Warning about two new malware variants: SwiftSlicer and HeadCrab

"HeadCrab" attacks Redis databases

HeadCrab" is less destructive, but all the more discreet. The new malware, first discovered by Team Nautilus, Aqua Security's research unit, has apparently been circulating since the end of 2021. The name "HeadCrab" is based on a fictitious, parasitic life form from the computer game Half-Life. Anyone familiar with the classic game will quickly recognise parallels between the parasite and the malware: Both versions are difficult to detect, absolutely inconspicuous and masters of manipulation. While the HeadCrabs from the computer game target the human nervous system, the malware targets Redis database servers. Redis is an open source in-memory database with a simple key-value data structure from the NoSQL database family.

Redis can be used as a database, message broker or cache and is the most widely used key-value store in the world. Redis servers are particularly fast - and particularly vulnerable. This is because the servers were originally not intended to connect to the internet, but to be operated exclusively in closed networks. Standard authentication is not activated on Redis, which makes them particularly vulnerable. The HeadCrab malware has been exploiting the vulnerability worldwide since September 2021 and has compromised around 1,200 Redis servers to date. In the process, HeadCrab remains under the radar of IT security officers, because conventional antivirus solutions cannot detect the malware. Currently affected are Redis servers in India, China and Malaysia as well as the USA, Great Britain and Germany.

This is the procedure for a HeadCrab attack: First, a Redis server is taken over and controlled by the attackers via slave-of-command - and set as a slave server for another Redis server. This master server then initiates a synchronisation of the slave server. This downloads the HeadCrab malware to the affected host. HeadCrab thus functions "agentlessly".

The malware acts in the best possible disguise and thus fulfils exactly its purpose: to build up a botnet as long as possible, undetected, which serves exclusively to mine the cryptocurrency Monero!

Protection against cyberattacks

"SwiftSlicer" and "HeadCrab" pursue different goals, but are similar in one respect: both malware variants are undetectable exclusively with the use of protection tools.

With the Active Cyber Defense (ACD) service from Allgeier secion, a Managed Detection and Response (MDR) service is available that specialises in the early detection of malicious activities within networks.

The security analysts take over the all-round monitoring of all network systems and alerts and can identify and prioritise them in advance on the basis of a permanent threat analysis. The 24/7 fully managed service delivers a high level of IT security, as it focuses on proactive early detection of attacks in the network (cyber threat hunting). Successful cyber attacks are detected at an early stage - major damage is avoided. If anomalies or malicious communication patterns are detected at network level, Allgeier secion immediately informs its customers and recommends action.All endpoints within the network are monitored - from desktop computers to laptops and mobile devices to IoT devices. BYOD or ICS.

Conclusion

The year 2023 is still young - and already marked by two new and very aggressive malware variants. While "SwiftSlicer" destroys compromised systems irretrievably - and is thus presumably used as a possible weapon in Russia's hybrid war against Ukraine, "HeadCrab" is less destructive, but all the more insidious. "HeadCrab" operates under the radar of conventional protection systems, infects reddit servers and operates botnets with the aim of crypto mining.

In any case, it remains important that cyberattacks are detected immediately after the first compromise. This is possible with Active Cyber Defense from Allgeier secion: the Managed Detection and Response (MDR) service monitors your network around the clock, enabling proactive protection against cyberattacks.

Need help upgrading your IT security for 2023? Contact us!