Rust-Based P2PInfect Botnet Evolves with Miner and Ransomware Payloads

The peer-to-peer malware botnet, known as P2PInfect, has been discovered targeting misconfigured Redis servers with ransomware and cryptocurrency miners. This development signals the botnet’s evolution from a seemingly dormant threat with unclear motives to a financially driven operation. “With the latest updates to its crypto miner, ransomware payload, and rootkit elements, the malware author shows a continued effort to profit from their illicit access and expand the network as it continues to spread across the internet,” Cado Security stated in a report published this week. P2PInfect was first identified nearly a year ago and has since received updates to target MIPS and ARM architectures. In January, Nozomi Networks revealed that the malware was being used to deliver miner payloads.

It typically spreads by targeting Redis servers and exploiting their replication feature, turning victim systems into follower nodes of the attacker-controlled server, allowing the threat actor to issue arbitrary commands. The Rust-based worm also has the capability to scan the internet for more vulnerable servers and includes an SSH password sprayer module that attempts to log in using common passwords. Additionally, P2PInfect takes measures to prevent other attackers from targeting the same server. It changes user passwords, restarts the SSH service with root permissions, and performs privilege escalation.
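The replication abuse described above works only when a Redis instance is reachable without authentication and still accepts the replication commands. The following Python script is an added example written for this article, not code from Cado Security or from the P2PInfect report: it audits a `redis.conf` for the settings that make that takeover possible (`bind`, `protected-mode`, `requirepass`, and `rename-command` for `REPLICAOF`/`SLAVEOF`, all real Redis directives) and scans `redis-cli MONITOR` output for replication commands issued by clients outside a known replica topology. The configuration fragments, the MONITOR lines and the `203.0.113.7` address are constructed for illustration; `trusted_replica_sources` is an assumed parameter the operator fills from their own deployment.

```python
"""Defender-side audit for the Redis misconfigurations P2PInfect relies on.

Added example; not code from Cado Security or the P2PInfect report.
All configuration text and log lines below are constructed samples.
"""
import re

# Constructed redis.conf fragments: one exposed instance, one hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out: anyone who can reach the port can issue commands
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <placeholder-strong-password>
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command CONFIG ""
"""


def parse_conf(text: str) -> dict[str, list[str]]:
    """Parse redis.conf into directive -> list of argument strings; comments and blanks ignored."""
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return directives


def audit_conf(text: str) -> list[str]:
    """Return human-readable findings; an empty list means none of the weak settings were seen."""
    d = parse_conf(text)
    findings: list[str] = []
    binds = d.get("bind", [])
    # No bind directive at all means Redis listens on every interface.
    if not binds or any(addr in ("0.0.0.0", "*", "::") for b in binds for addr in b.split()):
        findings.append("bind: listens on all interfaces (internet-reachable unless firewalled)")
    if d.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")
    if "requirepass" not in d:
        findings.append("requirepass: not set (unauthenticated access)")
    renamed = {args.split()[0].upper() for args in d.get("rename-command", []) if args.split()}
    for cmd in ("REPLICAOF", "SLAVEOF"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still available to clients")
    return findings


# Constructed lines in the shape of `redis-cli MONITOR` output:
# <timestamp> [<db> <client-ip:port>] "<command>" "<arg>" ...
MONITOR_LINES = [
    '1718000001.000001 [0 10.0.0.5:51422] "GET" "session:abc"',
    '1718000002.000002 [0 203.0.113.7:40112] "SLAVEOF" "203.0.113.7" "6379"',
    '1718000003.000003 [0 10.0.0.5:51422] "SET" "session:abc" "ok"',
]

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] "(?P<cmd>[^"]+)"(?P<args>.*)$')


def suspicious_replication_commands(lines, trusted_replica_sources=()):
    """Flag SLAVEOF/REPLICAOF issued by any client not in the known replica topology.

    Returns (client_ip, command, args) tuples. `trusted_replica_sources` is an
    assumed parameter: the operator's own list of hosts allowed to reconfigure replication.
    """
    hits = []
    for line in lines:
        m = MONITOR_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").upper()
        client_ip = m.group("client").rsplit(":", 1)[0]
        if cmd in ("SLAVEOF", "REPLICAOF") and client_ip not in trusted_replica_sources:
            hits.append((client_ip, cmd, re.findall(r'"([^"]*)"', m.group("args"))))
    return hits


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_conf(conf) or 'no findings'}")
    print("replication takeover attempts:", suspicious_replication_commands(MONITOR_LINES))
```

Run as a script it prints five findings for the weak configuration, none for the hardened one, and one flagged `SLAVEOF` from the untrusted client. On a live host the same MONITOR parser can be pointed at a captured session, and the config audit at `/etc/redis/redis.conf` or wherever the service loads it from.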

“As its name suggests, it is a peer-to-peer botnet, where each infected machine acts as a node in the network and maintains connections to several other nodes,” security researcher Nate Bill explained. “This creates a vast mesh network that the malware author uses to push out updated binaries across the network via a gossip mechanism. The author only needs to notify one peer, which then informs all its peers until the new binary is fully propagated.”

Recent behavioral changes in P2PInfect include dropping miner and ransomware payloads. The ransomware encrypts files with certain extensions and delivers a ransom note demanding 1 XMR (~$165). “Since this is an untargeted and opportunistic attack, it’s likely that the victims are of low value, hence the low ransom price,” Bill noted. Another notable addition is a new user-mode rootkit that uses the LD_PRELOAD environment variable to hide malicious processes and files from security tools, a technique also used by other cryptojacking groups like TeamTNT. It is suspected that P2PInfect is marketed as a botnet-for-hire service, deploying other attackers’ payloads in exchange for payment.

This theory is supported by the fact that the wallet addresses for the miner and ransomware are different and that the miner process is configured to consume as much processing power as possible, interfering with the ransomware’s functionality. “The choice of ransomware for a server that stores ephemeral in-memory data is unusual. P2PInfect will likely profit more from the miner than the ransomware due to the limited number of low-value files it can access given its permission level,” Bill said. “The introduction of the user-mode rootkit is a ‘good on paper’ addition. If the initial access is Redis, the rootkit will be ineffective as it can only add the preload for the Redis service account, which other users likely will not log in as.”
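The LD_PRELOAD rootkit described above, and Bill's point that a preload added for the Redis service account only affects that account's shells, both come down to where the preload is set: `/etc/ld.so.preload` applies to every dynamically linked process, `LD_PRELOAD` in a running process's environment applies to that process, and an `export` in a user's shell rc file applies only to shells that user starts. The Python script below is an added example written for this article, not code from Cado Security or the P2PInfect report; it parses each of those three sources and reports preloaded libraries that live outside the system library directories, with the scope each one affects. The file contents, the process environment blob, the PID and the library paths are constructed; `TRUSTED_LIB_DIRS` is an assumed allow-list an operator would tune to their distribution.

```python
"""Detection of LD_PRELOAD-style user-mode rootkits on Linux, scoped by where the preload is set.

Added example; not code from Cado Security or the P2PInfect report.
The sample file contents and process environments below are constructed.
"""
import re

# Assumed allow-list: directories a legitimately preloaded shared object is expected to live in.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def preload_entries(ld_so_preload_text: str) -> list[str]:
    """Parse /etc/ld.so.preload: one library path per line, '#' comments and blanks ignored."""
    entries = []
    for raw in ld_so_preload_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def environ_preloads(environ_bytes: bytes) -> list[str]:
    """Extract LD_PRELOAD paths from a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries)."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def rc_file_preloads(rc_text: str) -> list[str]:
    """Find LD_PRELOAD assignments in a shell rc file (.bashrc, .profile, ...)."""
    found = []
    for line in rc_text.splitlines():
        m = re.match(r'\s*(?:export\s+)?LD_PRELOAD=["\']?([^"\'\s]+)', line)
        if m:
            found.extend(p for p in m.group(1).split(":") if p)
    return found


def is_untrusted(path: str) -> bool:
    """Relative paths and libraries outside the system library directories deserve a look."""
    if not path.startswith("/"):
        return True
    return not any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)


def assess(system_preload: str, per_process: dict[str, bytes], rc_files: dict[str, str]):
    """Return (scope, library) findings; the scope says which processes the preload reaches."""
    findings = []
    for lib in preload_entries(system_preload):
        if is_untrusted(lib):
            findings.append(("all dynamically linked processes (/etc/ld.so.preload)", lib))
    for pid, env in per_process.items():
        for lib in environ_preloads(env):
            if is_untrusted(lib):
                findings.append((f"pid {pid} only", lib))
    for user, text in rc_files.items():
        for lib in rc_file_preloads(text):
            if is_untrusted(lib):
                findings.append((f"shells started by user {user} only", lib))
    return findings


# Constructed samples. A benign system-wide preload under /usr/lib, one process carrying an
# LD_PRELOAD from /tmp, and a service account's .bashrc exporting a library from /dev/shm.
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/usr/lib/libgtk3-nocsd.so.0\n"
SAMPLE_PROCESSES = {
    "4242": b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libhide.so\0HOME=/var/lib/redis\0",
    "1001": b"PATH=/usr/bin\0HOME=/root\0",
}
SAMPLE_RC_FILES = {
    "redis": "# constructed sample .bashrc\nexport LD_PRELOAD=/dev/shm/lib_placeholder.so\n",
    "alice": "export PATH=$HOME/bin:$PATH\n",
}

if __name__ == "__main__":
    for scope, lib in assess(SAMPLE_LD_SO_PRELOAD, SAMPLE_PROCESSES, SAMPLE_RC_FILES):
        print(f"{lib}  ->  affects {scope}")
```

On a live host the three inputs are the contents of `/etc/ld.so.preload`, each `/proc/<pid>/environ` (readable for your own processes, or all of them as root) and the rc files under each home directory; the scope column is what tells an analyst whether a finding is a host-wide hook or, as in the Redis service-account case Bill describes, confined to one account's login shells.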

This disclosure follows AhnLab Security Intelligence Center’s (ASEC) findings that vulnerable web servers with unpatched flaws or poor security are being targeted by suspected Chinese-speaking threat actors to deploy crypto miners. “Remote control is facilitated through installed web shells and NetCat, and the installation of proxy tools aimed at RDP access suggests data exfiltration by the threat actors is a distinct possibility,” ASEC said, highlighting the use of Behinder, China Chopper, Godzilla, BadPotato, cpolar, and RingQ. Additionally, Fortinet FortiGuard Labs noted that botnets like UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and computing services to distribute malware payloads and updates to various devices.

“Using cloud servers for command-and-control operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack,” security researchers Cara Lin and Vincent Li stated.
