An Army of Coffee Makers Attacks: How P2PInfect Turns Your Devices into a Zombie Network

Using the MIPS architecture opens up new avenues for hackers to launch massive attacks.

Security researchers have discovered a new variant of the P2PInfect botnet in the wild. According to Cado Security, this version of the botnet is built specifically for the MIPS architecture, which gives it the ability to attack routers and Internet of Things (IoT) devices such as smart kettles, coffee makers and IP cameras. This dramatically expands the botnet's capabilities and reach.

P2PInfect, written in Rust, was first discovered in July of this year. It gains initial access to unprotected Redis instances by exploiting a critical vulnerability in Redis's Lua scripting engine (CVE-2022-0543, CVSS score 10.0).

Further analysis showed a significant increase in P2PInfect activity in September, coinciding with the release of new malware versions. Besides attempting password-guessing attacks over SSH against devices with 32-bit MIPS processors, these versions include improved techniques for evading detection and hindering analysis. The SSH attempts use common username and password pairs embedded in the ELF binary.
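A defender's view of that SSH password-guessing behaviour, as an added example that is not part of the article or of Cado Security's research: the script below parses OpenSSH auth-log lines (the sample lines are constructed) and flags sources that cycle through several usernames with failed passwords, raising the severity when a password login from the same source later succeeds.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in OpenSSH format (not real traffic).
SAMPLE_LOG = """\
Dec  4 10:15:01 gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec  4 10:15:02 gw sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Dec  4 10:15:02 gw sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Dec  4 10:15:03 gw sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Dec  4 10:15:04 gw sshd[1205]: Accepted password for root from 203.0.113.5 port 51238 ssh2
Dec  4 10:20:10 gw sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Dec  4 10:20:15 gw sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def analyze(log_text, min_failures=3, min_users=2):
    """Return {source_ip: finding} for sources showing a credential-guessing pattern.

    A source is flagged when it has at least `min_failures` failed password
    attempts spread over at least `min_users` distinct usernames. A successful
    password login from the same source after those failures is treated as a
    likely compromise and raises the severity to "high".
    """
    failures = defaultdict(list)   # src -> usernames with a failed password
    accepted = defaultdict(list)   # src -> users whose password login succeeded after failures
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src].append(user)
        elif m["method"] == "password" and failures[src]:
            accepted[src].append(user)
    findings = {}
    for src, users in failures.items():
        if len(users) >= min_failures and len(set(users)) >= min_users:
            findings[src] = {
                "failed_attempts": len(users),
                "distinct_users": sorted(set(users)),
                "severity": "high" if accepted[src] else "medium",
                "compromised_users": accepted[src],
            }
    return findings
```

Lowering `min_failures` catches slower sprays at the cost of more noise; the single failed attempt from 198.51.100.7 followed by a key-based login is deliberately left unflagged.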

SSH and Redis servers are believed to be the main propagation vectors of the new P2PInfect variant, since a Redis server can be run on MIPS via the OpenWrt "redis-server" package.

One of the new variant's evasion methods is to terminate itself, and to attempt to disable Linux core dumps, if the main malware process is detected or interrupted.

The MIPS variant also embeds a 64-bit Windows DLL module for Redis that allows shell commands to be executed on a compromised system.

Cado Security emphasizes: "This is an interesting development not only in the sense that it demonstrates the expansion of the capabilities of the developers behind P2PInfect, but also in the fact that the MIPS32 sample includes some notable methods of evading protection."

"Combined with the use of Rust and the rapid growth rate of the botnet itself, previous assumptions that this campaign is being conducted by a very sophisticated threat actor are only confirmed," the researchers concluded.