Transcript
Well, good morning, good afternoon, or good evening, depending on where you are in the world. And thank you for joining this learning experience brought to you by Aqua Security.
My name is Cody, and welcome back to Techstrong Learning.
So today, we are discussing Redis-covering HeadCrab, a technical analysis of a novel malware and the mind behind it. I'm joined today by Asaf Eitani, senior security researcher at Aqua Security.
And we're also joined today by Nitsan Yakov, security data analyst at Aqua Security.
So Nitsan and Asaf, thank you so much for joining us today. Asaf, would you like to take it from here and open up the program?
Yes. Of course. Thank you very much. Welcome everybody, and thank you all for joining us in this exciting webinar. We will demonstrate how HeadCrab attacked several hundred servers worldwide. We're gonna take you through a journey of how we discovered the malware, and how we were able to communicate with the attacker behind the malware and get additional insights into the attack.
So, first things first, let's take a look at what we're gonna do. So we're gonna take a quick look around Redis, a quick introduction to understand what our playing ground is. And then we're gonna tell you the story of HeadCrab, how we discovered it, and what the technical details are, in the following section about the technical analysis.
Then we're gonna talk about the C2 infrastructure and the victims that we were able to detect.
And then we're gonna get to the really juicy part, where we talk about the attacker conversations. We were able to extract additional insights from the attacker, and we were able to gain another binary to analyze. And then the following chapter is gonna be about that binary, a little bit of technical diving.
And, to finish it off, we're gonna talk about HeadCrab 2.0,
a new threat that we discovered, the new version of the threat, which we recently published a blog about.
So a little bit about ourselves. We're part of the Aqua Nautilus research team.
Aqua is a cloud native security company, which focuses mostly on the Linux operating system due to the nature of cloud native environments.
So most of our research is done on Linux environments.
We're mostly focused around vulnerability research, threat research, malware analysis, and open source tools development.
And let's take a look at ourselves.
So I'm Asaf Eitani, as Cody mentioned, I'm a senior security researcher at Aqua Security, and I mostly do low-level Linux research as well as malware analysis. And in the past, I've done some incident response. And with me is Nitsan Yakov.
Hello, everyone. I'm Nitsan Yakov,
a security data analyst at Aqua Security.
As part of my work, I do threat research and data analysis in order to detect new attacks in the wild and investigate them. One of the tools we use that helps us find those attacks is honeypots.
A honeypot is a common technique in which we use a trap to attract attackers to perform their attacks on our honeypot, which allows us to find information about various things. As you can see, it allows us to detect new methods and tools used by the attackers, which provides us information about immediate threats such as new malware, and it also provides us indications of malicious indicators associated with the attackers such as IP addresses, domains, and hashes. It provides us a deeper understanding of the threat landscape, focusing on attackers' TTPs, which allows us to see the bigger picture.
During our analysis process, we are using Aqua's open source solution Tracee. Tracee is a runtime eBPF threat detection engine, which monitors events on the machine.
You can see here an illustration of the honeypot structure. As you can see, there are several applications that may contain a certain vulnerability or misconfiguration.
And on each one of them, Tracee is installed.
Tracee is able to record the attack and identify actions performed by those attackers, which are later analyzed by our team.
As you can see, one of the applications here is Redis. And today, we will focus on Redis. So what is Redis?
Redis is a popular database solution. It supports master-slave cluster replication, which means that the master and slave can transfer data between one another.
In order to decrease security issues, Redis added a new feature called protected mode, which is designed to prevent Redis instances from accepting connections from external hosts. But in case this feature is disabled, which means there is a misconfiguration in this instance,
anonymous login is available, and an attacker can gain the ability to execute commands on our instance.
Redis also boasts unique capabilities such as Redis modules, which extend the server functionality.
We mentioned Redis modules, and Redis modules are shared objects that, as we said, extend the server functionality by implementing Redis commands with features similar to what can be done inside the core itself.
A Redis module can be loaded into Redis at startup by using the Redis configuration file, or at runtime by using the Redis command MODULE LOAD. Once a Redis module is loaded, it is considered part of the Redis process itself and has access to all of its resources.
So we took a glimpse at Redis and got familiar with it. And now let's introduce a security issue that was discovered in 2018 by a security researcher.
He found a technique in which he was able to use the SLAVEOF or REPLICAOF feature. SLAVEOF is a common command in Redis. REPLICAOF can be found in newer versions of Redis. And he presented this technique at a conference called ZeroNights. Let's see how it looks.
As you can see, we have the victim server,
a Redis server, colored in red.
Okay.
Sorry for that.
The attacker scans the network and identifies our misconfigured Redis server. He connects to it anonymously and gains the ability to execute commands on our Redis server. He decides to turn our server into a slave and executes the SLAVEOF command, specifying the IP address of the master server.
Our Redis server becomes a replica of the master server and starts synchronizing with it, expecting to receive data from it. However, in our scenario, the master server is malicious, and he sends a malicious Redis module disguised as a data file. You can see that he sends the shared object HeadCrab. This shared object is saved to the temp directory, and the name of the module corresponds with the timestamp from the synchronization process. We will get into it on the next slide and see how the attacker used this fact. Now the attacker is able to load the module into the process and uses the MODULE LOAD command, and the HeadCrab malware is now part of the Redis process and has access to all of its resources.
We saw how the attack works, and now let's take a look at how the attack looks in the pcap file.
So the attacker initiates the TIME Redis command and receives the time.
Then, as we mentioned, the attacker executes the SLAVEOF attack and receives OK.
Then once again, the attacker executes the TIME Redis command and receives the time after turning our server into a slave. So by now, the attacker has received the time range that includes inside it the timestamp from the synchronization process.
As we mentioned, the Redis master server is malicious, and he sends a malicious Redis module disguised as a data file.
The module name corresponds with the timestamp from the synchronization process, and the attacker used the time range he received earlier in order to brute force its loading. And you can see here the number of attempts the attacker performed when he tried to guess the correct timestamp. And at the end, only one module successfully loads.
So by now, the attacker has gained the ability to execute commands on our Redis server, and as you can see, he uses it. You can see that he executes the id command and receives the answer from our machine.
The attacker was able to load the malware, and now let's get familiar with the malware. So the special dish of the day is not a roast chicken, despite how it might appear.
HeadCrab is known from the computer game Half-Life, for those who know this computer game.
In this game, the headcrab is a monster which attacks humans and turns them into zombies. And this is essentially what the attacker performed in his attack. He targeted our host, infected it with malware, and spread through the network in order to attack others.
You might also be wondering why we decided to name the malware HeadCrab, but the truth is we didn't.
During our investigation, we came across this mini blog that the attacker had compiled along with the malware. And as you can see at the beginning, he introduced this tool as HeadCrab, and that's how we decided on its name.
Did I also mention that he initiates his attacks in order to perform mining activity? So we understand that the main motivation is financial gain.
The attacker also left an email address and encouraged whoever finds this mini blog to write to him. And if you take a closer look, you will be able to see that his name is ice9j. So please remember this line. We will get into it later on.
The mini blog also provides us an indication of when the attacker started to initiate his attacks. We can see that in September 2021, he started to document his activity. And we presume that this is about the time he started to act and initiate his attacks.
And now brace yourself, because we are going to unveil the cherry on top. What was most intriguing about this mini blog is when we saw this line, and we understood that the attacker took the trouble to mention us, Aqua Security.
It occurred in December 2022 as a reply to a blog we had published a month earlier, and it was an amazing reveal to us as we understood the attacker is actually reading our blogs. And we got really excited to continue and investigate this malware and get more familiar with the attacker.
Thank you, Nitsan.
So now let's take a look at the technical view of HeadCrab, now that we know a little bit about it. So what makes HeadCrab so special?
First of all, HeadCrab is the first malware that we've seen that uses custom Redis commands as the C2 channel in order to communicate with the malware. And we're gonna delve into that a little bit deeper in the later slides.
Another thing which is special in HeadCrab is the high operational security, in comparison to other threats in the landscape.
HeadCrab really puts in an effort to try to stay hidden and be operative as long as it can. And that as well we're gonna see in the next few slides. And HeadCrab has over fifty advanced capabilities, ranging all the way from downloading a file or running a command all the way to loading a kernel module and fileless malware.
So in order to see the attack in a more structured way, we divided it into five phases.
So we're gonna go through all of these phases: the infection, C2 channel, defense evasion, persistency, and lateral movement. So the first one we've already seen, this is the infection, and this is what Nitsan talked about, the SLAVEOF or REPLICAOF attack, which was revealed at the convention. And this is how HeadCrab performs its initial infection.
The second phase is the C2 channel. As we mentioned, HeadCrab uses custom Redis commands in order to communicate with the malware over the Redis protocol. And you can see that in the first screenshot, where we see that it creates commands in the format of RDS and then another character, in order to send commands to the malware. On the bottom side of the screen, you can see an example of the RDSR command being used to communicate in an encrypted manner with the malware.
Then we get to the defense evasion phase.
First of all, the malware overrides default Redis commands in order to disguise itself in the system. For example, we can see that it overrides the MONITOR or MODULE commands
to try to hide itself. If you're running MODULE LIST, you'll see all the loaded modules, and that would make HeadCrab appear, and you could discover that you're infected. MONITOR is a command in Redis that shows the history of Redis commands run on the server.
So that is being overwritten as well.
What's interesting is that two other commands are being overwritten, which are SLAVEOF and REPLICAOF, which, as you remember, was the infection method by which the attacker got a hold of the server. So this way, the attacker overrides those commands, returning an invalid command specified, to deny other attackers the opportunity to infect that server with their own malware. Basically, HeadCrab wants to keep this server for himself and doesn't want to share it with other attackers.
So let's take a look at the attack graph, now that we know a little bit more. As we said, the malware overwrites commands and registers new custom commands, and the attacker sends his commands to the malware through the RDS-plus-another-character commands.
And the first thing that we see HeadCrab doing, as he mentioned in the mini blog, is run a crypto miner. XMRig is a common crypto miner, and it's dropped into memfd, which is a memory-backed directory, and then executed. So what is memfd?
memfd, along with others, is a memory-backed file system.
This means that the files that are being saved there are not actually saved to disk. They are run or accessed directly from memory. So memfd and /dev/shm are two of those. The temp directory is a disk file system, but it is being cleared on boot and often being ignored by disk scanning solutions.
The last technique is the network buffer, and this is where HeadCrab receives the payloads from the network communication, from the RDSR commands, and actually executes them directly in memory without their being saved. And this is also a technique that HeadCrab deploys in order to avoid disk scanning solutions.
Okay. So let's talk a little bit about the operational security.
Let's see how HeadCrab managed to stay under the radar for over a year.
So first of all, we have a couple of examples. Let's see the first one.
Shell history hiding is something that HeadCrab is doing whenever it executes commands on the system. So whenever it executes a shell command, it attaches HISTFILE= as an environment variable, basically meaning that the history of that bash session won't be saved to the history file.
The next technique is log clearing, and that's a technique that we see often, but not in the way that HeadCrab is doing it.
HeadCrab is doing it a little bit differently, because other threat actors are simply deleting logs, but that obviously triggers an alert most of the time. So HeadCrab is doing something pretty smart. Instead of deleting the logs, it truncates them to a size of zero bytes. That means that effectively the operating system clears them out and they are not being deleted.
That would not trigger a normal alert on most systems.
Another thing that we've seen HeadCrab doing is hiding data in attributes. So as we mentioned a little bit with the memory-backed files, HeadCrab wants to avoid saving files to disk. So in order to save its configuration, it sets an attribute
on some file in the file system, by that attaching the configuration to the metadata of the file. So if you're a researcher that's trying to investigate what's happening and see which files were created, you won't be able to see it.
Another cool technique of HeadCrab is Lua file loading.
Lua is a language that allows you tight memory control.
So you can control the structure of the memory.
This allows HeadCrab really good control over what it's doing, and it's able to load a script directly into memory without it being saved.
The next method is the dynamic loader.
This is done in order to bypass runtime security products as well as whitelisting solutions.
So what the malware is doing is executing a process through the dynamic loader. Instead of just executing the process, let's say, for instance, XMRig, it is executing the dynamic loader and attaching the path to its desired process as an argument. That effectively creates a process in the name of the dynamic loader, but the content of that process would be our malware.
The next stage is file timestomping.
Whenever HeadCrab changes files, let's say configuration files or service files that we're gonna see next, it is modifying their change time back to their original time in order to avoid being detected by security researchers that try to find changed files or new files.
Another cool thing that we've seen HeadCrab doing is using the inotify feature of Linux in order to know if somebody is trying to find it. So inotify is a system feature that allows you to put, let's say, an alert on certain files and get an alert whenever somebody is accessing those files.
HeadCrab is putting those alerts on /proc/stat and on /dev/pts in order to know if somebody's trying to find it. So /proc/stat is used in order to check if anybody's trying to, let's say, run top or see the process list in order to find a process that consumes a lot of CPU, like XMRig.
And /dev/pts is used in order to know if somebody logged in using SSH to the machine.
In those cases, HeadCrab stops its mining activities in order to stay hidden.
The last thing that we've seen in terms of defense evasion is a clever persistency planting that HeadCrab is doing.
So HeadCrab is inserting configuration into the various configuration files, stating that it needs to load its own malware whenever the server restarts. This is done with the loadmodule command.
But it's not just adding that to the configuration.
It's adding a lot of spaces before and after in order to hide this command from the unsuspecting eyes of a technician or security researcher.
So for example, you can see in the bottom screenshot. I know that you can't read it, but it doesn't matter. You can see on the left side of the screen, you have the configuration. And all the way on the right side of the screen, you can see that we have the command, which, if you look at it with normal editors like Vim or Nano, you won't be able to see.
Let's see some of his persistency capabilities. As Asaf mentioned, the attacker uses module auto-loading as a persistency technique. The attacker also mentioned that he created a credential-stealing service that is used with an init script as a restart script, and we will show you the service on the next slide. So stay tuned.
The attacker also possesses lateral movement capabilities.
During our investigation, we came across the server that attacked us. And we started to investigate it in order to find its origin. And we found out that this server belonged to a security company. And we found it a bit odd, because why would a security company start to attack other servers on the web? We decided to dig a little bit deeper, and we discovered that the attacker initially attacked this server, turning it into an attacking server, and then used it in order to attack others, us included.
As you can see, the attacker attacks servers worldwide, turning them into attacking servers using his pivoting and tunneling capabilities, and basically creates a botnet, which makes it even harder to find its origin.
Let's recap what we have seen by now. So we talked about the infection method, how the attacker abuses the SLAVEOF or REPLICAOF feature in order to infect our Redis instance. Then we continued to talk about the C2 channel; the attacker is actually creating custom commands that allow him to communicate with the malware and initiate actions on our instance.
Then we showed you numerous defense evasion techniques, and this is the highlight of HeadCrab. We continued to talk about some persistency techniques, and last we talked about the lateral movement capabilities the attacker possesses. This made us wonder how many Redis instances were infected due to this attack and had become attacking servers.
We started to think of a unique method in order to detect those infections in Redis servers.
And since we know that the attacker creates custom commands in order to communicate with the malware, we thought that we would be able to use the common Redis COMMAND command, which brings all the available commands
on a specific Redis instance.
And in case those RDS commands appear in a certain instance, we would be able to indicate this server as infected.
You can see here an illustration of an infected Redis server.
As you can see, we executed the COMMAND command, which brings all the available commands on the instance. At the beginning, you can see the default commands like SLAVEOF and TIME. And at the end, you can see the RDS custom commands, like RDSS, RDSR, etcetera, which indicate that the server was infected.
Using this method, we scanned the network in order to find Redis servers that were infected. And we revealed that 1,200 servers were compromised due to this attack. And you can see that the servers are located worldwide. The attacker is not targeting a specific country or specific region, which emphasizes our assumption that the attacker initiates those attacks for financial gain. During our investigation, some of the servers found belonged to different companies, and we informed them that they were attacked.
We showed you some of the attacker's techniques, and now let's get familiar with the attacker. Not long ago, we mentioned that the attacker had left an email address in the mini blog. Remember?
We couldn't forget about it either, and we decided to write to him and test our luck. And so, the attacker actually answered us. And in our first conversation with the attacker, the attacker told us that we were the first ones to write to this email address, and we found it a bit odd, because we know that the attacker started to attack in September 2021, and we discovered the attack about a year later. And this extended timeline emphasizes that we might be the first ones to discover this attack.
So we didn't wanna waste time, and we asked him what his name was. He didn't tell us his full name, of course. But he said that his name was Ice9. So, of course, we've seen that before. This is what's in his email and other places too. So we tried to find out what this name means. And first of all, we stumbled across this song.
So this is Ice 9 by Joe Satriani, or maybe ice9j as in the email.
But as we dug a little bit deeper, we found another reference to that, in a blog,
in a wiki video about the Person of Interest TV series. In that series, Ice-nine, or Ice-nine.x, is the world's most lethal virus, developed by the Department of Defense.
That's the virus. My God. Ice-nine.
Outages go global as it stretches into its second day; financial markets plunge, sending the world's economy into turmoil.
Aware of the Ice-nine virus, security experts say it continues to proliferate as systems across the world are experiencing its effects.
Okay. So as you can imagine, HeadCrab is not taking over the world just yet, but he's trying to, one Redis server at a time.
We continued our conversation with the attacker, and we wanted to ask him if he is related to a known attacking group,
like TeamTNT, for example. And we decided to mention them, and the attacker revealed some interesting information about TeamTNT.
According to him, TeamTNT uses the same credentials for all of their hacked systems, making it easy for him to use his credential stealer tool in order to take control over those resources. This is a brilliant move by the attacker, as he uses his credential stealer tool in order to take control over others' resources and use them for his own good.
The attacker also mentioned that he developed a new mode that he called semi-fileless. According to him, he is preventing creating files on disk and only allows it before reboot or power off, when the process ID is equal to one. And this is exactly like getting on a train before it leaves the station. The attacker is able to leave a mark on the compromised machine and is able to get back into it without being discovered.
The attacker also mentioned that he's not targeting Redis in particular, but also targeting Postgres, Nginx, SSH, and even Docker, which emphasizes how widespread the attack is.
Funny or not, even our attacker follows some rules, and he sent us this set of rules that he follows. In the first rule, the attacker mentioned that he is concerned about the high performance rates on the compromised machine, but he is actually just worried that his mining activity will be discovered, as it increases the performance rates as well. In the second rule, the attacker mentioned that he tries to eliminate competitors in order to maintain control of the machine, and he does so by removing and terminating previous campaigns.
In the third rule, as we mentioned in the technical analysis part, the attacker is closing the vector by removing the SLAVEOF or REPLICAOF command, and by that assuring that no future infection will appear.
By now, we understand that the attacker strives to hide himself and conceal his mining activity. And as we mentioned, he uses inotify in order to do so. So whenever he finds out that someone connects to the machine, he stops the mining activity, which allows him to conceal himself and hide his activity.
Our relationship with the attacker had tightened, and it felt like it was the right time for him to send us a present. How lucky are we, right?
And he decided to send us his credential stealer tool, along with detailed instructions on how to use it. And you can see here an example of the credential stealer tool, a screenshot he sent us.
And now, as promised, let's introduce you to the service.
Thank you, Nitsan.
So now that we've got a present from the attacker, it would be rude not to analyze it, of course. So let's take a look at what that service is doing. So for those of you who aren't familiar with the Half-Life games, this is G-Man, a mysterious figure from the game. And this is not a screenshot from the game itself. This is actually a screenshot from our debugger connected to the service. Whenever the service notices that a debugger was attached to it, it, first of all, dumps this ASCII art into the debugger and then kills the debugger.
The service also prevents access to malicious files using the fanotify feature of Linux.
This feature allows a user to register certain paths to control their requests. So, for example, he has all of his malicious files and paths that he uses, and if somebody else tries to access them, HeadCrab simply denies them. The service simply denies them.
Then it deploys multiple hooks using multiple methods, starting off with ptrace, which is really common and easy to block and easy to detect. But it is moving one method at a time, going all the way up to direct memory manipulation in order to insert its hooks into the other services. And it's hooking authentication and connection functions on SSHD, FTPD, MAILD, and also contains some references to SQLD, although we haven't seen it in the version that we investigated.
Another cool thing that the service is doing is it reinjects the main HeadCrab Redis module into the server. It is doing that by scanning the local host for any Redis ports. And if one is found, it connects to it and uses MODULE LOAD in order to reload the malware into memory. This indicates the tight connection between the HeadCrab malware, the Redis module, and this service, as they need to coexist on the same machine. You can also see that they are pretty similar. They are similar in eighty-seven percent and eighty-four percent of functions.
So that means that they share a lot of code, mostly due to the fact that the service is doing pretty much everything that HeadCrab is doing as well.
So let's take a look at our attack graph. I know you've missed it. So now that we know a little bit more about the attack, let's take a look at it in the graph. We can see that HeadCrab drops and installs the service. By the way, its name is i9j, which hooks the other services in order to try to steal credentials.
Then HeadCrab is using fanotify in order to block access to any of its files and finally reinjects headcrab.so.
So this was pretty cool, and we thought that we were done, but then, several months later,
we found HeadCrab 2.0. So of course, the first thing that we're gonna do is take a look at the mini blog. Of course.
So let's see what happened.
We can see that after we published our first blog about the crab, he referenced that and says that he likes the futuristic head crop picture.
He also mentions some information regarding the technical details that we didn't subscribe in the blog. And also, you can ask if you can catch his service. Of course, we can, but we don't need to because he already sent it to us before even writing that message.
Then on March, we can see that these attaching a YouTube video which was really curious to us. And, we were wondering what it was. And, we were surprised when we opened it up, and it was a a weekly CTI video of, Daniel Laurie about our blog about Headcraft. So we can see Headcraft is also interacting with other security researcher regarding his network.
Then on April, we can see that the ad crop is, or ice nine is mentioning that custom commands are gone with the wind as are more so tracey alerts. We're gonna touch on the custom commands in a bit but let's talk a little bit about Tracy alerts. This indicates, as you remember, Tracy is our open source project, runtime security tool, And this indicates that the attacker is specifically testing these tools against our the Tracy, our project, Here is, referencing to our open source signatures.
But, of course, we have a lot of proprietary signatures that is not avoiding as well.
Yes. Some plans for the future in terms of how to try to avoid signatures.
And they also have another reference to Daniel, and they tries to, to explain why he's doing the things that he is doing.
So let's talk a little bit about the radius hooks.
So this is the radius command structure in radius.
And as you can see, has the redis command proc attribute. This is a function pointer to the function that will run the command. So what the Edcribe is doing is replacing that pointer with his own function in order to hook default commands. As you remember, when you overwrite the default command, this is how he's doing that.
As you can see, this is a pretty simple operation of switching the the pointers and saving the original one. Also in the ADCrop two point o, we see that the ADCrop is running the original command if the if the user that's trying to run the command is not a headcrub and is trying to avoid it.
So it talked about the the fact that custom commands are gone with the wind. So how does a grub control this motor?
So he switched it up and we've instead of, creating custom commands, is communicating with the malware with the help of the m get command, which is a default command on Reddit. Is doing so, in the following manner. This is a normal execution of the m git command.
Simply asking for the value of a key and getting that value back.
But when Headcrab talks with it, it looks something like this. So first of all, he is specifying a special string, which is constructed for each instance.
To identify itself as the attacker.
Then an encryption key is being sent to the attacker, and encryption keys are being exchanged, followed by encrypted communication with the malware. This is done in order to avoid being detected by any IDS solution or signatures.
Okay. So let's get back to our attack graph. This is the last time, I promise, don't worry. So this attack graph is a little bit different.
If you notice, the rogue server doesn't send the Headcrab malware; it sends the loader instead. And this is done in Headcrab 2.0 in order to avoid getting the Headcrab .so saved into the temp directory. So what it is doing is sending a loader file instead, which is saved. It's a simple and small payload.
It's saved to the temp directory and loaded in the same manner that we've seen before. But then the Headcrab .so is being sent to that loader, saved to memfd as the shared object file, and then loaded into memory, allowing the attacker to communicate with it with the MGET command after it overwrites the default commands. So we've seen the overriding, and then the MGET command being used, of course, to run a crypto miner. It's in the same manner.
Then everything else is as usual, as we've seen, with the SSH stealing service, the reinjection of Headcrab via inotify, and everything else. So if you wanna take a screenshot, this is the full attack of Headcrab 2.0.
We have that as well in our recent blog post as a GIF of all of the stages of this attack.
So, as we mentioned, custom commands are gone with the wind. So how are we gonna find new victims?
We also have a problem, that the new version runs the original functions when we try to interact with the Redis server. So what do we do? So let's take a look at one of the commands that's been hooked and the new command that Headcrab implants.
And if you notice, if we try to rewrite or set the dir or dbfilename of the server, we get an instant OK, which is not a regular behavior for a Redis server. So we had an idea. Let's try to change the dir key to a non-existing path and see which servers return OK and which return an error.
So this is how it looks.
We can see that the clean server returns an error, that no such file or directory exists, of course, because we just mentioned some random hash that we created. And on an infected host, we can see that Headcrab returns an OK.
This led us to the discovery of another eleven hundred new infected servers worldwide. As we've seen in the first version, they are scattered all over the world, indicating that Headcrab is mostly focused around financial gains and doesn't really care about politics or jobs.
Okay. So let's conclude this talk, and then we're gonna move on to a Q&A.
First of all, we can see that Headcrab, or Ice Nine, has a deep understanding of the Redis framework and how to use it in order to fit in with normal behavior.
We were able to engage with the Redis team in order to try to find a solution to how those kinds of attacks can be solved in the future.
We also saw how we were able to find issues in the malware in order to detect victims, which is a really powerful technique. And two tips before we end this session: if you're using Redis servers, use protected mode. It will save you from Headcrab. And Tracee and Aqua CNDR can help detect those threats along with other runtime solutions.
Thank you, everybody. If you wanna check out our blogs, those are the links. We also have our social media and the blog links in the QR code, which you can scan, as well as our Twitter and everything else.
Alright. Well, Asaf and Nitsan, thank you all so much. We have received one question so far. So I will just give one final call out to anyone who has any questions: go ahead and submit those to the Q&A. We've got time here to take a look at them.
So our first question reads: Have there been any observed patterns in the industries or geographic regions targeted by Headcrab, and what implications does this have for affected organizations?
Okay. So, as we've seen in the first version, as well as the second version, Headcrab doesn't really care about geography or anything else. It's more focused on the financial gain. So he's trying to get as much money as he can.
And what implication does it have on the organization?
Headcrab has really unique capabilities, which allow him to pivot inside networks and steal credentials.
So if an organization was infected with Headcrab, they should consider opening an investigation, incident response, and try to see where that threat was going, and if he tried or succeeded in hacking or infecting other servers as well.
Alright. And it looks like we have a question from John, and John just asked if we can post some links here. So I am gonna ask you guys to compile a couple of the links that you've talked about and potentially send those out to our registrants after the webinar. Is that alright with you guys?
Yeah. For sure. I think we can also publish it now.
Oh, yes. It looks like Joe has started posting some of those links there in the chat.
So John, take a look at the chat. Some of those links are gonna be there.
Perfect. We received another question here from Daryl. How often do you see instruments such as this that indicate origins from the DOD?
Well, we think it wasn't really a virus from the Department of Defense, of course. I think this was a way of the attacker just simply trying to be funny, or using his favorite TV show or something like that to be creative with the naming of the malware itself.
So taking one last look, we got a couple more questions. So let's take: How do we enforce persistent logging?
Okay. So it depends on what your logging solution is. With Aqua, we have either Tracee, which is the open source solution, which can be used in order to save logs whenever you want and then maybe upload them somewhere. And then Aqua CNDR will save those attempts and those malicious actions into the database, and you will be able to see them in the product itself, in the screens.
Perfect. We've got another question here. I'll put it up on the screen for us: How is the Headcrab malware continuing to evolve in both virality and efficacy?
How does it affect detection and remediation?
So we've seen an example of that with the custom commands.
This is a switch that Headcrab has done.
We assume after our blog post he probably understood that this is the way that we found the victims. And as we've seen, he tries to make it harder for us to find victims, making our lives harder to find it within the system, trying to add more operational security. As we've seen, this is one of the most powerful points of the Headcrab malware. So we predict that this side would continue to evolve. And, as always, we're gonna monitor for that and add any malicious behaviors that we've seen into our CNDR and other behavioral detections.
It looks like we've got one final question, and they just ask if you have any predictions for AI, quantum, or really anything else.
Not in the sense of Headcrab, I think, but we do use AI in our work and research.
Both in our analysis as well as threat research.
And we try to incorporate that into our work in order to become more productive. So this is as well something that we're doing nowadays.
That is the last of our questions. So I did want to give each of you the opportunity to leave us with any final remarks before we officially take things off the air. So Nitsan, Asaf, anything top of mind?
Thank you for having us. Thank you all for coming. Thank you, Nitsan.
Thank you, Scott.
And, we hope that you enjoyed it.
Wonderful. Well, thank you both. We really appreciate you joining us on Techstrong Learning, and we just really appreciate the expertise that you brought to the table today. I know this is a big topic, and a lot of people seem to have a lot of interest here in following Headcrab as it expands or gets taken down, either way.
So I would like to thank both of our speakers today, Nitsan and Asaf. I'd like to thank Aqua Security for sponsoring our program today. And to our audience, thank you so much for being here with us. We appreciate your time, and we hope to see you at a future Techstrong Learning experience. Have a great rest of your day, and you may now disconnect.