
P2Pinfect Worm Now Delivering Ransomware on Redis Servers


Cado Security experts warned that the P2Pinfect worm is used in attacks on Redis servers to deliver ransomware and cryptocurrency mining payloads. 

Palo Alto Networks Unit 42 researchers uncovered the peer-to-peer worm P2PInfect in July 2023, which targets Redis servers running on Linux and Windows. The ability to target Redis servers on both operating systems gives P2PInfect a broader reach than other worms and makes it more dangerous.

Cado Security Labs identified a new strain of the P2Pinfect botnet in December 2023, specifically targeting routers, IoT devices, and other embedded devices. This variant was built for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. The new bot includes enhanced evasion methods, including checks that stop it from running inside a Virtual Machine (VM) or under a debugger, and anti-forensics support for Linux hosts.

The worm is written in Rust and targets Redis instances using the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0). In September 2023, Cado Security Labs detected a 600x spike in P2Pinfect traffic since August 28. Researchers noted that the malware did not seem to have a goal other than to spread; however, a new upgrade of P2Pinfect has introduced a ransomware and crypto miner payload. 

The most recent campaign began on June 23, a date inferred from the TLS certificate used for C2 communications. The malware propagates by leveraging Redis's replication features, in which the nodes of a distributed cluster follow a leader/follower topology. The attackers abuse this feature by making follower nodes load arbitrary modules, which yields code execution on those nodes. P2Pinfect uses the SLAVEOF command to turn exposed Redis nodes into followers of a server under the operator's control.
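The replication takeover described above leaves two things a defender can check on each node: whether the instance is currently following a leader it should not, and whether the configuration still allows an unauthenticated client to repoint it and load modules. The following Python script is an added example, not code from Cado Security or Unit 42; it audits constructed `INFO replication` output and two constructed redis.conf fragments (a weak one and a hardened one), and the `KNOWN_MASTERS` allowlist is a hypothetical value an operator would supply.

```python
"""Audit a Redis node for the replication-hijack exposure used by P2Pinfect.

Added example, not from the original post. All inputs are constructed:
SAMPLE_INFO_REPLICATION mimics `INFO replication` output, the two config
strings mimic redis.conf, and KNOWN_MASTERS is a hypothetical allowlist.
"""

# Constructed `INFO replication` output from a node that has been turned
# into a follower of a host the operator does not recognise.
SAMPLE_INFO_REPLICATION = """# Replication
role:slave
master_host:203.0.113.10
master_port:6379
master_link_status:up
"""

# Constructed redis.conf with the settings that let an exposed node be
# pointed at an attacker-controlled leader by any client that can reach it.
WEAK_REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass changeme
"""

# Constructed hardened redis.conf: loopback only, authentication on, and the
# replication and module-loading commands removed with rename-command.
HARDENED_REDIS_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-STRONG-PASSWORD
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

# Hypothetical allowlist of leaders this deployment legitimately follows.
KNOWN_MASTERS = {"10.0.0.5"}

# Commands in the propagation chain: SLAVEOF/REPLICAOF repoint a node at a
# new leader, MODULE loads arbitrary shared objects into the server.
DISABLE_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE")


def parse_info(text):
    """Parse `INFO`-style `key:value` lines into a dict, skipping comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def check_replication(info_text, known_masters):
    """Flag a node that follows a leader outside the allowlist."""
    info = parse_info(info_text)
    findings = []
    # role:slave means the node is replicating; role:master means it is not.
    if info.get("role") == "slave":
        master = info.get("master_host", "")
        if master not in known_masters:
            port = info.get("master_port", "?")
            findings.append(f"node replicates from unknown leader {master}:{port}")
    return findings


def parse_conf(text):
    """Return (directives, disabled_commands) from redis.conf text."""
    directives = {}
    disabled = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "rename-command" and len(parts) == 3:
            # Renaming a command to the empty string removes it entirely.
            if parts[2] == '""':
                disabled.add(parts[1].upper())
        else:
            directives[parts[0]] = " ".join(parts[1:])
    return directives, disabled


def check_conf(conf_text):
    """Flag settings that leave the SLAVEOF/MODULE takeover path open."""
    directives, disabled = parse_conf(conf_text)
    findings = []
    # protected-mode defaults to yes when the directive is absent.
    if directives.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is off")
    bind = directives.get("bind", "")
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("listens on all interfaces (bind missing or wildcard)")
    if "requirepass" not in directives:
        findings.append("requirepass not set: unauthenticated clients can issue SLAVEOF")
    for cmd in DISABLE_COMMANDS:
        if cmd not in disabled:
            findings.append(f'{cmd} not disabled (rename-command {cmd} "")')
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_REDIS_CONF), ("hardened", HARDENED_REDIS_CONF)):
        print(f"{name} config:", check_conf(conf) or ["no findings"])
    print("replication:", check_replication(SAMPLE_INFO_REPLICATION, KNOWN_MASTERS) or ["no findings"])
```

In production the two inputs come from `redis-cli INFO replication` and the running server's config file; the allowlist is the only part that needs local knowledge. An unexpected `role:slave` with a foreign `master_host` is the single strongest indicator of this takeover, since a legitimate replica never follows a host outside the cluster.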

“P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated,” Cado researchers stated. “Upon launch it drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.”

The worm's primary binary appears to have changed: it is now built with the Tokio async framework for Rust and packed with UPX. The malware's internals have been completely rewritten; researchers found that the binary had been stripped and partially obfuscated to make static analysis more difficult. Previously, P2Pinfect maintained persistence by adding itself to .bash_logout and running a cron job; these methods are no longer used. Other behaviours, such as the initial setup, are unaffected.