HeadCrab

Malware Profile Updated 25 days ago
HeadCrab is malware that targets Redis servers, the popular in-memory data structure store used as a database, cache and message broker. It was discovered by Aqua Security, whose researchers traced its activity back to September 2021 and estimated that it had infected over 1,200 Redis servers worldwide. Later variants run entirely in memory, which keeps them out of reach of file-based antivirus scanning.

The malware needs no software vulnerability: it gets in when an administrator leaves a Redis server reachable from the internet without authentication. The attacker issues the SLAVEOF (REPLICAOF) command so that the exposed server replicates from a master the attacker controls, uses that replication link to deliver a malicious Redis module, and loads it; the module then drops and runs two files, a cryptominer and its configuration file. The infected server joins a botnet that mines cryptocurrency for the operator.

An unusual feature of HeadCrab is the "mini blog" embedded in the malware, in which the author describes its technical details and leaves an anonymous Proton Mail address. The operator can also invoke functions of the malware and receive responses through the Redis command interface; despite that level of control over the server process, it is not considered a traditional rootkit. Other campaigns against misconfigured Redis servers, including Kinsing, P2PInfect, Skidmap and Migo, have been reported alongside it.

To defend against HeadCrab, keep Redis off the public internet, leave protected mode enabled, require authentication, and disable or rename the replication and module-loading commands where they are not needed. Regular scanning for misconfigured and vulnerable instances, together with ongoing monitoring of Redis servers, is essential to prevent a breach.
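The checks below are an added example, not code from this page or from Aqua Security's research. The script audits a redis.conf, the text of `INFO replication` and a list of loaded module names for the conditions the profile describes: no authentication, protected mode off, the SLAVEOF/REPLICAOF and MODULE commands still reachable, a replica pointed at a master the operator does not own, and a module nobody expects to be loaded. The sample configurations and the `INFO replication` output are constructed; the `enable-module-command` directive is assumed to be the Redis 7+ setting of that name, and the allowlists of masters and modules are placeholders an operator would fill in.

```python
"""Offline audit for the Redis exposure HeadCrab relies on (added example)."""

# Commands the infection chain needs on the victim: SLAVEOF/REPLICAOF to point
# it at the attacker's master and MODULE to load the malicious module, plus
# CONFIG and DEBUG, which are commonly abused on exposed instances.
DANGEROUS_COMMANDS = {"SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "DEBUG"}


def parse_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to a list of argument lists (directives may repeat)."""
    conf: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_conf(text: str) -> list[str]:
    """Return findings for a redis.conf; an empty list means hardened."""
    conf = parse_conf(text)
    findings: list[str] = []
    binds = {addr for args in conf.get("bind", []) for addr in args}
    if not binds or binds & {"0.0.0.0", "::", "*"}:
        findings.append("listens on all interfaces (no restrictive bind)")
    if conf.get("protected-mode", [["yes"]])[0][0].lower() == "no":
        findings.append("protected-mode is disabled")
    # Heuristic: an ACL file may still define users, so only flag the
    # case with neither a password nor an ACL file configured.
    if "requirepass" not in conf and "aclfile" not in conf:
        findings.append("no requirepass and no ACL file: unauthenticated access")
    # rename-command <CMD> "" removes the command entirely.
    disabled = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) == 2 and args[1] in ('""', "''")
    }
    for cmd in sorted(DANGEROUS_COMMANDS - disabled):
        findings.append(f"{cmd} is not disabled via rename-command")
    if conf.get("enable-module-command", [["no"]])[0][0].lower() == "yes":
        findings.append("enable-module-command yes: MODULE LOAD is allowed")
    return findings


def audit_replication(info_text: str, allowed_masters: set[str]) -> list[str]:
    """Flag a replica whose master is not one we operate (the SLAVEOF step)."""
    fields: dict[str, str] = {}
    for raw in info_text.splitlines():
        line = raw.strip()
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            fields[key] = value
    if fields.get("role") != "slave":
        return []
    master = f"{fields.get('master_host')}:{fields.get('master_port')}"
    return [] if master in allowed_masters else [f"replica of unexpected master {master}"]


def audit_modules(loaded: list[str], allowed: set[str]) -> list[str]:
    """Flag loaded modules (names from MODULE LIST) that are not allowlisted."""
    return [f"unexpected module loaded: {name}" for name in loaded if name not in allowed]


# Constructed samples: the exposed default HeadCrab abuses, and a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Constructed INFO replication output from a server pointed at an attacker's master.
SUSPECT_REPLICATION = """
# Replication
role:slave
master_host:203.0.113.10
master_port:6379
master_link_status:up
"""


def run_audit() -> dict[str, list[str]]:
    """Run all three checks over the constructed samples."""
    return {
        "weak_conf": audit_conf(WEAK_CONF),
        "hardened_conf": audit_conf(HARDENED_CONF),
        "replication": audit_replication(SUSPECT_REPLICATION, {"10.0.0.7:6379"}),
        "modules": audit_modules(["rejson", "unknown_module"], {"rejson"}),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings or 'OK'}")
```

The weak configuration produces eight findings (open bind, protected mode off, no authentication, and the five commands still reachable); the hardened one produces none. In practice the `INFO replication` text and module names would be captured with `redis-cli` against each instance and fed to these functions, and a replica whose master is not in the allowlist is the first thing to investigate after an exposure.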
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Botnet
Redis
Malware
Rootkit
Cryptominer
Associated Malware
ID | Type | Votes | Profile Description
Proton | Unspecified | 2
Proton is a malicious software or malware that can infiltrate systems and cause harm by stealing personal information, disrupting operations, or even holding data for ransom. It was found embedded in several components of ProtonVPN, a service offered by Swiss-based company Proton Technologies AG. Th
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the HeadCrab malware was read from the documents in the corpus below.
Source | Created | Title
CERT-EU | a year ago | HeadCrab malware found targeting Redis servers
CERT-EU | 6 months ago | 'HeadCrab' Malware Variants Commandeer Thousands of Servers
DARKReading | 6 months ago | 'HeadCrab' Malware Variants Commandeer Thousands of Servers
CERT-EU | a year ago | Google puts $1M behind its mining-malware detection promise
CERT-EU | a year ago | Patches, crooks, spies, privateers, and mercenaries
CERT-EU | a year ago | New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers
CSO Online | a year ago | Fileless attacks surge as cybercriminals evade cloud security defenses
CERT-EU | 10 months ago | New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods
DARKReading | 2 months ago | Expired Redis Service Abused to Use Metasploit Meterpreter Maliciously
CERT-EU | 10 months ago | P2PInfect: New Peer-to-Peer Worm Targeting Redis Servers
CERT-EU | a year ago | Memory-based attacks increase as attackers dodge cloud defenses
DARKReading | 3 months ago | Cloud-y Linux Malware Rains on Apache, Docker, Redis & Confluence