2024-06-27

Peer-to-peer botnet malware known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.

This development marks the threat's transition from what appeared to be a dormant botnet with unclear motives to a profit-making operation.

P2Pinfect and how it works according to researchers

“With its latest updates to the crypto miner, ransomware payload and rootkit elements, it demonstrates the malware author’s ongoing efforts to profit from their illicit access and to further expand the network as it continues to spread across the Internet,” Cado Security said in a report released this week.

P2PInfect emerged almost a year ago and has since received updates to target MIPS and ARM architectures; in early January, Nozomi Networks discovered the malware being used to deliver miner payloads.

It typically spreads by targeting exposed Redis servers and abusing their replication feature to turn the victim system into a follower node of the attacker-controlled server, which then allows the attacker to issue arbitrary commands.
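The replication takeover described above only works when Redis is reachable from the Internet, unauthenticated, and still accepts the replication and configuration commands. The following audit script is an added example (not from the article or from Cado Security's report) that checks a `redis.conf` for exactly those conditions; the directive names (`bind`, `protected-mode`, `requirepass`, `rename-command`) are real Redis settings, while the two sample configurations and the list of commands to disable are constructed for the example.

```python
"""Audit a redis.conf for the exposure that replication-based takeovers rely on.

Added example, not part of the article or of Cado Security's report. Directive
names are real Redis settings; the sample configs and the command list below
are constructed for illustration.
"""
import re

# Commands that a replication takeover needs; `rename-command X ""` disables them.
# Constructed list: extend it to match your own hardening baseline.
DANGEROUS_COMMANDS = {"REPLICAOF", "SLAVEOF", "CONFIG", "DEBUG", "MODULE"}


def parse_conf(text):
    """Return a dict of directive -> list of argument strings, in file order."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(name, []).append(args)
    return directives


def audit_redis_conf(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    conf = parse_conf(text)
    findings = []

    binds = conf.get("bind", [])
    # No bind directive at all, or a wildcard bind, means listening on every interface.
    wildcard = re.compile(r"(^|\s)(0\.0\.0\.0|\*|::)(\s|$)")
    if not binds or any(wildcard.search(b) for b in binds):
        findings.append("listens on all interfaces (no restrictive 'bind')")

    # protected-mode defaults to yes; it only helps when no password is set.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode is disabled")

    # Either a legacy requirepass or ACL 'user' lines must require authentication.
    if not conf.get("requirepass") and "user" not in conf:
        findings.append("no authentication (no requirepass / ACL users)")

    renamed = set()
    for args in conf.get("rename-command", []):
        parts = args.split()
        if parts:
            renamed.add(parts[0].upper())
    missing = sorted(DANGEROUS_COMMANDS - renamed)
    if missing:
        findings.append("commands not renamed/disabled: " + ", ".join(missing))
    return findings


# Constructed sample: the kind of exposed instance the worm looks for.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance after hardening (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_redis_conf(conf) or ["no findings"])
```

Run it against a real file with `audit_redis_conf(open("/etc/redis/redis.conf").read())`. Renaming `REPLICAOF`/`SLAVEOF` to an empty string breaks legitimate replication too, so on a replica keep the command and rely on `bind` plus authentication instead.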

The objectives that P2Pinfect targets

The Rust-based worm also scans the Internet to find more vulnerable servers, and incorporates an SSH password sprayer module that attempts to log in using common passwords.

In addition to taking measures to prevent other attackers from targeting the same server, P2PInfect is known to change other users’ passwords, restart the SSH service with root permissions, and even perform privilege escalation.
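Password spraying of the kind described above leaves a recognisable trace in `sshd` logs: one source address failing against many different usernames in a short window, rather than many failures against one account. The detector below is an added example (not from the article or Cado Security's report); the log format is standard OpenSSH syslog output, while the sample lines, the 10-minute window and the five-user threshold are constructed for the example.

```python
"""Flag SSH password-spray patterns in auth log lines.

Added example, not part of the article or Cado Security's report. Parses the
standard OpenSSH "Failed password" syslog line; sample log lines, the window
and the threshold are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_logins(lines):
    """Return (timestamp, source, username) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # Syslog stamps carry no year; strptime fills in 1900, which is fine for windowing.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return events


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {source: distinct_users} for sources that hit >= min_users accounts in one window."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failed_logins(lines):
        by_src[src].append((ts, user))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # username -> failures currently inside the sliding window
        left = 0
        best = 0
        for ts, user in events:
            in_window[user] += 1
            # Slide the left edge forward until every event fits inside the window.
            while ts - events[left][0] > window:
                old_user = events[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            best = max(best, len(in_window))
        if best >= min_users:
            alerts[src] = best
    return alerts


# Constructed sample: one spraying source, one user who mistyped a password twice.
SAMPLE_LOG = """\
Jun 27 10:01:02 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 27 10:01:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 27 10:01:05 host sshd[2003]: Failed password for invalid user redis from 203.0.113.7 port 51041 ssh2
Jun 27 10:01:20 host sshd[2010]: Failed password for alice from 198.51.100.9 port 40112 ssh2
Jun 27 10:01:31 host sshd[2004]: Failed password for invalid user ubuntu from 203.0.113.7 port 51052 ssh2
Jun 27 10:01:44 host sshd[2011]: Failed password for alice from 198.51.100.9 port 40118 ssh2
Jun 27 10:02:10 host sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 51060 ssh2
Jun 27 10:02:50 host sshd[2006]: Failed password for invalid user oracle from 203.0.113.7 port 51077 ssh2
Jun 27 10:03:00 host sshd[2012]: Accepted publickey for alice from 198.51.100.9 port 40120 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, n in detect_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {n} distinct accounts")
```

The sliding window is what separates a spray from an ordinary lockout: the legitimate user above fails twice against one account and never trips the threshold, while the spraying source reaches six distinct usernames inside two minutes.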

“As the name suggests, it is a peer-to-peer botnet, where each infected machine acts as a node in the network and maintains a connection with several other nodes,” said security researcher Nate Bill.

“This results in the formation of a huge mesh network of the botnet, which the malware author exploits to send binary updates across the network, via a gossip mechanism. The author simply needs to notify a peer, and this will inform all its peers and so on until the new binary is fully propagated through the network.”

Among P2PInfect’s new behavioral changes is the use of the malware to deliver miner and ransomware payloads, the latter designed to encrypt files with certain extensions and drop a ransom note inviting victims to pay 1 XMR (~$165).

“Since this is an untargeted and opportunistic attack, the victims are likely to be low-value, so a low price is expected,” Bill stressed.

The LD_PRELOAD rootkit in the P2PInfect code

Also of note is a new usermode rootkit that uses the LD_PRELOAD environment variable to hide the malware's processes and files from security tools, a technique also adopted by other cryptojacking groups such as TeamTNT.

P2PInfect is suspected to be advertised as a botnet-for-hire service, acting as a conduit to distribute other attackers’ payloads in exchange for payment.

This theory is supported by the fact that the wallet addresses for the miner and the ransomware are different and that the miner process is configured to take up as much processing power as possible, causing interference with the operation of the ransomware.

“Choosing a ransomware payload for malware that primarily targets a server that stores ephemeral data in memory is strange, and P2PInfect will likely see much more profit from their miner than their ransomware due to the limited amount of low-value files it can access due to its permissions level,” Bill said.

“The introduction of the usermode rootkit is a ‘good on paper’ addition to the malware. If the initial login is Redis, the usermode rootkit will also be completely ineffective since it can only add preload for the Redis service account, with which other users are likely not to authenticate.”
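A preload rootkit hooks libc functions inside every process that loads the library, so the reliable place to look for it is what each process was started with, not the output of a shell that may itself be hooked. The scanner below is an added example (not from the article or Cado Security's report) that checks both the system-wide `/etc/ld.so.preload` and the `LD_PRELOAD` variable in every `/proc/<pid>/environ`; the per-process check matters for the case Bill describes, where the preload is only set for the Redis service account. The trusted library prefixes and the sample inputs are constructed for the example.

```python
"""Find LD_PRELOAD usermode-rootkit indicators from /etc/ld.so.preload and /proc.

Added example, not part of the article or Cado Security's report. The trusted
path prefixes and the sample inputs below are constructed for illustration.
"""
import os

# Directories from which a preloaded library is considered expected (constructed allowlist).
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_environ(blob):
    """Parse the NUL-separated KEY=VALUE blob of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_libs(paths):
    """Return the preload paths that fall outside the trusted library prefixes."""
    return [p for p in paths if p and not p.startswith(TRUSTED_PREFIXES)]


def find_preload_indicators(ld_so_preload_text, process_environs):
    """Return (source, suspicious_path) tuples.

    ld_so_preload_text: contents of /etc/ld.so.preload ("" if the file is absent)
    process_environs:   {pid: raw bytes of /proc/<pid>/environ}
    """
    findings = []
    system_wide = [
        line.strip() for line in ld_so_preload_text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]
    for path in suspicious_libs(system_wide):
        findings.append(("/etc/ld.so.preload", path))
    for pid, blob in process_environs.items():
        env = parse_environ(blob)
        # LD_PRELOAD is a colon- or space-separated list of shared objects.
        libs = env.get("LD_PRELOAD", "").replace(":", " ").split()
        for path in suspicious_libs(libs):
            findings.append((f"/proc/{pid}/environ", path))
    return findings


def collect_live(proc="/proc", preload_file="/etc/ld.so.preload"):
    """Gather the same inputs from a running Linux host (reading other users' environ needs root)."""
    try:
        with open(preload_file) as f:
            preload_text = f.read()
    except OSError:
        preload_text = ""
    environs = {}
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as f:
                environs[pid] = f.read()
        except OSError:
            continue  # process exited, or not readable by this user
    return preload_text, environs


# Constructed sample: a system-wide preload from a trusted path (not flagged), a
# redis process started with a preload library in /tmp (flagged), and a clean process.
SAMPLE_PRELOAD_FILE = "# constructed\n/usr/lib/x86_64-linux-gnu/libfoo.so\n"
SAMPLE_ENVIRONS = {
    "1234": b"PATH=/usr/bin\0HOME=/var/lib/redis\0LD_PRELOAD=/tmp/.x/libhide.so\0",
    "1300": b"PATH=/usr/bin\0USER=www-data\0",
}

if __name__ == "__main__":
    for source, path in find_preload_indicators(SAMPLE_PRELOAD_FILE, SAMPLE_ENVIRONS):
        print(f"suspicious preload: {path} (from {source})")
```

To scan a live host, call `find_preload_indicators(*collect_live())` as root. Run it from a session whose own environment has no `LD_PRELOAD` set (for instance a fresh root login rather than a shell inherited from the service account), because a scanner that has loaded the hooked library can be lied to about `/proc` like any other process.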

The P2PInfect botnet also infects clouds

The disclosure follows revelations from the AhnLab Security Intelligence Center (ASEC) that web servers with unpatched or poorly protected vulnerabilities are being targeted by suspected Chinese-speaking attackers to distribute cryptocurrency miners.

“Remote control is facilitated via installed web shells and NetCat, and given the installation of proxy tools aimed at RDP access, data exfiltration by attackers is a real possibility,” ASEC said, highlighting the use of Behinder, China Chopper, Godzilla, BadPotato, cpolar and RingQ.

This comes as Fortinet FortiGuard Labs has highlighted that botnets such as UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and computing services to deliver malware payloads and updates to a wide range of devices.

“Using cloud servers for [command-and-control] operations ensures persistent communication with compromised devices, making it harder for defenders to stop an attack,” said security researchers Cara Lin and Vincent Li.