Cybersecurity researchers have discovered a significant evolution in the previously dormant P2Pinfect malware strain. The updated version can now deploy ransomware and a cryptominer, posing a serious threat to organizations and individuals alike.
P2Pinfect, a malware strain that has been inactive for an extended period, has recently resurfaced with enhanced features.
The Cado Security team has identified that the updated version of P2Pinfect can now deliver ransomware and a cryptominer, expanding its potential for causing harm.
P2Pinfect is a worm that scans the internet to infect more servers. It includes an SSH password sprayer with limited success.
Upon launch, it drops an SSH key, restricts Redis instance access to existing IPs, updates SSH configuration to enable root login, and attempts to change user passwords and escalate privileges using sudo if permitted.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
Sophisticated Peer-to-Peer Botnet
One of the most notable features of P2Pinfect is its sophisticated peer-to-peer (P2P) botnet. Every infected machine acts as a node in the network, maintaining connections to several other nodes.
This mesh network allows the malware author to efficiently push out updated binaries across the entire botnet using a gossip mechanism.
The evolved P2Pinfect malware employs a two-pronged attack strategy. First, it deploys ransomware, encrypting the victim’s files and demanding a ransom payment for the decryption key.
Second, it installs a cryptominer, which secretly mines cryptocurrencies using the infected system’s resources for the attackers’ financial gain.
Initial Access through Redis Exploitation
P2Pinfect primarily spreads by exploiting the replication features in Redis, a popular in-memory data structure store.
By abusing Redis’s leader/follower topology, the malware gains code execution on follower nodes and propagates itself across the network.
Additionally, P2Pinfect utilizes a limited SSH spreader to compromise higher-privilege users.
The combination of ransomware and cryptomining can have severe consequences for affected organizations and individuals.
To protect against the evolved P2Pinfect malware, researchers recommend implementing a multi-layered security approach, including keeping systems updated, employing robust antivirus solutions, regularly backing up data, and educating users about cybersecurity risks.
Organizations and individuals must remain vigilant and proactive in their cybersecurity efforts as the threat landscape evolves. The re-emergence of P2Pinfect reminds us that even dormant malware can resurface with new and dangerous capabilities.
Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan
| main | 4f949750575d7970c20e009da115171d28f1c96b8b6a6e2623580fa8be1753d9 |
| bash | 2c8a37285804151fb727ee0ddc63e4aec54d9460b8b23505557467284f953e4b |
| miner | 8a29238ef597df9c34411e3524109546894b3cca67c2690f63c4fb53a433f4e3 |
| rsagen | 9b74bfec39e2fcd8dd6dda6c02e1f1f8e64c10da2e06b6e09ccbe6234a828acb |
| libs.so.1 | Dynamically generated, no consistent hash |
IPs
| Download server for rsagen | 129[.]144[.]180[.]26:60107 |
| Mining pool IP 1 | 88[.]198[.]117[.]174:19999 |
| Mining pool IP 2 | 159[.]69[.]83[.]232:19999 |
| Mining pool IP 3 | 195[.]201[.]97[.]156:19999 |