P2Pinfect Worm Targets Redis Servers with Ransomware and Crypto Miners

June 27, 2024

Cado Security researchers have warned that the P2Pinfect worm is now attacking Redis servers to deploy ransomware and cryptocurrency-mining payloads. Redis, which runs on both Linux and Windows, remains the worm's primary target, and because every infected host goes on to scan for and infect further servers, the threat scales with each compromise.

In December 2023, Cado Security Labs detected a new variant of the P2Pinfect botnet that specifically targeted routers, IoT devices, and other embedded devices. That variant was compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. It also added evasion mechanisms: it can detect and refuse to run inside a virtual machine (VM) or under a debugger, and it includes anti-forensics features for Linux hosts.

The P2Pinfect worm, written in Rust, has been observed exploiting the Lua sandbox escape vulnerability CVE-2022-0543 against Redis instances. Cado Security Labs reported a 600x increase in the worm's traffic since August 28, 2023. The latest update to P2Pinfect introduces ransomware and crypto-miner payloads, although the malware's primary objective still appears to be propagation.

The latest campaign commenced on June 23, as indicated by the TLS certificate used for C2 communications. The malware propagates by abusing Redis replication, in which nodes follow a leader/follower (master/replica) topology and a follower mirrors whatever the leader sends it. Attackers abuse this to make follower nodes load an arbitrary module, which gives them code execution on those nodes. P2Pinfect issues the SLAVEOF command to an exposed Redis instance to turn it into a follower of a server under the operators' control. It then delivers a shared object (.so) file to the follower through the replication stream and instructs the follower to load that file as a module, after which the attacker can send and execute arbitrary commands on the node. This only works against instances that accept unauthenticated commands from the network: Redis's default protected mode, a bound loopback address, or requirepass/ACLs all block it, and renaming or disabling the SLAVEOF, REPLICAOF, CONFIG and MODULE commands removes the primitive even if the port is reachable.
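The command sequence described above leaves a distinctive trail in Redis MONITOR output (or in a proxy or packet capture of the Redis port). The following detection check is an added example written for this article, not code from the Cado report or from P2Pinfect; the MONITOR lines, client addresses and timestamps are constructed, and the stage names are the example's own. It parses each MONITOR line, classifies the commands that make up the replication-abuse chain (SLAVEOF/REPLICAOF to an external leader, CONFIG SET dbfilename to a .so, MODULE LOAD) and reports per client whether the full chain was seen.

```python
import re
from collections import defaultdict

# Constructed sample of Redis MONITOR output (not from the Cado report).
# Addresses come from documentation ranges; timestamps are arbitrary.
SAMPLE_MONITOR = """\
1719100001.102938 [0 10.0.0.7:51022] "GET" "session:42"
1719100002.220011 [0 198.51.100.23:40110] "INFO" "server"
1719100002.310022 [0 198.51.100.23:40110] "SLAVEOF" "203.0.113.9" "6379"
1719100003.004411 [0 198.51.100.23:40110] "CONFIG" "SET" "dir" "/tmp"
1719100003.105511 [0 198.51.100.23:40110] "CONFIG" "SET" "dbfilename" "exp.so"
1719100005.550000 [0 198.51.100.23:40110] "MODULE" "LOAD" "/tmp/exp.so"
1719100006.000001 [0 198.51.100.23:40110] "SLAVEOF" "NO" "ONE"
1719100007.123456 [0 10.0.0.7:51022] "SET" "session:43" "abc"
"""

# MONITOR line format: <unix-time.micros> [<db> <ip>:<port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Stages that together make up the replication-abuse chain (names are this example's own).
CHAIN_STAGES = {"replica_of_external", "dbfilename_shared_object", "module_load"}


def parse_monitor_line(line):
    """Return {'ts', 'db', 'client', 'args'} for one MONITOR line, or None if it does not match."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "db": int(m.group("db")),
        "client": m.group("client"),
        "args": ARG_RE.findall(m.group("rest")),
    }


def classify(args):
    """Map a parsed command to a stage of the replication-abuse chain, or None if benign."""
    if not args:
        return None
    cmd = args[0].upper()
    if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3:
        # SLAVEOF NO ONE restores leader status; anything else points at a new leader.
        if not (args[1].upper() == "NO" and args[2].upper() == "ONE"):
            return "replica_of_external"
        return "replica_reset"
    if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
        if args[2].lower() == "dbfilename" and args[3].lower().endswith(".so"):
            return "dbfilename_shared_object"
        if args[2].lower() == "dir":
            return "dir_changed"
    if cmd == "MODULE" and len(args) >= 3 and args[1].upper() == "LOAD":
        return "module_load"
    return None


def detect_replication_abuse(monitor_text):
    """Group suspicious commands by client and flag clients that completed the whole chain."""
    by_client = defaultdict(list)
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        stage = classify(parsed["args"])
        if stage is not None:
            by_client[parsed["client"]].append((parsed["ts"], stage, " ".join(parsed["args"])))
    findings = []
    for client, events in sorted(by_client.items()):
        events.sort()  # chronological per client
        stages = [s for _, s, _ in events]
        findings.append({
            "client": client,
            "stages": stages,
            "commands": [c for _, _, c in events],
            "full_chain": CHAIN_STAGES <= set(stages),
        })
    return findings


if __name__ == "__main__":
    for f in detect_replication_abuse(SAMPLE_MONITOR):
        label = "FULL CHAIN" if f["full_chain"] else "partial"
        print(f"{f['client']}: {label}")
        for cmd in f["commands"]:
            print("   ", cmd)
```

MONITOR is expensive on a busy instance, so run it briefly for triage or feed the same logic from a network capture. Any hit on the full chain from a non-loopback client is a compromise indicator, not a misconfiguration warning: by the time MODULE LOAD succeeds, the attacker already has code execution.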

As per the report published by Cado, “P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated.”

The main binary of the worm has been rewritten on the Tokio async framework for Rust and packed with UPX. The malware's internals were substantially reworked, and the binary is stripped and partially obfuscated to make static analysis harder. The new P2Pinfect version also supports a command instructing it to download and run the rsagen binary, a new ransomware payload.

“The ransomware stores a database of the files it encrypted in a mktmp file with .lockedfiles appended,” the report continues. P2Pinfect also includes a user-mode rootkit that modifies the .bashrc file in each user's home directory, appending a line of the form export LD_PRELOAD=/home/<user>/.lib/libs.so.1 so that the shared object dropped in the user's home is preloaded into every program that user starts from a shell. The researchers at Cado believe P2Pinfect might be a botnet for hire that lets customers deploy their own payloads.
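A persistence check for this rootkit technique, as an added example written for this article and not code from the Cado report: it scans .bashrc contents for LD_PRELOAD assignments (exported or not, quoted or not, colon-separated lists) and flags entries that point into a home directory or through a hidden directory, which is where a legitimate preload library never lives. The .bashrc contents and home paths below are constructed; the real run would read /home/*/.bashrc.

```python
import glob
import os
import re

# Constructed .bashrc contents for three users (not from the Cado report).
SAMPLE_HOMES = {
    "/home/alice": "# ~/.bashrc\nalias ll='ls -la'\nexport PATH=$PATH:$HOME/bin\n",
    "/home/bob": "# ~/.bashrc\nalias ll='ls -la'\nexport LD_PRELOAD=/home/bob/.lib/libs.so.1\n",
    "/home/carol": '#export LD_PRELOAD=/opt/debug/libtrace.so\n'
                   'LD_PRELOAD="/usr/lib/libfoo.so:/home/carol/.lib/libs.so.1"\n',
}

# Matches `LD_PRELOAD=...` or `export LD_PRELOAD=...` at the start of a line.
PRELOAD_RE = re.compile(r'^\s*(?:export\s+)?LD_PRELOAD=(?P<value>.+?)\s*$')


def find_ld_preload_entries(text):
    """Return [(line_number, path), ...] for every library named in an LD_PRELOAD assignment."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # commented-out lines never execute
            continue
        m = PRELOAD_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip('"\'')
        for path in value.split(":"):  # LD_PRELOAD accepts a colon-separated list
            path = path.strip()
            if path:
                hits.append((lineno, path))
    return hits


def suspicious_preloads(home, text):
    """Flag preload paths under the user's home or containing a hidden directory component."""
    home = home.rstrip("/")
    findings = []
    for lineno, path in find_ld_preload_entries(text):
        reasons = []
        if path.startswith(home + "/"):
            reasons.append("library lives in the user's home directory")
        if any(part.startswith(".") for part in path.split("/") if part):
            reasons.append("path goes through a hidden directory")
        if reasons:
            findings.append({"line": lineno, "path": path, "reasons": reasons})
    return findings


def scan_homes(homes_to_text):
    """Run the check over {home_dir: bashrc_contents} and return only users with findings."""
    return {home: f for home, text in homes_to_text.items() if (f := suspicious_preloads(home, text))}


def load_bashrcs(root="/home"):
    """Read every <root>/*/.bashrc that exists; used for a real run, not by the sample."""
    result = {}
    for home in glob.glob(os.path.join(root, "*")):
        rc = os.path.join(home, ".bashrc")
        if os.path.isfile(rc):
            with open(rc, encoding="utf-8", errors="replace") as fh:
                result[home] = fh.read()
    return result


if __name__ == "__main__":
    for home, findings in scan_homes(SAMPLE_HOMES).items():
        for f in findings:
            print(f"{home}/.bashrc:{f['line']}: {f['path']} ({'; '.join(f['reasons'])})")
```

Because the rootkit hooks the shell environment rather than the dynamic loader's system-wide configuration, inspecting the file contents from a separate, trusted shell (or offline from a disk image) avoids having the check itself run under the preloaded library.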
