Warning about two new malware variants: SwiftSlicer and HeadCrab
by Tina Siering
Wiper malware "SwiftSlicer" destroys data irretrievably
In January 2023, security researchers from ESET Threat Research came across a previously unknown malware that was used against a Ukrainian energy company. The malware, named "SwiftSlicer", belongs to the class of so-called wipers: malware built to destroy data rather than to extort money for it.
Ransomware attacks encrypt data and demand a ransom for the key. Wiper malware skips that second step: it overwrites or deletes data, and what is gone is irretrievably lost. Some wipers dress up as ransomware, but there is no key to buy. SwiftSlicer, for instance, overwrites files with random data and deletes shadow copies before rebooting the machine. Worse still, wipers do not always stop at files. True to the root word "to wipe out", they can destroy entire hard disks or the boot sectors a system needs to start. Attackers who use wiper malware like "SwiftSlicer" do not act out of financial motivation; the sole aim of such an attack is the permanent and comprehensive destruction of the affected systems.
Since the beginning of 2023 there has been a further, significant increase in wiper malware, which was already in use during the war in Ukraine throughout 2022. The ESET researchers attribute "SwiftSlicer" to "Sandworm", a group within the Russian military intelligence service GRU that is also known as "Unit 74455". A state-sponsored attack as part of hybrid warfare is a plausible explanation in this context.
"HeadCrab" attacks Redis databases
"HeadCrab" is less destructive, but all the more discreet. The new malware, first described by Team Nautilus, the research unit of Aqua Security, has apparently been circulating since the end of 2021. The name "HeadCrab" refers to a fictional parasitic life form from the computer game Half-Life. Anyone familiar with the classic game will quickly recognise the parallels: both the parasite and the malware are hard to detect, utterly inconspicuous and masters of manipulation. While the headcrabs in the game latch onto a human host and take it over, the malware takes over Redis database servers. Redis is an open-source in-memory database from the NoSQL family with a simple key-value data model.
Redis can be used as a database, message broker or cache and is one of the most widely used key-value stores in the world. Redis servers are particularly fast, and particularly exposed when misconfigured. Redis was designed to run inside closed, trusted networks, not to face the internet. Out of the box it requires no password (the requirepass directive is unset), and its protected mode only refuses external connections as long as the administrator neither disables it nor explicitly binds the server to a public interface, which is exactly what many exposed instances do. Anyone who can reach the port of such a server can therefore issue any command. HeadCrab has been exploiting such servers worldwide since September 2021 and had compromised around 1,200 Redis servers at the time of Aqua's report. It stayed under the radar of IT security teams because conventional antivirus engines did not flag the samples. Affected servers have been found in India, China and Malaysia as well as the USA, Great Britain and Germany.
A HeadCrab attack proceeds as follows: the attacker connects to an exposed Redis server and issues the SLAVEOF command (REPLICAOF in newer Redis versions), which turns the victim into a replica of a Redis master under the attacker's control. The attacker's master then initiates a synchronisation with the new replica, in the course of which the HeadCrab payload, a malicious Redis module, is written to the victim's host and loaded with MODULE LOAD. No separate dropper or agent is needed; the replication protocol of Redis itself delivers the malware, which is why HeadCrab is described as working "agentlessly".
The malware is built for stealth and serves exactly one purpose: to keep an undetected botnet running for as long as possible and use it to mine the cryptocurrency Monero.
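A practitioner reading the two preceding paragraphs wants two things: a check for the preconditions HeadCrab relies on (a reachable, passwordless Redis on which SLAVEOF/REPLICAOF and MODULE LOAD are still available) and a way to spot the SLAVEOF, sync and module-load chain in Redis's own log. The following Python script is an added example, not code from Aqua Security, Allgeier secion or the Redis project. It audits a redis.conf fragment for those settings, shows a hardened counterpart next to the weak one, and correlates replication-change and module-load messages in sample log lines. The config text, log lines, hosts, client id and module path are constructed for this example; the log message wording is modelled on Redis's replication and module log output, and the protected-mode default of "yes" is assumed.

```python
import re

# Commands the HeadCrab chain relies on: redirecting replication (SLAVEOF, or
# REPLICAOF in Redis 5+) and loading a shared object with MODULE LOAD.
TAKEOVER_COMMANDS = ("slaveof", "replicaof", "module")

# Constructed redis.conf fragments: the exposed setup HeadCrab scans for, and a
# hardened counterpart (password, loopback only, takeover commands disabled).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass correct-horse-battery-staple
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

# Constructed log lines in Redis's "<pid>:<role> <timestamp> <level> <message>" layout;
# the message texts follow what Redis logs for REPLICAOF, the sync and MODULE LOAD,
# while hosts, client id and module path are invented for this example.
SAMPLE_LOG = [
    "1207:M 01 Feb 2023 09:31:44.503 * REPLICAOF 203.0.113.7:6379 enabled "
    "(user request from 'id=12 addr=203.0.113.7:48210 laddr=10.0.0.5:6379 fd=9 cmd=replicaof')",
    "1207:S 01 Feb 2023 09:31:45.010 * Connecting to MASTER 203.0.113.7:6379",
    "1207:S 01 Feb 2023 09:31:45.012 * MASTER <-> REPLICA sync started",
    "1207:S 01 Feb 2023 09:31:46.200 * Module 'exp' loaded from /tmp/.r/exp.so",
]

def parse_redis_conf(text):
    """Parse redis.conf into {directive: [[args...], ...]}, one list per occurrence."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, *args = line.split()
            conf.setdefault(key.lower(), []).append(args)
    return conf

def _last(conf, key, default):
    occ = conf.get(key)  # last occurrence wins, as in Redis itself
    return occ[-1][0] if occ and occ[-1] else default

def audit_conf(conf):
    """Findings for settings that let an unauthenticated client run SLAVEOF / MODULE LOAD."""
    findings = []
    if _last(conf, "requirepass", "") in ("", '""', "''"):
        findings.append("no requirepass: any client that reaches the port can issue commands")
    if _last(conf, "protected-mode", "yes").lower() == "no":  # assumed default: yes
        findings.append("protected-mode no: external clients accepted without a password")
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(b in ("0.0.0.0", "*", "::", "-::*") for b in binds):
        findings.append("listens on all interfaces (no bind, or a wildcard bind address)")
    renamed = {args[0].lower() for args in conf.get("rename-command", []) if args}
    findings += [f"{c.upper()} reachable: not disabled via rename-command or an ACL"
                 for c in TAKEOVER_COMMANDS if c not in renamed]
    return findings

LOG_LINE = re.compile(r"^(?P<pid>\d+):(?P<role>[MSCX]) (?P<ts>\d{2} \w{3} \d{4} "
                      r"\d{2}:\d{2}:\d{2}\.\d{3}) (?P<lvl>[-.*#]) (?P<msg>.*)$")
# Messages Redis emits at the steps of the SLAVEOF -> sync -> MODULE LOAD chain.
EVENTS = (
    ("replica_enabled", re.compile(r"^(?:REPLICAOF|SLAVE OF) (?P<host>\S+):(?P<port>\d+) "
                                   r"enabled \(user request from '(?P<client>[^']*)'\)")),
    ("master_connect", re.compile(r"^Connecting to MASTER (?P<host>\S+):(?P<port>\d+)")),
    ("module_loaded", re.compile(r"^Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")),
)

def scan_log(lines, known_masters=frozenset()):
    """Alerts for replication changes towards unknown masters and for module loads."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for event, pattern in EVENTS:
            e = pattern.match(m["msg"])
            if not e:
                continue
            details = e.groupdict()
            if "host" in details and f"{details['host']}:{details['port']}" in known_masters:
                break  # replication to a master we expect is not an alert
            if event == "replica_enabled":  # client info string names the requesting peer
                addr = re.search(r"addr=(\S+)", details["client"])
                details["requested_by"] = addr.group(1) if addr else "?"
            alerts.append({"event": event, "ts": m["ts"], **details})
            break
    return alerts

def headcrab_chain(alerts):
    """True when an unexpected replication change is later followed by a module load."""
    replicated = False
    for a in alerts:
        if a["event"] in ("replica_enabled", "master_connect"):
            replicated = True
        elif a["event"] == "module_loaded" and replicated:
            return True
    return False
```

Run against WEAK_CONF the audit reports six findings; against HARDENED_CONF it reports none. Renaming REPLICAOF to "" also breaks legitimate replicas, so on Redis 6 and later the cleaner route is an ACL that denies the application user the dangerous command category while a separate replication user keeps it; the root fix in either case is to stop exposing the port at all. The log correlation treats a module load that follows a replication change towards a master not on the allow list as the HeadCrab pattern, while a module load on its own is still reported as an alert.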
Protection against cyberattacks
"SwiftSlicer" and "HeadCrab" pursue different goals, but they have one thing in common: neither is reliably caught by conventional protection tools alone.
With the Active Cyber Defense (ACD) service from Allgeier secion, a Managed Detection and Response (MDR) service is available that specialises in the early detection of malicious activities within networks.
The security analysts take over the all-round monitoring of all network systems and alerts and can identify and prioritise them at an early stage on the basis of a permanent threat analysis. The 24/7 fully managed service delivers a high level of IT security because it focuses on proactive early detection of attacks in the network (cyber threat hunting). Successful cyber attacks are detected at an early stage, and major damage is avoided. If anomalies or malicious communication patterns are detected at network level, Allgeier secion immediately informs its customers and recommends action. All endpoints within the network are monitored - from desktop computers, laptops and mobile devices to IoT devices, BYOD and ICS.
The year 2023 is still young, and already marked by two new and very aggressive malware variants. While "SwiftSlicer" destroys compromised systems irretrievably and is thus presumably used as a weapon in Russia's hybrid war against Ukraine, "HeadCrab" is less destructive, but all the more insidious. "HeadCrab" operates under the radar of conventional protection systems, infects Redis servers and runs them as a botnet for the purpose of cryptomining.
In any case, it remains important that cyberattacks are detected immediately after the first compromise. This is possible with Active Cyber Defense from Allgeier secion: the Managed Detection and Response (MDR) service monitors your network around the clock, enabling proactive protection against cyberattacks.