New P2Pinfect malware targets MIPS chips in IoT-based assaults and Redis server attacks

December 6, 2023

  • A new variant of P2Pinfect has been observed targeting embedded Internet of Things (IoT) devices with 32-bit MIPS processors, attempting to brute force Secure Shell (SSH) access to them.
  • P2Pinfect, which is written in Rust, acts as a botnet agent and connects infected systems in a peer-to-peer topology. Early samples gained initial access by exploiting Redis servers, a comparatively common approach in cloud environments, as SC Media reported on September 20.
  • In a blog post on Monday, Cado Security Labs described the attack and said it is very likely that the P2Pinfect developers are going after MIPS in order to infect routers and IoT devices with the malware. The researchers noted that botnet malware, including well-known families such as Mirai and its variants, has previously targeted the MIPS processor architecture, which is frequently used in embedded IoT devices.

  • According to Cado Security’s threat intelligence lead, Matt Muir, the targeting of MIPS indicates that the threat actors behind P2Pinfect are starting to go after more than just generic servers. Muir noted that the group had found that OpenWrt, an open source router firmware project, allows a Redis server to run on MIPS devices.
  • “We believe that compromised MIPS devices are being used to propagate the malware to a wider range of targets, resulting in a more powerful botnet overall,” Muir said. “OpenWrt also supports MIPS processors.” It’s also important to remember that MIPS systems have been successfully targeted by earlier well-known botnet families, such as Mirai and its offshoots.
  • The recent discovery of a new P2Pinfect variant that targets MIPS machines, particularly IoT devices, suggests a change in the malware developers’ strategy, according to Anurag Gurtu, CPO at StrikeReady. Gurtu agreed with Muir that the wide use of MIPS processors in IoT devices is probably the reason attackers are now taking advantage of these vulnerabilities.
  • According to Gurtu, “this action indicates the developers’ intention to expand their botnet by infecting a broader range of devices. The actors behind P2Pinfect appear to be highly skilled and determined to build a resilient, difficult-to-detect botnet, based on the sophistication of the malware as demonstrated by evasion techniques like VM and debugger detection, anti-forensics on Linux hosts, and the use of Rust for cross-platform development. This rise in targeting and improved evasion strategies suggests a deliberate attempt to boost the impact and resilience of the botnet while confounding security researchers’ attempts at mitigation and analysis.”
  • The shift in focus from Redis servers to embedded IoT devices “suggests a strategic evolution,” according to Emily Phelps, Director at Cyware. Phelps said a growing number of attackers are taking advantage of the extensive, frequently inadequately secured population of IoT devices, partly because these devices are widely used in everyday applications and essential infrastructure, making them an attractive target for unwanted activity. “The new P2Pinfect variant’s updated evasion mechanisms indicate a more calculated approach, potentially aimed at building a resilient botnet or establishing sustained control over infected devices,” Phelps added. “These strategies may also indicate that the attackers are highly aware and adaptive, foreseeing and thwarting cybersecurity measures.”
  • According to Andrew Barratt, vice president of Coalfire, if the P2Pinfect malware manages to infiltrate a number of widely used IoT devices, there is a good chance that it will establish its own network among those devices, making it extremely difficult to eradicate entirely. It would also give the operators a variety of options for persistence and command and control on devices that XDR technology normally cannot reach.
  • Barratt pointed out that it is also feasible that these features are part of a demonstration of the malware’s capability, increasing its marketability to threat actors aiming at various industry sectors.