Redis Servers Targeted by P2PInfect Worm Employing New Breach Methods

Cybersecurity analysts are sounding the alarm as a new peer-to-peer (P2P) worm, named P2PInfect, exhibits a series of previously unreported tactics to infiltrate vulnerable Redis servers and conscript them into a formidable botnet.

According to researchers at Cado Security, the worm is making use of an undisclosed set of initial access methods to compromise Redis data stores, primarily exploiting the replication feature.

The malware targets exposed Redis instances by abusing the replication functionality. By connecting to an exposed Redis instance and issuing the SLAVEOF command, threat actors make the instance replicate from a server they control, paving the way for subsequent infiltration.

In its initial disclosure, Palo Alto Networks Unit 42 revealed that the Rust-based P2PInfect malware takes advantage of a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to gain an initial foothold in Redis instances. The campaign is believed to have commenced sometime after June 29, 2023.

However, the latest intelligence gathered indicates that the threat actors orchestrating the campaign have diversified their arsenal of exploits to gain entry, and the SLAVEOF command is among them. In the past, similar attack techniques involving SLAVEOF have been employed by malicious entities, including H2Miner and HeadCrab, to mine cryptocurrency on compromised hosts.
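One way a defender can spot the replication abuse described in the two paragraphs above is to watch for SLAVEOF (or its newer alias REPLICAOF) being issued with a master that is not on an allowlist. The following detector is an added example, not code from the article or from the Cado or Unit 42 research; it assumes input in the format printed by `redis-cli MONITOR`, and the sample lines, hosts and allowlist are constructed.

```python
import re
from dataclasses import dataclass

# One line of `redis-cli MONITOR` output looks like:
#   <unix time> [<db> <client ip>:<port>] "CMD" "arg1" "arg2" ...
MONITOR_LINE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.+)$')

# Commands that re-point this instance's replication at another host.
# REPLICAOF is the newer alias of SLAVEOF; compare case-insensitively.
REPLICATION_CMDS = {"SLAVEOF", "REPLICAOF"}

@dataclass
class Alert:
    ts: str
    client: str
    command: str
    target: str  # "<host> <port>" or "NO ONE"

def parse_args(rest):
    """Split the quoted tokens MONITOR prints into a list of strings."""
    return re.findall(r'"((?:[^"\\]|\\.)*)"', rest)

def find_replication_hijacks(lines, allowed_masters):
    """Return an Alert for every SLAVEOF/REPLICAOF whose master host is not in
    allowed_masters. 'NO ONE' (detach) is reported too: the detach step is part
    of the same takeover sequence and deserves review."""
    alerts = []
    for line in lines:
        m = MONITOR_LINE.match(line.strip())
        if not m:
            continue  # banner, "OK" or blank line, not a command record
        args = parse_args(m.group("rest"))
        if not args or args[0].upper() not in REPLICATION_CMDS:
            continue
        host = args[1] if len(args) > 1 else ""
        if host not in allowed_masters:  # "NO" (from NO ONE) never matches
            alerts.append(Alert(m.group("ts"), m.group("client"),
                                args[0].upper(), " ".join(args[1:])))
    return alerts

# Constructed sample: a legitimate re-point to the known master 10.0.0.2,
# then an external client aiming replication at an attacker-controlled host.
SAMPLE_MONITOR = """\
OK
1689000002.000002 [0 10.0.0.5:40001] "SLAVEOF" "10.0.0.2" "6379"
1689000003.000003 [0 203.0.113.7:51234] "SLAVEOF" "198.51.100.9" "6379"
1689000004.000004 [0 203.0.113.7:51234] "REPLICAOF" "NO" "ONE"
1689000005.000005 [0 10.0.0.5:40002] "GET" "session:abc"
""".splitlines()
```

Running `find_replication_hijacks(SAMPLE_MONITOR, {"10.0.0.2"})` reports the two commands from 203.0.113.7 and ignores the legitimate re-point; in production, feed it the MONITOR stream or, better, keep replication commands renamed or disabled and alert on any attempt to call them.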

Another avenue exploited for initial access involves the deployment of a malicious cron job on the Redis host. Upon execution, this job fetches the malware from a remote server, reminiscent of previous attacks conducted by the WatchDog cryptojacking group.

Once a successful breach occurs, the P2PInfect malware proceeds to unleash subsequent payloads, allowing threat actors to manipulate iptables firewall rules, self-upgrade, and potentially deploy cryptocurrency miners at a later stage, once the botnet has reached a specific magnitude.

The P2PInfect botnet exhibits a distinctive worming behavior. Each infected server behaves as a node, establishing connections with other infected servers, enabling peer-to-peer communication without reliance on a centralized command-and-control (C2) server.

To further enhance its stealth and resilience, P2PInfect’s creators chose the Rust programming language, allowing for easier code portability across different platforms. Additionally, the utilization of Rust complicates static code analysis, presenting a formidable challenge to security experts trying to dissect the malware.

Despite meticulous investigations, the identity of the threat actors spearheading the P2PInfect campaign remains shrouded in mystery, and their true intentions for this malicious endeavor continue to elude researchers. The indicators do not align with any known cryptojacking groups, leaving cybersecurity professionals puzzled about the ultimate goal of this insidious operation.

In closing, experts have issued a stern warning, affirming that P2PInfect boasts sophisticated techniques for replication and C2, showcasing its well-orchestrated design. The use of Rust, as an ingenious choice, enhances the malware’s portability while significantly heightening the challenge of code analysis. Redis server administrators are urged to remain vigilant and take necessary precautions to safeguard against this emerging threat.
