Experts warn of a 600X increase in P2Pinfect traffic

The experts warn of a surge in P2PInfect botnet activity since late August 2023, they are witnessing a 600x jump between September 12 and 19, 2023.

In July 2023, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms. 

The worm is written in the Rust programming language, it targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).

Cado Security Labs researchers reported to have witnessed a 600x increase in P2Pinfect traffic since August 28th. According to the researchers, traffic experienced a 12.3% surge during the week leading up to the publication of their analysis.

P2Pinfect infections have been reported in China, the United States, Germany, the United Kingdom, Singapore, Hong Kong and Japan.

Experts linked the surge in botnet traffic with the growing number of variants detected in the wild, a circumstance that suggests that the authors are actively improving their bot.

“P2Pinfect activity has increased rapidly with 3,619 events observed during the week of the 12th – 19th of September alone – an increase of 60216.7%!” reads the analysis published by Cado Security Labs. “This increase in P2Pinfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware’s developers are operating at an extremely high development cadence. In just one week prior to this blog’s publication, Cado researchers identified a 12.3% increase in P2Pinfect activity.”

Below is the attack chain observed by the researchers:

• Malicious node (designated as Initial Access (IA) Sender by Cado researchers) connects to the target and issues the Redis SLAVEOF command to enable replication.
• The attacker delivers a malicious Redis module to the target, allowing arbitrary shell commands to be run.
• The module is used to execute a command to retrieve the primary payload from a designated downloader node (referred to as IA Downloader), before writing it to /tmp and executing it with the encoded list of botnet peers. The researchers pointed out that this command differs slightly from the one observed in Cado’s original analysis.
• The attacker executes another shell command to remove the Redis module from disk and disables replication via the SLAVEOF NO ONE Redis command.

While the original P2Pinfect bot doesn’t support a persistence mechanism, recent samples of P2Pinfect rely on a cron job to launch the malware every 30 minutes.

Recent samples also support another persistence technique that uses the bash payload to keepalive the main payload. 

Recent P2Pinfect samples overwrite existing SSH authorized_keys files with an attacker-controlled SSH key.

The main payload also iterates through all users on the system and attempts to change their user passwords. The malware changes the passwords to a string prefixed by Pa_ and followed by 7 alphanumeric characters (e.g. Pa_13HKlak). The experts noticed that a new password is generated for each build. The malware uses the Linux chpasswd utility to change the passwords likely because the developer expects to obtain root in the target environment.

Despite the growing sophistication of the malware, P2PInfect’s exact goals are unclear. Cado Security said it observed the malware attempting to fetch a crypto miner payload, but there is no evidence of cryptomining to date.

“It’s clear that P2Pinfect’s developers are committed to maintaining and iterating on the functionality of their malicious payloads, while simultaneously scaling the botnet across continents and cloud providers at a rapid rate. Despite this, the primary objective of this malware remains unclear. Recent variants still attempt to retrieve the miner payload described in Cado’s original analysis, yet no evidence of cryptomining has been detected to date.” concludes the report that includes Indicators of Compromise (IoCs). “The miner payload itself hadn’t been updated since the original discovery in late July, yet the botnet agent received multiple updates in this time. It is expected that those behind the botnet are either waiting to implement additional functionality in the miner payload, or are intending to sell access to the botnet to other individuals or groups.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)