P2PInfect is a newly found type of a developing botnet that can target routers and Internet of Things devices, according to cybersecurity researchers.
The most recent version has been expanded in scope and capabilities by being compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, according to Cado Security Labs.
According to a report published with The Hacker News by security expert Matt Muir, “it’s highly likely that the P2PInfect developers intend to infect routers and IoT devices with the malware by targeting MIPS.”
According to a report published with The Hacker News by security expert Matt Muir, “it’s highly likely that the P2PInfect developers intend to infect routers and IoT devices with the malware by targeting MIPS.”
First discovered in July 2023, P2PInfect is a Rust-based malware that targets unpatched Redis instances. It gains access by first taking advantage of a major Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0).
September saw a spike in P2PInfect activity, which the cloud security company subsequently analyzed. This spike coincided with the malware’s iterative versions being released.
In addition to attempting brute-force SSH attacks on devices integrated with 32-bit MIPS CPUs, the new artefacts include revised evasion and anti-analysis measures to avoid detection.
Common username and password pairs found in the ELF binary itself are used in the brute-force attacks made against SSH servers found during the scanning phase.
Given that Redis servers may be run on MIPS via the Redis-server OpenWrt package, it is hypothesized that both SSH and Redis servers are vectors of propagation for the MIPS variant.
Two noteworthy evasion techniques are an attempt to disable Linux core dumps, which are files routinely generated by the kernel after a process crashes suddenly, and a check to see whether it’s being analyzed and, if so, kill itself.
Additionally, the MIPS version comes with an embedded 64-bit Windows DLL module for Redis, which enables shell commands to be executed on a compromised system.
“Not only is this an interesting development in that it demonstrates a widening of scope for the developers behind P2PInfect (more supported processor architectures equals more nodes in the botnet itself), but the MIPS32 sample includes some notable defence evasion techniques,” Cado stated.
“This, combined with the malware’s utilization of Rust (aiding cross-platform development) and rapid growth of the botnet itself, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor.”
