The P2PInfect peer-to-peer (P2P) worm has been observed using previously undocumented initial access methods to infiltrate vulnerable Redis servers and tie them into a botnet.
“The malware exploits the replication feature to compromise exposed instances of the Redis data store,” Cado security researchers Nate Bill and Matt Muir said in a report.
“A common attack pattern against Redis in cloud environments is to exploit this feature by using a malicious instance to enable replication. This is achieved through connecting to an exposed Redis instance and issuing the SLAVEOF command.”
The Rust-based malware was first documented by Palo Alto Networks Unit 42, which noted its ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to gain a foothold in Redis instances. The operation is believed to have started on or after June 29, 2023.
However, the latest discovery suggests that the threat actors behind the campaign are taking advantage of multiple exploits for initial access.
This isn’t the first time the SLAVEOF command has been misused in the wild. In the past, threat actors behind malware families such as H2Miner and HeadCrab have abused the same technique to illicitly mine cryptocurrency on compromised hosts.
The goal is to replicate from a malicious instance and then load a malicious module to activate the infection.
Another initial access vector involves registering a malicious cron job on the Redis host that downloads malware from a remote server when it runs, a method previously seen in attacks by the WatchDog cryptojacking group.
A successful breach is followed by the delivery of a next-stage payload that allows the malware to change iptables firewall rules at will, update itself, and potentially deploy cryptocurrency miners at a later date once the botnet has grown to a specific size.
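The replication abuse described above leaves a recognisable trace in Redis command telemetry. As an added example that is not part of the original report, the following Python script scans `redis-cli MONITOR`-style output (format assumed: `timestamp [db client:port] "CMD" "arg" ...`) and raises alerts for SLAVEOF/REPLICAOF pointing at a master outside a defender-maintained allowlist and for MODULE LOAD; the sample lines, the allowlist and the module path are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample of redis-cli MONITOR output (fabricated for this example).
# 198.51.100.x / 203.0.113.x are documentation ranges, not real attacker infrastructure.
SAMPLE_MONITOR = """\
1690600000.101 [0 10.0.0.12:50122] "GET" "session:abc"
1690600001.207 [0 10.0.0.12:50122] "SET" "session:abc" "payload"
1690600002.313 [0 198.51.100.7:41233] "SLAVEOF" "203.0.113.44" "6379"
1690600003.419 [0 198.51.100.7:41233] "MODULE" "LOAD" "/tmp/placeholder_module.so"
1690600004.525 [0 10.0.0.2:39990] "REPLICAOF" "10.0.0.2" "6379"
1690600005.631 [0 198.51.100.7:41233] "REPLICAOF" "NO" "ONE"
"""

# Masters this deployment legitimately replicates from (assumed defender allowlist).
KNOWN_MASTERS = {"10.0.0.2"}

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')


@dataclass
class Alert:
    ts: float
    client: str  # IP of the client that issued the command
    reason: str


def parse_args(rest: str) -> List[str]:
    # MONITOR quotes every token; pull out the quoted strings, honouring escapes.
    return re.findall(r'"((?:[^"\\]|\\.)*)"', rest)


def detect(lines: Iterable[str], known_masters=KNOWN_MASTERS) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a MONITOR command line (e.g. "OK" banner)
        args = parse_args(m.group("rest"))
        if not args:
            continue
        cmd, ts = args[0].upper(), float(m.group("ts"))
        client_ip = m.group("client").rsplit(":", 1)[0]
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3:
            if args[1].upper() == "NO" and args[2].upper() == "ONE":
                continue  # detaching from a master is not a replication takeover
            if args[1] not in known_masters:
                alerts.append(Alert(ts, client_ip, f"{cmd} to unknown master {args[1]}:{args[2]}"))
        elif cmd == "MODULE" and len(args) >= 3 and args[1].upper() == "LOAD":
            alerts.append(Alert(ts, client_ip, f"MODULE LOAD {args[2]}"))
    return alerts
```

Pipe live `redis-cli MONITOR` output into `detect()` line by line; on a hardened deployment `rename-command` for SLAVEOF, REPLICAOF and MODULE makes the same commands fail outright, so any alert here also signals a configuration gap.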
“The P2Pinfect malware uses a peer-to-peer botnet,” the researchers said. “Each infected server is treated as a node, which then connects to other infected servers. This allows the entire botnet to chat with each other without using a centralized C2 server.”
A notable characteristic of the botnet is its worming behavior, which lets it expand its reach by using a list of passwords to brute-force SSH servers and, in the case of Redis servers, by attempting to exploit the Lua sandbox escape vulnerability or issuing the SLAVEOF command.
The researchers concluded, “P2Pinfect is well designed and uses sophisticated techniques for replication and C2. The choice to use Rust allows easy portability of code across all platforms (Windows and Linux binaries share the same code), while also making static analysis of the code significantly more difficult.”