P2PInfect: an extremely dangerous worm has started up in cloud environments

The P2PInfect botnet, first discovered by Unit 42 specialists in July 2023, has significantly increased its activity since the end of August and is still running on the network today.

In just the week from September 12 to September 19, 2023, botnet activity increased 600-fold, as reported by researchers from Cado Security, with most of the breaches affecting systems in China, the United States, Germany, Singapore, Hong Kong, the United Kingdom and Japan.

The peer-to-peer malware compromises Internet-facing Redis instances on Windows and Linux systems by exploiting a remote code execution vulnerability.

According to Cado experts, the surge in P2PInfect activity is tied to the malware becoming more adaptable and stable, which has allowed it to widen its distribution.

The latest samples contain a number of additions and improvements, including new features in the cron-based persistence mechanism, overwriting any authorized SSH keys on the compromised endpoint with the attacker's own key, and changing the passwords of any other users on the system if the malware has root access.

Although the recently discovered P2PInfect variants attempted to install a miner, no actual cryptomining activity was observed, which may indicate that the malware's operators are still experimenting with the final stage of the attack.

Given the botnet's current size, active distribution, self-updating features, and rapid expansion over the past month, P2PInfect is a significant threat to consider.
 
Cado Security specialists have discovered a new version of the P2PInfect worm, which previously attacked Redis servers. New variants of P2Pinfect are focused on infecting devices with 32-bit MIPS processors, i.e. routers and IoT devices.

Recall that P2PInfect was first noticed in the summer of this year by experts from Palo Alto Networks Unit 42. At the time it was reported that the malware compromises Redis servers vulnerable to CVE-2022-0543, a flaw that allows escaping from the sandbox and executing arbitrary code.

This vulnerability was discovered and fixed back in February 2022, but hackers continued to use it against unpatched systems, as not everyone installs patches on time.

In the fall of this year, Cado Security researchers, who also monitor the botnet, reported that P2PInfect activity has increased 600 times, and attacks are massively occurring in China, the United States, Germany, Singapore, Hong Kong, the United Kingdom and Japan.

Cado Security analysts continued to monitor the malware and now report a new version that significantly expands the list of targets and improves the malware's ability to evade detection.

So, the latest attacks observed by the company's honeypots were aimed at finding SSH servers that use weak credentials. When the malware finds one, it brute-forces the credentials and then tries to download the MIPS binary via SFTP and SCP.

At the same time, the distribution of the MIPS version is not limited to SSH: attempts were also noticed to run the Redis server on MIPS devices via an OpenWRT package called redis-server.

A more detailed analysis of the updated version showed that the new P2Pinfect is a 32-bit ELF binary with an embedded 64-bit DLL that acts as a loadable Redis module, allowing shell commands to be executed on the host.
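As an added example (not code from the original posts, nor from Unit 42 or Cado Security), a defender-side triage script covering the host-level behaviours described above: the overwritten authorized_keys file, the cron-based persistence, and a Redis instance exposed on all interfaces with a loadable module. All sample inputs are constructed placeholders, and the allow-list of known SSH keys is an assumption the reader supplies.

```python
import re
# Constructed sample inputs for the checks below (placeholders, not real indicators).
SAMPLE_AUTHORIZED_KEYS = """# ops team
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsKeyPlaceholder ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownKeyPlaceholder
"""
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIOpsKeyPlaceholder"}
SAMPLE_CRONTAB = """0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/redis-server >/dev/null 2>&1
"""
SAMPLE_REDIS_CONF = """bind 0.0.0.0
protected-mode no
loadmodule /tmp/module_placeholder.so
"""
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# Binaries launched from world-writable paths, or downloads piped into a shell.
SUSPICIOUS_CRON = re.compile(r"/(?:tmp|dev/shm|var/tmp)/|\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")
def unknown_authorized_keys(text, known):
    """Key blobs in authorized_keys that are not on the allow-list (a worm that
    overwrites the file leaves only its own key, so this flags the replacement)."""
    unknown = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key-type token.
        idx = next((i for i, t in enumerate(parts) if t.startswith(KEY_TYPES)), None)
        if idx is not None and idx + 1 < len(parts) and parts[idx + 1] not in known:
            unknown.append(parts[idx + 1])
    return unknown
def suspicious_cron_lines(text):
    """Crontab entries matching SUSPICIOUS_CRON; comments and blank lines are skipped."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and SUSPICIOUS_CRON.search(l)]

def redis_conf_findings(text):
    """Exposure and module-loading settings in a redis.conf worth reviewing."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "bind" and "0.0.0.0" in args:
            findings.append("listens on all interfaces")
        elif key == "protected-mode" and args[:1] == ["no"]:
            findings.append("protected-mode disabled")
        elif key == "loadmodule":
            findings.append("module loaded: " + " ".join(args))
    return findings
```

Run the three functions over the real files (~/.ssh/authorized_keys for each user, the system and per-user crontabs, and the live redis.conf) and treat any non-empty result as a lead for manual review rather than a verdict.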

"It is very likely that by targeting MIPS, P2PInfect developers are trying to infect routers and IoT devices with malware," the analysts report.

It is also noted that the new version of P2Pinfect implements more complex and multifaceted detection evasion mechanisms, which significantly complicate the detection and analysis of malware.

It is noteworthy that experts are still not sure what the ultimate goals of P2Pinfect operators are. It is assumed that with the help of this botnet, hackers can engage in cryptocurrency mining, DDoS attacks, traffic proxying, or data theft.
 