P2Pinfect Malware Targets Both Windows and Linux Redis Servers
A novel and highly sophisticated malware campaign dubbed "P2Pinfect" has recently emerged, targeting publicly accessible deployments of the Redis data store. Cado Security Labs revealed that the malware is written in the Rust programming language, which complicates analysis.
To provide context, it's worth noting that prior to Cado Security's analysis of P2Pinfect, Unit42 researchers had already conducted a separate examination of the Windows variant of the same malware.
The researchers at Cado Security found that the P2Pinfect malware functions as a botnet agent and possesses the unique ability to operate seamlessly on both Windows and Linux platforms. They identified an embedded Portable Executable (PE) and an additional ELF executable in the malware sample, confirming its capability to infect systems running on both operating systems.
P2Pinfect's Mode of Operation
The malware initiates its intrusion into compromised systems by exploiting the replication feature of Redis data stores. Once replication is achieved, the malware proceeds to load a malicious shared object file, granting it reverse shell access and the power to execute arbitrary shell commands on the host.
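The two steps described above (the instance being turned into a replica, then a shared object being loaded) each leave a line in the Redis server log, so a defender can correlate them. The following detector is an added example written for this article; it is not code from Cado Security or from the P2Pinfect analysis. It assumes the standard Redis server log line layout (`pid:role day mon year time.ms level message`), and the allowlist of legitimate masters, the approved module directory and the sample log lines are all constructed for the illustration.

```python
"""Flag the Redis replication-then-module-load chain in a Redis server log."""
import re
from datetime import datetime, timedelta

# Masters this instance may legitimately replicate from (assumed for the example).
ALLOWED_MASTERS = {"10.0.0.5"}
# Directories from which modules may legitimately be loaded (assumed for the example).
ALLOWED_MODULE_DIRS = ("/usr/lib/redis/modules/",)
# Maximum gap between a replication event and a module load to treat them as one chain.
CHAIN_WINDOW = timedelta(minutes=5)

# Redis server log layout: "<pid>:<role> <day> <mon> <year> <hh:mm:ss.mmm> <level> <message>"
LINE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[MSCX]) "
    r"(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[.\-*#]) (?P<msg>.*)$"
)
REPLICAOF_RE = re.compile(r"^REPLICAOF (?P<host>\S+):(?P<port>\d+) enabled")
CONNECT_RE = re.compile(r"^Connecting to MASTER (?P<host>\S+):(?P<port>\d+)$")
MODULE_RE = re.compile(r"^Module '(?P<name>[^']*)' loaded from (?P<path>\S+)$")

# Constructed sample log: a replication request from an unknown host followed
# shortly by a module load from /tmp. Not captured from a real incident.
SAMPLE_LOG = """\
7412:M 20 Jul 2023 10:02:11.104 * Ready to accept connections
7412:S 20 Jul 2023 10:05:40.221 * REPLICAOF 203.0.113.45:8886 enabled (user request from 'id=12 addr=203.0.113.45:51622 cmd=slaveof')
7412:S 20 Jul 2023 10:05:40.222 * Connecting to MASTER 203.0.113.45:8886
7412:S 20 Jul 2023 10:05:40.400 * MASTER <-> REPLICA sync started
7412:S 20 Jul 2023 10:05:41.012 * Module 'system' loaded from /tmp/exp.so
"""


def parse_line(line):
    """Return (timestamp, message) or None for lines not in Redis log format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d %b %Y %H:%M:%S.%f")
    return ts, m.group("msg")


def analyze(log_text):
    """Scan log text and return findings as dicts with severity, rule, time, detail."""
    findings = []
    unknown_masters = []  # (timestamp, host) for replication to non-allowlisted masters
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed

        rep = REPLICAOF_RE.match(msg) or CONNECT_RE.match(msg)
        if rep and rep.group("host") not in ALLOWED_MASTERS:
            host = rep.group("host")
            # REPLICAOF and the following "Connecting to MASTER" line describe
            # the same event; record it once.
            if not unknown_masters or unknown_masters[-1][1] != host:
                unknown_masters.append((ts, host))
                findings.append({
                    "severity": "high",
                    "rule": "replica_of_unknown_master",
                    "time": ts,
                    "detail": f"instance became a replica of {host}:{rep.group('port')}",
                })
            continue

        mod = MODULE_RE.match(msg)
        if mod:
            path = mod.group("path")
            if path.startswith(ALLOWED_MODULE_DIRS):
                continue  # loaded from the approved directory: nothing to report
            recent = [h for (t, h) in unknown_masters if ts - t <= CHAIN_WINDOW]
            if recent:
                # Replication from an unknown master followed by a module load
                # from outside the approved directory is the full chain.
                findings.append({
                    "severity": "critical",
                    "rule": "replication_then_module_load",
                    "time": ts,
                    "detail": f"module '{mod.group('name')}' loaded from {path} "
                              f"shortly after replicating from {recent[-1]}",
                })
            else:
                findings.append({
                    "severity": "high",
                    "rule": "module_load_outside_allowlist",
                    "time": ts,
                    "detail": f"module '{mod.group('name')}' loaded from {path}",
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} [{f['severity']}] {f['rule']}: {f['detail']}")
```

Run against a live deployment by feeding it the file named by `logfile` in `redis.conf`. The correlation is deliberately one-directional: a module load from the approved directory is never reported, and a module load with no preceding replication to an unknown master is reported at lower severity, so the critical alert fires only for the chain the article describes.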
To evade detection and analysis, the malware employs sophisticated evasion techniques, making its identification more challenging.
Upon establishing a foothold, P2Pinfect exhibits worm-like behavior by actively attempting to propagate itself to other hosts within the network. It actively scans for exposed Redis and SSH servers, using a list of passwords to launch brute-force attacks.
Additionally, the malware sets up a decentralized peer-to-peer botnet, where infected servers act as nodes that connect with other compromised servers. This approach lets the infected nodes communicate with each other without relying on a centralized command-and-control (C2) server.
Cado Security Labs also discovered that the malware has the capability to drop and execute additional payloads. However, similar to Unit42's findings, they did not observe any cryptocurrency mining activities in the analyzed sample.
The experts noted that the malware's architecture allows its operator to rapidly deploy any payload of their choosing. They pledged to continue monitoring P2Pinfect and provide updates as new developments occur.