Cybersecurity researchers have discovered a new variant of the emerging botnet called P2PInfect that is capable of targeting routers and IoT devices.
According to Cado Security Labs, the latest version is compiled for microprocessors without Interlocked Pipeline Stage (MIPS) architecture, which broadens its capabilities and reach.
“It is highly likely that by targeting MIPS, P2PInfect developers intend to infect routers and IoT devices with malware,” security researcher Matt Muir said in a report.
P2PInfect, a Rust-based malware, first surfaced in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability for early access (CVE-2022-0543, CVSS score: 10.0) .
A subsequent analysis by the cloud security firm in September revealed an increase in P2P infection activity along with the release of iterative variants of the malware.
The new artifacts incorporate updated evasion and anti-analysis techniques to fly under the radar, in addition to an attempt to conduct SSH brute-force attacks on embedded devices with 32-bit MIPS processors.
Brute-force attempts against SSH servers identified during the scanning phase are performed using common username and password pairs present within the ELF binary.
It is suspected that both SSH and Redis servers are propagation vectors for the MIPS version, due to the fact that it is possible to run a Redis server on MIPS using an OpenWriter package known as redis-server.
One of the notable evasion methods used is a check to determine if it’s being analyzed and, if so, terminate itself, as well as an attempt to disable Linux core dumps, which are files automatically generated by the kernel after a process crashes unexpectedly.
The MIPS version also includes an embedded 64-bit Windows DLL module for Redis that allows execution of shell commands on a compromised system.
Cado said, “Not only is this an interesting development because it reflects an expansion of scope for the developers behind P2PInfect (more supported processor architectures equal more nodes in the botnet), but the MIPS32 sample contains some notable defense evasion techniques.”
“This, combined with the malware’s use of Rust (aiding cross-platform development) and the rapid growth of the botnet, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor.”
