2023-08-01

The peer-to-peer worm P2PInfect has been observed using previously undocumented initial access methods to breach vulnerable Redis servers and enlist them in a botnet.

How this new worm works

“The malware compromises exposed instances of the Redis data store by exploiting the replication function,” said Cado Security researchers Nate Bill and Matt Muir in a report.

“A common attack pattern against Redis in cloud environments is to exploit this feature by using a malicious instance to enable replication. This is accomplished by connecting to an exposed Redis instance and issuing the SLAVEOF command.”

The Rust-based malware (the worm) was first documented by Palo Alto Networks Unit 42, which highlighted its ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to gain a foothold in Redis instances. The campaign is believed to have started on or after June 29, 2023.

The latest findings, however, suggest that the actors behind the campaign are exploiting multiple initial access vectors.

This is not the first time the SLAVEOF command has been abused: cybercriminals associated with malware families such as H2Miner and HeadCrab have previously used this technique to mine cryptocurrency illicitly on compromised hosts.

The goal is to replicate a malicious instance and load a malicious module (hence the worm analogy) to activate the infection.
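As an added example (not code from the report, from Cado Security or from the malware), a small Python audit that reads captured Redis state and flags the conditions the replication abuse above depends on: an unexpected master, an unauthenticated exposed listener, and a module loaded from outside an approved directory. The trusted-master allowlist, the module directory and the sample captures are constructed assumptions.

```python
# Added example: audit captured Redis state for the SLAVEOF/module abuse
# pattern described above. All allowlists and sample outputs are constructed.

TRUSTED_MASTERS = {"10.0.0.5"}                       # hypothetical: the only legitimate master
ALLOWED_MODULE_DIRS = ("/usr/lib/redis/modules/",)   # hypothetical operator policy
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_info(info_text):
    """Turn the 'key:value' lines of a Redis INFO section into a dict."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def audit_redis(info_text, config, modules):
    """Return findings for the three conditions the replication attack relies on."""
    findings = []
    info = parse_info(info_text)
    # 1. The instance replicates from a master nobody configured (SLAVEOF abuse).
    if info.get("role") == "slave" and info.get("master_host") not in TRUSTED_MASTERS:
        findings.append("untrusted master %s:%s" % (info.get("master_host"), info.get("master_port")))
    # 2. Reachable on non-loopback interfaces with neither protected-mode nor a password.
    addrs = [a.lstrip("-") for a in config.get("bind", "").split()]
    exposed = not addrs or any(a not in LOOPBACK for a in addrs)
    if exposed and config.get("protected-mode") != "yes" and not config.get("requirepass"):
        findings.append("exposed without authentication")
    # 3. A module loaded from outside the approved directory (how a replicated payload runs).
    for name, path in modules:
        if not path.startswith(ALLOWED_MODULE_DIRS):
            findings.append("module %s loaded from %s" % (name, path))
    return findings

# Constructed sample capture (INFO replication text, CONFIG GET pairs, MODULE LIST entries)
# of an instance that looks compromised.
SAMPLE_INFO = """# Replication
role:slave
master_host:203.0.113.7
master_port:6379
"""
SAMPLE_CONFIG = {"bind": "0.0.0.0", "protected-mode": "no", "requirepass": ""}
SAMPLE_MODULES = [("exp", "/tmp/exp.so")]

if __name__ == "__main__":
    for finding in audit_redis(SAMPLE_INFO, SAMPLE_CONFIG, SAMPLE_MODULES):
        print("FINDING:", finding)
```

A hardened redis.conf (loopback bind, protected-mode on, requirepass set, and SLAVEOF/REPLICAOF/MODULE disabled with rename-command) produces no findings.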

Another initial access vector is to register a malicious cron job on the Redis host that downloads malware from a remote server when it runs, a method previously seen in attacks by the cryptojacking group WatchDog.

A successful attack is followed by the delivery of next-stage payloads, which allow the malware to modify iptables firewall rules at will, to update itself, and potentially to deploy cryptocurrency miners later, once the botnet has reached a specific size.

“The P2Pinfect malware [the worm] uses a peer-to-peer botnet,” the researchers stated. “Each infected server is treated as a node, which connects to other infected servers. This allows the entire botnet to exchange information with each other without using a centralized C2 server.”

A notable feature of the botnet is its propagation behavior: it scales by brute-forcing SSH servers with a list of passwords and, in the case of Redis servers, by attempting the Lua sandbox escape vulnerability or the SLAVEOF command.

“The P2Pinfect is well designed and uses sophisticated techniques for replication and C2,” concluded the researchers. “Choosing to use Rust also allows for greater portability of code between platforms (with Windows and Linux binaries sharing much of the same code), while also making static code analysis significantly more difficult.”

Why attacks on Linux are increasingly frequent

Researchers have pointed out that this worm affects both Windows and Linux-based operating systems. As the trend of using Linux distributions for greater privacy grows, attacks on them become more frequent: it is simply a matter of large numbers.

Add to this that many think “I run Linux, so I am safe regardless,” and the damage is done; in this case the same code is shared across platforms simply as a matter of practicality on the part of the malware’s programmers.

Remember that it is not necessarily the operating system that saves you from a worm, a virus, or malware in general: the first antivirus must be you.