By focusing on Internet of Things devices, cybersecurity experts at Cado Security Labs have discovered a new variation of the P2PInfect botnet that presents a greater risk.
The most recent version of P2PInfect, which was built for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, shows that the malware’s capabilities have grown, possibly opening the door for infections to propagate widely.
Targeting MIPS is important because it indicates that P2PInfect coders are intentionally trying to hack routers and other Internet of thing’s devices, as security researcher Matt Muir pointed out.
The Rust-based P2PInfect virus was first made public in July 2023. It became well-known for its ability to penetrate unpatched Redis instances by taking use of a serious Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0).
New evasion and anti-analysis techniques are used in the newest artefacts to perform SSH brute-force attacks on machines with 32-bit MIPS processors in order to avoid detection.
Common username and password pairs are used in the brute-force attacks against SSH servers, which are included in the ELF code itself. Given that one may use the Open Wrt package redis -server to run a Redis server on MIPS, it is assumed that both SSH and Redis servers act as vectors of propagation for the MIPS form.
Among the malware’s evasion strategies are attempts to suppress Linux core dumps—files produced by the kernel upon an unusual process crash—and self-termination when analysed. The 64-bit Windows DLL module for Redis is included in the MIPS version, allowing shell scripts to be executed of shell commands on systems under compromise.
Cado Security highlights the importance of these advances, noting that a skilled threat actor is likely involved given the expanding breadth of P2PInfect, complex evasion strategies, and the usage of Rust for cross-platform programming.
