Fileless – INDIA NEWS (https://www.indiavpn.org)

HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining
https://www.indiavpn.org/2024/02/01/headcrab-2-0-goes-fileless-targeting-redis-servers-for-crypto-mining/
Thu, 01 Feb 2024 19:28:41 +0000

Feb 01, 2024 | Newsroom | Cryptocurrency / Botnet


Cybersecurity researchers have detailed an updated version of the malware HeadCrab, which has been targeting Redis database servers across the world since early September 2021.

The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve.

The cloud security firm said that “the campaign has almost doubled the number of infected Redis servers,” with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023.


HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

While the origins of the threat actor are presently not known, they make it a point to note in a “mini blog” embedded into the malware that the mining activity is “legal in my country” and that they do it because “it almost doesn’t harm human life and feelings (if done right).”

The operator, however, acknowledges that it’s a “parasitic and inefficient way” of making money, adding that their aim is to make $15,000 per year.

“An integral aspect of the sophistication of HeadCrab 2.0 lies in its advanced evasion techniques,” Aqua researchers Asaf Eitani and Nitzan Yaakov said. “In contrast to its predecessor (named HeadCrab 1.0), this new version employs a fileless loader mechanism, demonstrating the attacker’s commitment to stealth and persistence.”


It’s worth noting that the previous iteration utilized the SLAVEOF command to download and save the HeadCrab malware file to disk, thereby leaving artifact traces on the file system.

HeadCrab 2.0, on the other hand, receives the malware’s content over the Redis communication channel and stores it in a fileless location in a bid to minimize the forensic trail and make it much more challenging to detect.

Also changed in the new variant is the use of the Redis MGET command for command-and-control (C2) communications, which adds a further layer of covertness.


“By hooking into this standard command, the malware gains the ability to control it during specific attacker-initiated requests,” the researchers said.

“Those requests are achieved by sending a special string as an argument to the MGET command. When this specific string is detected, the malware recognizes the command as originating from the attacker, triggering the malicious C2 communication.”

Describing HeadCrab 2.0 as an escalation in the sophistication of Redis malware, Aqua said its ability to masquerade its malicious activities under the guise of legitimate commands poses new problems for detection.

“This evolution underscores the necessity for continuous research and development in security tools and practices,” the researchers concluded. “The engagement by the attacker and the subsequent evolution of the malware highlights the critical need for vigilant monitoring and intelligence gathering.”

LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks
https://www.indiavpn.org/2024/01/25/lodeinfo-fileless-malware-evolves-with-anti-analysis-and-remote-code-tricks/
Thu, 25 Jan 2024 17:04:27 +0000

Jan 25, 2024 | Newsroom | Fileless Malware / Endpoint Security


Cybersecurity researchers have uncovered an updated version of a backdoor called LODEINFO that’s distributed via spear-phishing attacks.

The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware “has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques.”

LODEINFO (versions 0.6.6 and 0.6.7) was first documented by Kaspersky in November 2022, which detailed its capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server.

A month later, ESET disclosed attacks targeting Japanese political establishments that led to the deployment of LODEINFO.


The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021.

Attack chains commence with phishing emails bearing malicious Microsoft Word documents that, when opened, execute VBA macros to launch downloader shellcode capable of ultimately executing the LODEINFO implant.


LODEINFO infection paths in 2023 have also been observed making use of remote template injection methods to retrieve and execute malicious macros hosted on the adversary’s infrastructure every time the victim opens a lure Word document containing the template.

What’s more, checks are said to have been added sometime around June 2023 to verify whether the language setting of Microsoft Office is Japanese, only for them to be removed a month later in attacks leveraging LODEINFO version 0.7.1.


“In addition, the filename of the maldoc itself has been changed from Japanese to English,” ITOCHU noted. “From this, we believe that v0.7.1 was likely used to attack environments in languages other than Japanese.”

Another notable change in attacks delivering LODEINFO version 0.7.1 is the introduction of a new intermediate stage in which the shellcode downloader fetches a file that masquerades as a Privacy-Enhanced Mail (PEM) file from a C2 server, which, in turn, loads the backdoor directly in memory.


The downloader shares similarities with a known fileless downloader dubbed DOWNIISSA, based on the self-patching mechanism used to conceal malicious code, the encoding method for command-and-control (C2) server information, and the structure of the data decrypted from the fake PEM file.

“LODEINFO backdoor shellcode is a fileless malware that allows attackers to remotely access and operate infected hosts,” the company said, with samples found in 2023 and 2024 incorporating extra commands. The latest version of LODEINFO is 0.7.3.

“As a countermeasure, since both the downloader shellcode and the backdoor shellcode of LODEINFO are fileless malware, it is essential to introduce a product that can scan and detect malware in memory in order to detect it,” it added.
