Pierluigi Paganini
July 20, 2023
Palo Alto Networks Unit 42 researchers have discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms.
The worm is written in the Rust programming language, it targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).
This CVE-2022-0543 vulnerability has been used in previous attacks aimed at Redis servers carried out tby by the Muhstik and Redigo botnets.
The malware exploits CVE-2022-0543 for initial access, then drops an initial payload that establishes P2P communication to the P2P network.
The researchers identified over 307,000 unique public Redis systems over the last two weeks, of which 934 may be vulnerable to this worm.
At this time it is still unclear the goal of the threat actors behind the botnet. Experts discovered some instances of the word “miner” within the malicious toolkit of P2PInfect. However, Unit 42 did not find any definitive evidence that the botnet was involved in cryptomining operations.
Once the worm has connected to the P2P network, it downloads additional malicious payloads. Threat actors will use the infected instance to provide access to the other payloads to future compromised Redis servers
“Unit 42 discovered the first known instance of P2PInfect on July 11, 2023, using our HoneyCloud environment, which is a set of honeypots that we use to identify and study novel cloud-based attacks across public cloud environments.” reads the report published by Palo Alto Networks Unit 42. “The P2PInfect worm uses a P2P network to support and facilitate the transmission of malicious binaries.”
The malware uses a PowerShell script to establish and maintain communication with the P2P network. The PowerShell script uses the following encode command to obfuscate the communication initiation:
“The P2PInfect worm appears to be well designed with several modern development choices. Key among these is the use of the Rust language, which provides resilient capabilities and the flexibility to allow the worm to rapidly spread across multiple operating systems.” concludes the experts. “The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape. At the same time, we believe it was purpose-built to compromise and support as many Redis vulnerable instances as possible across multiple platforms.”
Organizations are recommended to monitor all Redis applications, both on-premises and within cloud environments, to ensure they do not contain random filenames within the /tmp directory.
I contacted Redis to receive for a comment on this campaign, below is their reply:
“As the world’s most popular in-memory database, it’s no surprise that Redis installations are frequently the target of threat actors, and we are glad to see cybersecurity researchers actively working to find these bad actors. We’ve previously seen other malware created to take advantage of CVE-2022-0543, a vulnerability created by how certain versions of Debian Linux package the Lua engine for open source Redis. Redis Enterprise software bundles a hardened version of the Lua module which is not susceptible to this vulnerability. As such, customers running Redis Enterprise licensed software are not at risk from CVE-2022-0543 and P2PInfect. Users of open source Redis are encouraged to use official distributions available directly from redis.io”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, P2PInfect)
