Experts discovered a previously undocumented initial access vector used by P2PInfect worm

Cado Security observed a new variant of the P2PInfect worm that targets Redis servers through a previously undocumented initial access vector.

In July, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms. 

The worm is written in the Rust programming language and targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).

The CVE-2022-0543 vulnerability has been used in previous attacks aimed at Redis servers carried out by the Muhstik and Redigo botnets.

The malware exploits CVE-2022-0543 for initial access, then drops an initial payload that connects the compromised host to the P2P network.

The researchers identified over 307,000 unique public Redis systems over the last two weeks, of which 934 may be vulnerable to this worm.

At this time, the goal of the threat actors behind the botnet remains unclear.

Now Cado Security researchers reported the discovery of a new variant of the P2PInfect worm targeting Redis servers with a previously undocumented initial access vector.

This variant exploits the replication feature to compromise exposed instances of the Redis data store. Replication allows Redis instances to run in a distributed architecture, aka a leader/follower topology: a follower node acts as an exact replica of the leader, and this feature provides high availability and failover for the data store.

“A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command. Once replication is complete, the attacker can load a malicious module (a Linux shared object file) which extends the functionality of Redis itself.” reads the analysis published by Cado Security.
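The attack pattern quoted above depends on a handful of server settings: an instance reachable from untrusted networks, no authentication, and the SLAVEOF/REPLICAOF and MODULE commands still callable. The following Python script is an added example (not code from Cado Security or the Redis project) that audits a redis.conf file for those settings and checks captured `INFO replication` output for a node that has been turned into a replica of an unexpected master. The two configuration samples and the INFO output are constructed for illustration; the `allowed_masters` allow-list, the `SENSITIVE_COMMANDS` tuple and the finding texts are this example's own choices.

```python
"""Audit Redis settings that enable the SLAVEOF + malicious-module abuse path.

Added example with constructed samples; not the original article's code.
"""

# Commands the replication/module abuse path relies on. Each is removed with
# `rename-command <CMD> ""`. Assumption: the deployment does not need them
# from ordinary clients (replication is configured in the file, not at runtime).
SENSITIVE_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "DEBUG")

# bind tokens that expose the listener on every interface
WILDCARD_BINDS = {"0.0.0.0", "::", "*", "-::*", "-0.0.0.0"}


def parse_redis_conf(text):
    """Parse redis.conf text into {directive: [value, ...]}.

    Directive names are lower-cased; a directive that repeats (rename-command,
    loadmodule) keeps every value in order. Trailing '#' comments are stripped,
    so a requirepass value containing '#' would be truncated by this parser.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def disabled_commands(conf):
    """Return the set of command names renamed to the empty string (removed)."""
    disabled = set()
    for value in conf.get("rename-command", []):
        parts = value.split()
        if len(parts) == 2 and parts[1] in ('""', "''"):
            disabled.add(parts[0].upper())
    return disabled


def audit_redis_conf(text, allowed_masters=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings = []

    binds = conf.get("bind", [])
    if not binds:
        findings.append("bind unset: Redis listens on all interfaces")
    elif any(tok in WILDCARD_BINDS for b in binds for tok in b.split()):
        findings.append("bind wildcard: Redis listens on all interfaces")

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: remote unauthenticated clients accepted")

    if not conf.get("requirepass") and not conf.get("user"):
        findings.append("no requirepass or ACL users: any client that connects has full access")

    removed = disabled_commands(conf)
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in removed:
            findings.append(f'{cmd} reachable: add rename-command {cmd} ""')

    # A replicaof/slaveof directive pointing outside the allow-list is suspicious.
    for directive in ("replicaof", "slaveof"):
        for value in conf.get(directive, []):
            master = value.split()[0] if value.split() else value
            if master not in allowed_masters:
                findings.append(f"{directive} {value}: replicates from an unexpected master")

    # Modules extend the server with native code; every loadmodule line deserves review.
    for path in conf.get("loadmodule", []):
        findings.append(f"loadmodule {path}: verify this module is expected")

    return findings


def audit_info_replication(info_text, allowed_masters=()):
    """Check captured `INFO replication` output from a running instance.

    A node reporting role:slave with a master outside allowed_masters has had
    replication enabled toward a host the operator did not configure.
    """
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            fields[key] = value
    if fields.get("role") == "slave" and fields.get("master_host") not in allowed_masters:
        host, port = fields.get("master_host"), fields.get("master_port")
        return [f"role:slave replicating from {host}:{port} (not in allow-list)"]
    return []


# Constructed sample: exposed, unauthenticated, replication/module commands open.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: private interface, authenticated, sensitive commands removed.
HARDENED_CONF = """
bind 10.0.0.5
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Constructed `INFO replication` output from a node that now follows 192.0.2.10.
INFO_SAMPLE = (
    "# Replication\r\nrole:slave\r\nmaster_host:192.0.2.10\r\n"
    "master_port:6379\r\nmaster_link_status:up\r\n"
)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] {len(audit_redis_conf(conf))} finding(s)")
        for finding in audit_redis_conf(conf):
            print("  -", finding)
    for finding in audit_info_replication(INFO_SAMPLE):
        print("[live]", finding)
```

Running the script lists eight findings for the weak sample and none for the hardened one, and flags the live node as replicating from a master that is not on the allow-list. The file audit catches the standing conditions; the INFO check is the one to schedule, because a SLAVEOF issued at runtime changes nothing on disk.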

The researchers also observed P2Pinfect attempting to compromise the Redis host via the Cron unauthenticated RCE mechanism.

Once a server is compromised, the attackers deliver the next-stage payloads that allow the malware to carry out malicious activities, such as modifying iptables firewall rules.

P2Pinfect exhibits worming behavior: the binary reads the bash_history, SSH config, and known_hosts files to gather a list of users, IPs, and SSH keys, then uses this information to attempt to infect other instances.

The bot will randomly choose a /16 network prefix to conduct scans for potentially exposed SSH and Redis servers. It will also use a list of passwords to carry out brute force attacks on any servers it encounters.

“The sample encountered by Cado researchers had similar functionality as the Windows variant analysed by Unit42. Despite this, the initial access method differed and Cado researchers did not find any evidence to suggest the malware specifically targeted cloud environments. From the information gleaned during analysis, P2Pinfect would likely run on most Linux hosts regardless of whether they were cloud-hosted or on-premise.” concludes Cado Security Labs. “Cado Security Labs concur with Unit42 findings on the subject of the miner payload.”

The report includes Indicators of Compromise (IoCs) and Yara rules for binary detection.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
