The P2PInfect worm, a peer-to-peer (P2P) malware, has been observed using new initial access techniques to compromise vulnerable Redis servers and enlist them in a botnet. According to a report by Cado Security researchers Nate Bill and Matt Muir, the malware compromises exposed Redis data store instances by abusing the replication feature. They explained, "A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command."
The malware, written in Rust, was initially documented by Palo Alto Networks Unit 42, which highlighted its ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to gain entry into Redis instances. The campaign is thought to have started on or after June 29, 2023. However, the latest findings indicate that the threat actors behind the campaign are utilizing multiple exploits for initial access.
This is not the first instance of the SLAVEOF command being misused. Threat actors behind malware families such as H2Miner and HeadCrab have previously used the same technique to mine cryptocurrency illicitly on compromised hosts. The aim is to make the exposed instance replicate from an attacker-controlled master, which delivers a malicious shared-object module to the victim; loading that module starts the infection. A second initial access method involves registering a malicious cron job on the Redis host that downloads the malware from a remote server when it runs, a tactic previously seen in attacks by the WatchDog cryptojacking group. Both techniques require only an unauthenticated connection to the Redis port, not a memory-corruption bug, so an instance that is fully patched against CVE-2022-0543 is still exposed if it is reachable without a password.
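The two Redis access paths described above (SLAVEOF replication hijack and cron-job planting) leave a characteristic command sequence on the server, and a defender can spot it in the output of Redis's own MONITOR command. The following Python script is an added example written for this article, not code from Cado Security or from the Redis project. It parses constructed MONITOR lines in the real MONITOR format (`<timestamp> [<db> <client>] "<CMD>" "<arg>" ...`), flags SLAVEOF/REPLICAOF pointed at a foreign host, MODULE LOAD, and CONFIG SET changes that aim the RDB dump at cron or SSH locations (the usual way a cron job is planted through Redis), and then audits two constructed redis.conf fragments, one exposed and one hardened. The sample log lines, IP addresses, file names and config fragments are all made up for the example.

```python
import re
from dataclasses import dataclass

# Redis MONITOR output looks like:
#   1689345680.556677 [0 198.51.100.7:40122] "SLAVEOF" "198.51.100.7" "6379"
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted argument, quotes may be escaped

# Directories an attacker points `dir` at so that a forced RDB SAVE becomes a cron job or SSH key.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/cron", "/root/.ssh", "/home/")

@dataclass
class Finding:
    ts: str
    client: str
    technique: str
    command: str

def parse_monitor_line(line):
    """Split one MONITOR line into (timestamp, client, [cmd, arg, ...]); None if it is not one."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["client"], ARG_RE.findall(m["args"])

def classify(args):
    """Return a description of the abuse a command implements, or None for benign commands."""
    if not args:
        return None
    cmd = args[0].upper()
    if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3:
        # "SLAVEOF NO ONE" turns replication off and is the only legitimate-looking form here.
        if not (args[1].upper() == "NO" and args[2].upper() == "ONE"):
            return f"replication hijack: instance made a replica of {args[1]}:{args[2]}"
        return None
    if cmd == "MODULE" and len(args) >= 2 and args[1].upper() == "LOAD":
        return f"MODULE LOAD of shared object {args[2] if len(args) > 2 else '?'}"
    if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
        key, value = args[2].lower(), args[3]
        if key == "dir" and value.startswith(SENSITIVE_DIRS):
            return f"CONFIG SET dir into sensitive path {value}"
        if key == "dbfilename" and not value.endswith(".rdb"):
            return f"CONFIG SET dbfilename to non-RDB name {value}"
    return None

def scan(lines):
    """Run the detection over MONITOR output and return the suspicious commands in order."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, args = parsed
        technique = classify(args)
        if technique:
            findings.append(Finding(ts, client, technique, " ".join(args)))
    return findings

def audit_conf(text):
    """Return the weaknesses in a redis.conf fragment; an empty list means it passes."""
    settings, renamed = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "rename-command" and len(parts) >= 2:
            renamed.add(parts[1].upper())
        else:
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    issues = []
    bind = settings.get("bind")  # with no bind directive Redis listens on every interface
    if bind is None or any(a.lstrip("-") in ("0.0.0.0", "*", "::") for a in bind.split()):
        issues.append("bind: listens on all interfaces")
    if settings.get("protected-mode", "yes").lower() == "no":
        issues.append("protected-mode no")
    if not settings.get("requirepass"):
        issues.append("no requirepass")
    for cmd in ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG"):
        if cmd not in renamed:
            issues.append(f"{cmd} not renamed/disabled")
    return issues

# Constructed MONITOR capture: one benign client, then the SLAVEOF and cron-planting sequence.
SAMPLE_MONITOR_LOG = """\
1689345678.123456 [0 10.0.0.5:51234] "PING"
1689345679.001122 [0 10.0.0.5:51234] "SET" "session:42" "abc"
1689345680.556677 [0 198.51.100.7:40122] "SLAVEOF" "198.51.100.7" "6379"
1689345681.778899 [0 198.51.100.7:40122] "MODULE" "LOAD" "/tmp/exp.so"
1689345682.000001 [0 198.51.100.7:40122] "CONFIG" "SET" "dir" "/var/spool/cron"
1689345682.100001 [0 198.51.100.7:40122] "CONFIG" "SET" "dbfilename" "root"
1689345690.000000 [0 10.0.0.5:51234] "SLAVEOF" "NO" "ONE"
"""

# Constructed config fragments: the exposed setup beside a hardened one.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass <long-random-secret>
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_MONITOR_LOG.splitlines()):
        print(f"{f.ts} {f.client}: {f.technique}  <{f.command}>")
    print("weak conf issues:", audit_conf(WEAK_CONF))
    print("hardened conf issues:", audit_conf(HARDENED_CONF))
```

Run against the sample, the scanner reports four events from the foreign client (the SLAVEOF hijack, the MODULE LOAD, and the two CONFIG SET calls that aim the dump file at /var/spool/cron/root) and ignores the legitimate `SLAVEOF NO ONE`. The config audit flags the weak fragment seven times and passes the hardened one. Disabling commands with `rename-command ""` is the long-standing approach; on Redis 6 and later the equivalent is an ACL that denies the `@dangerous` category to application users, and MONITOR itself is too expensive to leave running in production, so in practice the same rules would be applied to a packet capture or to the Redis log of a test instance.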
A successful breach leads to the distribution of next-stage payloads that enable the malware to freely modify iptables firewall rules, upgrade itself, and potentially deploy cryptocurrency miners once the botnet has reached a certain size. The researchers noted, "The P2Pinfect malware makes use of a peer-to-peer botnet. Each infected server is treated as a node, which then connects to other infected servers. This allows the entire botnet to gossip with each other without using a centralized C2 server."
A distinctive characteristic of the botnet is its worming behavior, which allows it to extend its reach by using a list of passwords to brute-force SSH servers and attempt to exploit the Lua sandbox escape vulnerability or use the SLAVEOF command in the case of Redis servers. The researchers concluded, "P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2. The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder."