Emerging P2PInfect Botnet MIPS Variant Targets Routers and IoT Devices

December 4, 2023

Cybersecurity researchers have identified a new variant of the emerging P2PInfect botnet that is capable of targeting routers and IoT devices. The latest variant, according to Cado Security Labs, is compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, thereby extending its reach and potential targets. As security researcher Matt Muir stated in a shared report, "It's highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware."

The P2PInfect botnet, a malware developed in Rust, was first reported in July 2023. It targets unpatched Redis instances, exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) for initial access. A subsequent analysis by the cloud security firm in September revealed a significant increase in P2PInfect activity, aligning with the release of iterative variants of the malware.

The new artifacts of this botnet attempt to conduct SSH brute-force attacks on devices integrated with 32-bit MIPS processors. They also incorporate updated evasion and anti-analysis techniques to avoid detection. The brute-force attacks on SSH servers identified during the scanning phase use common username and password pairs found within the ELF binary itself. Both SSH and Redis servers are suspected to be propagation vectors for the MIPS variant, as it's feasible to run a Redis server on MIPS using an OpenWrt package known as redis-server.
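The SSH brute-force behaviour described above leaves a recognisable trace on the target: a burst of failed password logins for a rotating set of common usernames from one source. The following is an added detection example, written for this article and not taken from the Cado Security report or the P2PInfect samples. It assumes standard OpenSSH syslog-style "Failed password" lines (the log excerpt is constructed), flags any source exceeding a threshold of failures inside a sliding time window, and includes a small check of an sshd_config text for the setting that makes such attacks possible in the first place: password authentication being left enabled.

```python
"""Flag SSH password brute-force bursts in sshd logs and check whether
password authentication is still enabled.

Added example for this article; not code from the Cado Security report.
Log lines and sshd_config text below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH syslog-style failure line (syslog timestamps carry no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: one source cycling through common usernames,
# one legitimate user who mistyped once, one isolated failure.
SAMPLE_LOG = """\
Dec  4 10:00:01 router sshd[412]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec  4 10:00:03 router sshd[413]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Dec  4 10:00:05 router sshd[414]: Failed password for invalid user pi from 203.0.113.7 port 51024 ssh2
Dec  4 10:00:07 router sshd[415]: Failed password for invalid user user from 203.0.113.7 port 51025 ssh2
Dec  4 10:00:09 router sshd[416]: Failed password for root from 203.0.113.7 port 51026 ssh2
Dec  4 10:00:11 router sshd[417]: Failed password for invalid user support from 203.0.113.7 port 51027 ssh2
Dec  4 10:15:30 router sshd[520]: Failed password for alice from 198.51.100.9 port 40210 ssh2
Dec  4 10:15:41 router sshd[521]: Accepted password for alice from 198.51.100.9 port 40210 ssh2
Dec  4 11:02:00 router sshd[600]: Failed password for root from 192.0.2.33 port 3344 ssh2
"""


def parse_failures(lines, year=2023):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Collapse the padded day field ("Dec  4") before parsing.
        ts_text = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: (total_failures, sorted usernames tried)} for every
    source that produced at least `threshold` failures within any
    `window_seconds` span. Uses a two-pointer sliding window per source."""
    per_src = defaultdict(list)
    for ts, user, src in parse_failures(lines):
        per_src[src].append((ts, user))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        j = 0
        densest = 0
        for i in range(len(events)):
            # Advance j while events[j] is still within the window of events[i].
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            densest = max(densest, j - i)
        if densest >= threshold:
            flagged[src] = (len(events), sorted({u for _, u in events}))
    return flagged


def password_auth_enabled(sshd_config: str) -> bool:
    """True if the config leaves PasswordAuthentication on. OpenSSH defaults to
    'yes' and honours the first occurrence of a keyword; Match blocks are not
    modelled here (assumption: a plain global config)."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].lower() == "yes"
    return True


if __name__ == "__main__":
    for src, (count, users) in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"brute-force candidate {src}: {count} failures, usernames {users}")
    print("password auth enabled:", password_auth_enabled("PasswordAuthentication no\n"))
```

Only the source that cycles through several usernames within seconds is flagged; a single mistyped password is not. Where password authentication must stay on for an embedded device, the flagged-source output is the natural input for a firewall rule or a fail2ban-style lockout.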

Among the evasion techniques used by this botnet is a check to ascertain if it's being analyzed. If it detects this, it will terminate itself. It also attempts to disable Linux core dumps, which are files automatically created by the kernel following an unexpected process crash. The MIPS variant also contains an embedded 64-bit Windows DLL module for Redis that enables the execution of shell commands on a compromised system.

Cado Security Labs noted, "Not only is this an interesting development in that it demonstrates a widening of scope for the developers behind P2PInfect (more supported processor architectures equals more nodes in the botnet itself), but the MIPS32 sample includes some notable defense evasion techniques." This, in combination with the malware's use of Rust (which aids cross-platform development) and the rapid expansion of the botnet, supports previous suggestions that a sophisticated threat actor is behind this campaign.
