P2Pinfect Worm Now Dropping Ransomware on Redis Servers


P2Pinfect, a peer-to-peer (P2P) worm targeting Redis servers, was recently updated to deploy ransomware and cryptocurrency miners, Cado Security reports.

Written in the Rust programming language, the worm was first spotted in July 2023, spreading to Redis servers impacted by an older Lua sandbox escape bug tracked as CVE-2022-0543 (CVSS score of 10).

On the infected systems, the worm was deploying scripts and scanning tools that allowed it to identify additional vulnerable servers and propagate itself to them.

While P2Pinfect did not appear to have an objective other than spreading to vulnerable Redis servers, a recent update modified its behavior and attacks observed since June 23 revealed the use of ransomware and cryptomining payloads.

Cado Security observed the malware exploiting the replication features in Redis, where a cluster consists of leaders and followers, with the followers being replicas of the leader nodes.

Attackers frequently exploit this setup as it allows them to gain code execution on follower nodes by instructing them to load arbitrary modules.

“P2Pinfect exploits this by using the SLAVEOF command to turn discovered opened Redis nodes into a follower node of the attacker server. It then uses a series of commands to write out a shared object (.so) file, and then instructs the follower to load it. Once this is done, the attacker can send arbitrary commands to the follower for it to execute,” Cado Security explains.
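As an added illustration (not code from the Cado report or this article), the following detector scans Redis MONITOR output for the sequence described above: a client pointing the node at a remote leader with SLAVEOF/REPLICAOF and then loading a module shortly afterwards. The sample MONITOR lines, addresses and module path are constructed for the example.

```python
import re

# One Redis MONITOR line looks like (constructed sample):
#   1718000010.200000 [0 203.0.113.5:41234] "SLAVEOF" "203.0.113.9" "6379"
MONITOR_RE = re.compile(
    r'^\+?(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Commands that turn this node into a replica of an arbitrary host.
REPLICATION_CMDS = {"SLAVEOF", "REPLICAOF"}
# MODULE subcommands that load native code into the server process.
MODULE_LOAD_SUBCMDS = {"LOAD", "LOADEX"}

def parse_monitor_line(line):
    """Split a MONITOR line into timestamp, client address and argv."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "args": ARG_RE.findall(m.group("args"))}

def detect_replication_module_abuse(lines, window_seconds=600):
    """Alert when a client issues SLAVEOF/REPLICAOF <host> <port> and then
    MODULE LOAD within window_seconds. SLAVEOF NO ONE is ignored."""
    last_replica_cmd = {}  # client -> (timestamp, leader host)
    alerts = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        args = ev["args"]
        cmd = args[0].upper()
        if cmd in REPLICATION_CMDS and len(args) >= 3:
            if args[1].upper() == "NO":  # "SLAVEOF NO ONE" disables replication
                continue
            last_replica_cmd[ev["client"]] = (ev["ts"], args[1])
        elif cmd == "MODULE" and len(args) >= 3 and args[1].upper() in MODULE_LOAD_SUBCMDS:
            prior = last_replica_cmd.get(ev["client"])
            if prior and ev["ts"] - prior[0] <= window_seconds:
                alerts.append({"client": ev["client"], "replica_of": prior[1],
                               "module_path": args[2]})
    return alerts

# Constructed MONITOR excerpt: one benign read, one replica+module sequence.
SAMPLE_MONITOR = """
1718000000.100000 [0 10.0.0.7:50512] "GET" "session:42"
1718000010.200000 [0 203.0.113.5:41234] "SLAVEOF" "203.0.113.9" "6379"
1718000011.300000 [0 203.0.113.5:41234] "MODULE" "LOAD" "/tmp/exp.so"
1718000020.400000 [0 10.0.0.8:50600] "SLAVEOF" "NO" "ONE"
""".strip().splitlines()
```

Running the detector over live MONITOR output is costly on busy instances; the same logic applies to any proxy or network capture that records Redis commands per client.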

The malware was also seen using a basic SSH password sprayer and executing various commands to lock other threat actors out of the compromised instances: changing the passwords of other users, and updating the SSH configuration and restarting the SSH service to enable root login with a password.


Unlike the original P2Pinfect malware, the updated iteration was rewritten using Tokio, an async framework for Rust, and features drastically modified internals, Cado says.

On the infected server, the updated malware drops and executes a Monero miner binary. To date, the threat actor has made £9,660 (~$12,230).

Additionally, P2Pinfect was seen receiving a command to download and execute a ransomware payload. In all observed instances, the download URL and the command JSON are identical, suggesting the command was issued directly by the attacker and that the payload is hosted on a server they control.

When executed, the ransomware first checks whether a ransom note exists and, if it does not, it starts the encryption process. Because Redis does not save data on disk by default, it is unclear what the malware can ransom apart from configuration files.

“After writing out the note, the ransomware iterates through all directories on the file system, and overwrites the contents with an encrypted version. It then appends .encrypted to the end of the file name,” Cado explains.

P2Pinfect now also features a usermode rootkit, which lets it execute shell commands from other malware binaries without interference. “The rootkit is dynamically generated by the main binary at runtime,” Cado notes.

The cybersecurity firm notes that P2Pinfect may be a botnet-to-hire, due to the use of ransomware, the use of different wallet addresses for the miner and ransomware, and operational interference and differences between the miner and the ransomware.

“The choice of a ransomware payload for malware primarily targeting a server that stores ephemeral in-memory data is an odd one, and P2Pinfect will likely see far more profit from their miner than their ransomware due to the limited amount of low-value files it can access due to its permission level,” Cado concludes.

Related: Threat Actors Quick to Abuse ‘SSH-Snake’ Worm-Like Tool

Related: Redis Servers Targeted With New ‘Migo’ Malware

Related: HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
