P2Pinfect Botnet Now Targets Servers with Ransomware, Cryptominer


In a recent alarming chain of events, P2Pinfect, a Rust-based malware, has evolved from a dormant threat into a dangerous adversary by incorporating ransomware and cryptomining capabilities.

This transformation has been tracked and documented by Cado Security, highlighting the escalating threat the malware poses to Redis servers worldwide.

From Dormancy to Danger

Initially discovered in July 2023, P2Pinfect primarily spread via Redis replication features and a basic SSH password sprayer. Despite its widespread presence, it remained mostly dormant, showing no clear malicious intent. This all changed in December 2023 when a new variant was found targeting 32-bit MIPS processors in routers and IoT devices, signalling a shift in the malware’s operational strategy.
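Because the initial spread vector is Redis replication, the first defensive check is whether an exposed Redis instance will accept replication and configuration commands from unauthenticated clients. The following audit script is an added example for this article (not code from Cado Security or from the malware analysis); the directive names are standard Redis configuration keys, and the two sample configs are constructed.

```python
# Added audit script: flag redis.conf settings that leave the replication path
# open to an unauthenticated client. Commands commonly renamed/disabled on exposed
# instances; SLAVEOF and REPLICAOF are the replication commands the spread relies on.
RISKY_COMMANDS = ("SLAVEOF", "REPLICAOF", "CONFIG", "MODULE")

# Constructed sample configs, not taken from any real host.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command MODULE ""
"""


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Map each directive (lower-cased) to its argument strings; skip comments."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text: str) -> list[str]:
    """Return findings for one redis.conf; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings: list[str] = []
    # protected-mode defaults to yes when the directive is absent.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is disabled")
    if not any(conf.get("requirepass", [])):
        findings.append("no requirepass: unauthenticated clients are accepted")
    binds = [b.split()[0] if b.split() else "" for b in conf.get("bind", [])]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind exposes Redis on all interfaces")
    renamed = {a.split()[0].upper() for a in conf.get("rename-command", []) if a.strip()}
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} command is not renamed or disabled")
    return findings
```

Running `audit_redis_conf(WEAK_CONF)` returns seven findings, while the hardened sample returns none; on a real host, feed it the contents of the live `redis.conf` and treat any finding on an internet-reachable instance as urgent.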

Recent Developments

Starting in mid-May 2024, as per Cado Security’s blog post, P2Pinfect began deploying a ransomware payload alongside an active cryptominer. Upon infection, the ransomware encrypts files with specific extensions related to databases, documents, and media, appending a ‘.encrypted’ extension to these files. The malware also avoids re-encrypting systems by checking for an existing ransom note.

The cryptominer, previously dormant, has now been activated, utilising all available processing power to mine Monero (XMR). This dual attack strategy not only disrupts system operations but also aims to generate financial gains for the attackers. Cado Security’s analysis revealed that the cryptominer had already amassed around $10,000.

The Botnet Mechanism

A key feature of P2Pinfect is its peer-to-peer botnet structure. Each infected machine acts as a node within a large mesh network, facilitating the rapid dissemination of updates and commands across the entire botnet. This resilient and stealthy network architecture allows the malware to evade detection and maintain a strong foothold within compromised systems.

Expert Insights

Patrick Tiquet, Vice President of Security & Architecture at Keeper Security, emphasised the sophistication of P2Pinfect’s development. “The development of P2Pinfect is a typical example of how sophisticated malware develops, often focusing on spreading and establishing a solid foothold within networks during the initial phase, using techniques like exploiting software vulnerabilities or employing password spraying.”

Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, highlighted the importance of monitoring evolving malware tactics. “It’s essential that cyber threat intelligence (CTI) teams monitor and manage evolving tactics, techniques and procedures (TTPs) of bad actors for attribution, as well as changes in the threatscape and indicators as to where companies should focus to best reduce risk,” said Ken.

“As adversaries focus upon resilience and stealth for survival, it’s critical organisations are able to gain visibility of threats and able to predict the unknown, with regular audits and assurances coupled with purple teaming operations to the left of boom.”
