P2Pinfect Malware Deploy Ransomware Windows Via SSH


Cybersecurity researchers have discovered a significant evolution in the previously dormant P2Pinfect malware strain. The updated version can now deploy ransomware and a cryptominer, posing a serious threat to organizations and individuals alike.

P2Pinfect, a malware strain that has been inactive for an extended period, has recently resurfaced with enhanced features.

The Cado Security team has identified that the updated version of P2Pinfect can now deliver ransomware and a cryptominer, expanding its potential for causing harm.

P2Pinfect is a worm that scans the internet for further servers to infect. It also includes an SSH password sprayer, which has had only limited success.

Upon launch, it drops an SSH key, restricts access to the Redis instance to the IPs already connected, updates the SSH configuration to enable root login, and attempts to change user passwords and escalate privileges via sudo where that is permitted.

[Figure: Redis commands used by P2Pinfect for initial access]


Sophisticated Peer-to-Peer Botnet

One of the most notable features of P2Pinfect is its sophisticated peer-to-peer (P2P) botnet. Every infected machine acts as a node in the network, maintaining connections to several other nodes.

This mesh network allows the malware author to efficiently push out updated binaries across the entire botnet using a gossip mechanism.

The evolved P2Pinfect malware employs a two-pronged attack strategy. First, it deploys ransomware, encrypting the victim’s files and demanding a ransom payment for the decryption key.

Second, it installs a cryptominer, which secretly mines cryptocurrencies using the infected system’s resources for the attackers’ financial gain.

Initial Access through Redis Exploitation

P2Pinfect primarily spreads by exploiting the replication features in Redis, a popular in-memory data structure store.

By abusing Redis’s leader/follower topology, the malware gains code execution on follower nodes and propagates itself across the network.

Additionally, P2Pinfect utilizes a limited SSH spreader to compromise higher-privilege users.
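The host-level changes described above (an unexpected replication master, root login enabled in sshd, a dropped SSH key) are all visible in configuration that a defender can audit. The following is an added example, not code from Cado Security or the article: it checks constructed samples of `redis-cli INFO replication` output, an sshd_config body and an authorized_keys file against allowlists; the host, port and key strings are placeholders, not real indicators.

```python
"""Audit Redis replication, sshd_config and authorized_keys for the changes the
article attributes to P2Pinfect. Example code with constructed input; the allowlists
(KNOWN_MASTERS, KNOWN_KEYS) are assumed to come from the operator's inventory."""

# Constructed `INFO replication` output from a follower pointed at an unknown master.
REDIS_INFO = """# Replication
role:slave
master_host:203.0.113.10
master_port:6379
master_link_status:up
"""
# Constructed sshd_config with the root-login change the article describes.
SSHD_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
# Constructed authorized_keys: one inventoried key and one that was dropped on the host.
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyExample admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUnknownKeyExample
"""
KNOWN_MASTERS = {"10.0.0.5"}                               # placeholder inventory
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyExample"}  # placeholder inventory


def audit_redis_replication(info: str, known_masters: set) -> list:
    """Flag a follower whose master is not on the allowlist (SLAVEOF/REPLICAOF abuse)."""
    fields = dict(l.split(":", 1) for l in info.splitlines() if ":" in l and not l.startswith("#"))
    if fields.get("role") == "slave" and fields.get("master_host") not in known_masters:
        return [f"redis replicates from unexpected master {fields['master_host']}:{fields.get('master_port')}"]
    return []


def audit_sshd_config(config: str) -> list:
    """Flag PermitRootLogin yes; comments and other directives are ignored."""
    for line in config.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "permitrootlogin" and value.strip().lower() == "yes":
            return ["sshd permits root login"]
    return []


def audit_authorized_keys(keys: str, known_keys: set) -> list:
    """Flag any key whose base64 body is not in the inventory of expected keys."""
    findings = []
    for line in keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in known_keys:
            findings.append(f"unknown authorized key ({parts[0]}) {parts[1][:16]}...")
    return findings


def run_audit() -> list:
    return (audit_redis_replication(REDIS_INFO, KNOWN_MASTERS)
            + audit_sshd_config(SSHD_CONFIG) + audit_authorized_keys(AUTHORIZED_KEYS, KNOWN_KEYS))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On a real host the three strings would be replaced by `redis-cli INFO replication`, `/etc/ssh/sshd_config` and each user's `authorized_keys`, with the allowlists taken from configuration management.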

The combination of ransomware and cryptomining can have severe consequences for affected organizations and individuals.

To protect against the evolved P2Pinfect malware, researchers recommend implementing a multi-layered security approach, including keeping systems updated, employing robust antivirus solutions, regularly backing up data, and educating users about cybersecurity risks.

Organizations and individuals must remain vigilant and proactive in their cybersecurity efforts as the threat landscape evolves. The re-emergence of P2Pinfect reminds us that even dormant malware can resurface with new and dangerous capabilities.

