capabilities during execution.

The malware locates the path to the dynamic loader, which it then uses to run programs. By supplying the desired executable as a parameter, the dynamic loader runs the process under its own name. This technique can sidestep security measures that identify harmful files by scrutinizing the execution of processes: since the dynamic loader is a genuine binary, it is not recognized as malicious, and the malware can conceal itself from these security measures.

February 2, 2023
