New P2Pinfect version delivers miners and ransomware on Redis servers

Pierluigi Paganini June 27, 2024

Researchers warn that the P2Pinfect worm is targeting Redis servers with ransomware and cryptocurrency mining payloads.

Cado Security researchers warned that the P2Pinfect worm is employed in attacks against Redis servers, aimed at deploying both ransomware and cryptocurrency mining payloads.

In July 2023, Palo Alto Networks Unit 42 researchers first discovered the P2P worm P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms. 

In December 2023, Cado Security Labs discovered a new variant of the P2Pinfect botnet that targeted routers, IoT devices, and other embedded devices. This variant has been compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture.

The new bot supports updated evasion mechanisms, can avoid execution in a Virtual Machine (VM) and a debugger and supports anti-forensics on Linux hosts.

The worm is written in the Rust programming language. It targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).

In September 2023, Cado Security Labs reported that it had witnessed a 600x increase in P2Pinfect traffic since August 28th.

Researchers pointed out that the malware ultimately did not seem to have any objective other than to spread. A new update to P2Pinfect, however, has introduced a ransomware payload and a crypto miner payload.

The most recent campaign began on June 23, based on the TLS certificate used for C2 communications.

The malware spreads by exploiting Redis’s replication features, where nodes in a distributed cluster follow a leader/follower topology. Attackers abused this feature by making follower nodes load arbitrary modules, enabling code execution on these nodes. P2Pinfect uses the SLAVEOF command to turn open Redis nodes into followers of a server under the control of its operators. It then writes a shared object (.so) file to the follower and instructs it to load the file, allowing the attacker to send and execute arbitrary commands on the follower nodes.

P2Pinfect was also spotted relying on another initial access vector against Redis servers: abusing the CONFIG command to write a cron job into the cron directory.
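Both initial access vectors described above depend on an exposed Redis instance that still accepts SLAVEOF/REPLICAOF, MODULE LOAD and CONFIG from unauthenticated clients. The following added example (not code from Cado or the article) audits a redis.conf for that exposure, comparing a constructed weak configuration against a hardened one; the sample configs and the audit function are assumptions for illustration.

```python
import re

# Commands the article says P2Pinfect abuses: SLAVEOF/REPLICAOF + MODULE LOAD for the
# replication trick, CONFIG for the cron-job write. rename-command "" disables each.
ABUSED_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG")

# Constructed sample configs, not taken from any real deployment.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""

def parse_conf(text):
    """Return (settings, disabled_commands) parsed from redis.conf text."""
    settings, disabled = {}, set()
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "rename-command":
            m = re.match(r'(\S+)\s+""\s*$', value)  # empty new name disables the command
            if m:
                disabled.add(m.group(1).upper())
        else:
            settings[key.lower()] = value.strip()
    return settings, disabled

def audit(text):
    """Return findings matching the exposure P2Pinfect relies on; [] means none found."""
    settings, disabled = parse_conf(text)
    findings = []
    bind = settings.get("bind", "").split()  # no bind line means listen on every interface
    if not bind or any(tok.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for tok in bind):
        findings.append("bound to all interfaces")
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode disabled")
    if "requirepass" not in settings:
        findings.append("no requirepass set")
    findings += [f"{cmd} not disabled" for cmd in ABUSED_COMMANDS if cmd not in disabled]
    return findings
```

On Redis 6 and later, ACL rules can restrict the same commands per user; rename-command is still honoured and is the simplest way to remove them outright.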

“P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated.” reads the report published by Cado. “Upon launch it drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.”

The main binary of the worm appears to have been rewritten: it now uses the Tokio async framework for Rust and is packed with UPX. The malware internals have been deeply reworked, and the experts noticed that the binary was stripped and partially obfuscated to hinder static analysis. Previously, P2Pinfect maintained persistence by adding itself to .bash_logout and using a cron job, but it no longer employs these methods. Other behaviors, such as the initial setup, remain unchanged.

In the recent campaign, the main binary dropped the miner binary to a mktmp file (mktmp creates a file in /tmp with some random characters as the name) and executed it. The miner binary features a built-in configuration, with the Monero wallet and pool preconfigured. The miner is only activated after approximately five minutes have elapsed since the main payload was started.

To date, the miner has made approximately £9,660.

The new P2Pinfect version also receives a command instructing it to download and run the rsagen binary, which is a new ransomware payload.

“The ransomware stores a database of the files it encrypted in a mktmp file with .lockedfiles appended.” continues the report.

“As the ransomware runs with the privilege level of its parent, it is likely that it will be running as the Redis user in the wild since the main initial access vector is Redis. In a typical deployment, this user has limited permissions and will only be able to access files saved by Redis. It also should not have sudo privileges, so would not be able to use it for privilege escalation. Redis by default doesn’t save any data to disk and is typically used for in-memory only caching or key value store, so it’s unclear what exactly the ransomware could ransom other than its config files. Redis can be configured to save data to files – but the extension for this is typically rdb, which is not included in the list of extensions that P2Pinfect will ransom.”

The experts explained that it’s unclear why the ransomware was designed in this way.

P2Pinfect also includes a user-mode rootkit that modifies the .bashrc files in user home directories by appending export LD_PRELOAD=/home/<user>/.lib/libs.so.1. This causes the libs.so.1 file to be preloaded whenever a dynamically linked executable, like ls or cat, is run from that user's shell.

“Like the ransomware, the usermode rootkit suffers from a fatal flaw; if the initial access is Redis, it is likely that it will only affect the Redis user as the Redis user is only used to run the Redis server and won’t have access to other users’ home directories.” continues the report.
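The persistence and payload artifacts the article describes (the LD_PRELOAD line appended to .bashrc, the library under ~/.lib, the SSH key dropped into authorized_keys, the cron job written through Redis CONFIG, and the ransomware's .lockedfiles database) are all plain files, so a host triage pass can look for them directly. The following added example (not code from Cado or the article) does that over a filesystem root; the fixture it builds is a constructed sample with placeholder values, not real indicators.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: the LD_PRELOAD line appended to .bashrc,
# the preloaded library under ~/.lib, an SSH key dropped into authorized_keys,
# a cron job written via the Redis CONFIG command, and the ransomware's
# "<tmpfile>.lockedfiles" database. Paths are relative to a root so the same
# scan can run against / on a live host or against the fixture below.
PRELOAD_RE = re.compile(r"^\s*export\s+LD_PRELOAD=.*/\.lib/libs\.so\.1\s*$", re.M)
CRON_TMP_RE = re.compile(r"\s(/tmp|/var/tmp|/dev/shm)/\S+")

def scan(root):
    """Return a list of human-readable findings for the host rooted at `root`."""
    root, findings = Path(root), []
    for rc in root.glob("home/*/.bashrc"):
        user = rc.parent.name
        if PRELOAD_RE.search(rc.read_text(errors="ignore")):
            findings.append(f"LD_PRELOAD hook in {user}'s .bashrc")
        if (rc.parent / ".lib" / "libs.so.1").exists():
            findings.append(f"preload library present for {user}")
    for ak in root.glob("home/*/.ssh/authorized_keys"):
        keys = [l for l in ak.read_text(errors="ignore").splitlines() if l.strip()]
        if keys:  # a service account such as redis normally has no authorized keys
            findings.append(f"{len(keys)} authorized SSH key(s) for {ak.parent.parent.name}")
    for cron in root.glob("etc/cron.d/*"):
        if CRON_TMP_RE.search(cron.read_text(errors="ignore")):
            findings.append(f"cron job {cron.name} executes from a temp dir")
    for db in root.glob("tmp/*.lockedfiles"):
        findings.append(f"ransomware file database {db.name}")
    return findings

def build_fixture():
    """Constructed sample host layout (placeholder values, not real IoCs)."""
    root = Path(tempfile.mkdtemp())
    home = root / "home" / "redis"
    (home / ".lib").mkdir(parents=True)
    (home / ".ssh").mkdir()
    (home / ".lib" / "libs.so.1").write_bytes(b"\x7fELF placeholder")
    (home / ".ssh" / "authorized_keys").write_text("ssh-ed25519 AAAA...placeholder\n")
    (home / ".bashrc").write_text("alias ll='ls -l'\nexport LD_PRELOAD=/home/redis/.lib/libs.so.1\n")
    (root / "etc" / "cron.d").mkdir(parents=True)
    (root / "etc" / "cron.d" / "backup").write_text("* * * * * root /tmp/tmp.Xq1 >/dev/null\n")
    (root / "tmp").mkdir()
    (root / "tmp" / "tmp.A9z.lockedfiles").write_text("/var/lib/redis/dump.rdb\n")
    return root

if __name__ == "__main__":
    for finding in scan(build_fixture()):
        print(finding)
```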

The researchers believe P2Pinfect might be a botnet for hire that allows its customers to deploy their payloads.

Pierluigi Paganini
