The Rust-based P2PInfect malware botnet has recently resurfaced with a combination of ransomware and cryptomining payloads that target misconfigured Redis servers.
This development illustrates the evolution of the threat, transitioning from a seemingly inactive botnet with unclear goals to one that is financially driven.
A recent report from Cado Security documented the shift, indicating that the malware author has been intensifying efforts to monetize illicit access and to expand the network's reach by adding new components such as crypto miners, ransomware payloads, and rootkits.
Discovered nearly a year ago, P2PInfect has received updates to focus on MIPS and ARM architectures. Nozomi Networks uncovered its deployment for mining operations earlier this January.
Propagation typically occurs by exploiting exposed Redis servers and abusing their replication feature to turn targeted instances into follower nodes of servers controlled by the attackers, which allows them to execute arbitrary commands on those hosts.
The Rust-based worm can also scan the internet for susceptible servers, and it includes an SSH password spraying module that attempts logins with commonly used passwords.
In addition to fortifying the defenses of its server against other potential attackers, P2PInfect is known for resetting user passwords, restarting SSH services with elevated privileges, and executing privilege escalation procedures.
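A defender-side check for the two conditions described above, written as an added example rather than code from Cado Security or the P2PInfect operators: it audits a redis.conf for the settings that let an unauthenticated remote client issue replication and configuration commands, and inspects `INFO replication` output for a node that has unexpectedly become a replica of an unknown master. The config text, the INFO output and the address 203.0.113.77 are constructed sample data.

```python
"""Audit a Redis node for the exposure and replication-takeover symptom
discussed above. Sample inputs below are constructed for the demonstration."""
import re

# Constructed sample redis.conf: listener on all interfaces, no password
SAMPLE_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass s3cret
"""

# Constructed sample `redis-cli INFO replication` output from a node that has
# been turned into a replica of a master the operator never configured
SAMPLE_INFO = """# Replication
role:slave
master_host:203.0.113.77
master_port:6379
master_link_status:up
"""

def audit_conf(conf_text):
    """Return findings for settings that let any client reaching the port
    run SLAVEOF/REPLICAOF, CONFIG and similar administrative commands."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # skip blanks and comments
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    findings = []
    if "requirepass" not in settings:
        findings.append("no requirepass: any client that can reach the port is trusted")
    if any(b in ("0.0.0.0", "*", "::") for v in settings.get("bind", []) for b in v.split()):
        findings.append("bind exposes the listener on all interfaces")
    if settings.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode disabled: unauthenticated remote access allowed")
    if "rename-command" not in settings:
        findings.append("administrative commands (SLAVEOF/REPLICAOF, CONFIG) not renamed or disabled")
    return findings

def check_replication(info_text, allowed_masters=()):
    """Flag a node reporting itself as a replica of a master not on the allowlist."""
    fields = dict(re.findall(r"^([a-z_]+):(.*)$", info_text, re.M))
    if fields.get("role") != "slave":
        return None                        # a master or standalone node is fine
    master = fields.get("master_host", "")
    if master in allowed_masters:
        return None                        # legitimate, operator-configured replication
    return f"node is replicating from unexpected master {master}:{fields.get('master_port')}"

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print("[conf]", finding)
    print("[repl]", check_replication(SAMPLE_INFO, allowed_masters=("10.0.0.5",)))
```

On a live host, feed the real config file and the output of `redis-cli INFO replication` to the two functions; a non-empty finding list or an unexpected master is worth an incident ticket.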
Security researcher Nate Bill described P2PInfect as a peer-to-peer botnet wherein each infected machine acts as a node in the network, maintaining connections with multiple other nodes. This setup facilitates the distribution of updated binaries throughout the network via a gossip mechanism, initiated by notifying a single peer which then disseminates the update to all connected peers in a cascading manner.
Recent enhancements in P2PInfect’s tactics include its utilization for distributing miner and ransomware payloads. The ransomware component encrypts specific file types and prompts victims to pay about 1 XMR (~$165) to regain access to their data.
Bill highlighted that, due to the untargeted and widespread nature of these attacks, the victims are likely low-value targets, hence the relatively low ransom amount. Moreover, a new usermode rootkit has been incorporated, leveraging the LD_PRELOAD environment variable to conceal malicious processes and files from security tools, a tactic similar to that of other cybercriminal groups like TeamTNT.
There are suspicions that P2PInfect is being promoted as a botnet-for-hire service, functioning as a conduit for deploying other attackers’ payloads in exchange for monetary compensation, evidenced by distinct wallet addresses for the miner and ransomware operations. The miner process is deliberately configured to consume maximum processing power, potentially causing disruptions to the ransomware operations.
Bill further noted that choosing a ransomware payload for a malware strain that primarily targets servers holding temporary, in-memory data is a peculiar decision, suggesting that P2PInfect is likely to earn more from its mining activity, given that the files it can reach at its permission level are of low value.
“The usermode rootkit, in theory, appears to be a beneficial addition to the malware. However, its effectiveness may be curtailed if the initial breach occurs via Redis since the rootkit can only add the preload for the Redis service account, which other users are unlikely to utilize,” Bill added.

The disclosure aligns with findings from AhnLab Security Intelligence Center (ASEC) indicating that web servers with unpatched vulnerabilities or weak security configurations are being attacked by suspected Chinese-speaking threat actors to deploy crypto miners.
ASEC pointed out that the threat actors establish remote control using web shells and NetCat, and install proxy tools to obtain RDP access for possible data exfiltration. ASEC also highlighted the use of various malicious tools, including Behinder, China Chopper, Godzilla, BadPotato, cpolar, and RingQ.
Fortinet FortiGuard Labs emphasized that botnets such as UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and computing services to distribute malware payloads and updates to a broad range of devices.
Security researchers Cara Lin and Vincent Li noted that employing cloud infrastructure for command-and-control purposes ensures sustained communication with compromised devices, complicating defense efforts to thwart these attacks.