Malware

Experts warn of a 600X increase in P2Pinfect traffic

The experts warn of a surge in P2PInfect botnet activity since late August 2023, they are witnessing a 600x jump between September 12 and 19, 2023.

In July 2023, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms. 

The worm is written in the Rust programming language, it targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).

Cado Security Labs researchers reported to have witnessed a 600x increase in P2Pinfect traffic since August 28th. According to the researchers, traffic experienced a 12.3% surge during the week leading up to the publication of their analysis.

P2Pinfect infections have been reported in China, the United States, Germany, the United Kingdom, Singapore, Hong Kong and Japan.

Experts linked the surge in botnet traffic with the growing number of variants detected in the wild, a circumstance that suggests that the authors are actively improving their bot.

“P2Pinfect activity has increased rapidly with 3,619 events observed during the week of the 12th – 19th of September alone – an increase of 60216.7%!” reads the analysis published by Cado Security Labs. “This increase in P2Pinfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware’s developers are operating at an extremely high development cadence. In just one week prior to this blog’s publication, Cado researchers identified a 12.3% increase in P2Pinfect activity.”

Below is the attack chain observed by the researchers:

  • Malicious node (designated as Initial Access (IA) Sender by Cado researchers) connects to the target and issues the Redis SLAVEOF command to enable replication.
  • The attacker delivers a malicious Redis module to the target, allowing arbitrary shell commands to be run.
  • The module is used to execute a command to retrieve the primary payload from a designated downloader node (referred to as IA Downloader), before writing it to /tmp and executing it with the encoded list of botnet peers. The researchers pointed out that this command differs slightly from the one observed in Cado’s original analysis.
  • The attacker executes another shell command to remove the Redis module from disk and disables replication via the SLAVEOF NO ONE Redis command.

While the original P2Pinfect bot doesn’t support a persistence mechanism, recent samples of P2Pinfect rely on a cron job to launch the malware every 30 minutes.

Recent samples also support another persistence technique that uses the bash payload to keepalive the main payload. 

Recent P2Pinfect samples overwrite existing SSH authorized_keys files with an attacker-controlled SSH key.

The main payload also iterates through all users on the system and attempts to change their user passwords. The malware changes the passwords to a string prefixed by Pa_ and followed by 7 alphanumeric characters (e.g. Pa_13HKlak). The experts noticed that a new password is generated for each build. The malware uses the Linux chpasswd utility to change the passwords likely because the developer expects to obtain root in the target environment.

Despite the growing sophistication of the malware, P2PInfect’s exact goals are unclear. Cado Security said it observed the malware attempting to fetch a crypto miner payload, but there is no evidence of cryptomining to date.

“It’s clear that P2Pinfect’s developers are committed to maintaining and iterating on the functionality of their malicious payloads, while simultaneously scaling the botnet across continents and cloud providers at a rapid rate. Despite this, the primary objective of this malware remains unclear. Recent variants still attempt to retrieve the miner payload described in Cado’s original analysis, yet no evidence of cryptomining has been detected to date.” concludes the report that includes Indicators of Compromise (IoCs). “The miner payload itself hadn’t been updated since the original discovery in late July, yet the botnet agent received multiple updates in this time. It is expected that those behind the botnet are either waiting to implement additional functionality in the miner payload, or are intending to sell access to the botnet to other individuals or groups.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti CSA and Fortinet bugs to its…

3 hours ago

Mozilla issued an urgent Firefox update to fix an actively exploited flaw

Mozilla released an urgent Firefox update to fix a critical use-after-free vulnerability actively exploited in…

7 hours ago

Palo Alto fixed critical flaws in PAN-OS firewalls that allow for full compromise of the devices

Palo Alto fixed critical flaws in PAN-OS firewalls, warning that attackers could chain these vulnerabilities…

9 hours ago

Cybercriminals Are Targeting AI Conversational Platforms

Resecurity reports a rise in attacks on AI Conversational platforms, targeting chatbots that use NLP…

21 hours ago

Awaken Likho APT group targets Russian government with a new implant

A threat actor tracked as Awaken Likho is targeting Russian government agencies and industrial entities,…

1 day ago

U.S. CISA adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows and Qualcomm bugs to its Known…

1 day ago

This website uses cookies.