Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation.
“P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms,” Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. “This worm is also written in Rust, a highly scalable and cloud-friendly programming language.”
It’s estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023.
A notable characteristic of the worm is its ability to infects vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been previously exploited to deliver multiple malware families such as Muhstik, Redigo, and HeadCrab over the past year.
The initial access afforded by a successful exploitation is then leveraged to deliver a dropper payload that establishes peer-to-peer (P2P) communication to a larger P2P network and fetch additional malicious binaries, including scanning software for propagating the malware to other exposed Redis and SSH hosts.
“The infected instance then joins the P2P network to provide access to the other payloads to future compromised Redis instances,” the researchers said.
The malware also utilizes a PowerShell script to establish and maintain communication between the compromised host and the P2P network, offering threat actors persistent access. What’s more, the Windows flavor of P2PInfect incorporates a Monitor component to self-update and launch the new version.
It’s not immediately known what the end goal of the campaign is, with Unit 42 noting that there is no definitive evidence of cryptojacking despite the presence of the word “miner” in the toolkit’s source code.
Shield Against Insider Threats: Master SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
The activity has not been attributed to any known threat actor groups notorious for striking cloud environments like Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Money Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Thief Libra (aka WatchDog).
The development comes as misconfigured and vulnerable cloud assets are being discovered within minutes by bad actors constantly scanning the internet to mount sophisticated attacks.
“The P2PInfect worm appears to be well designed with several modern development choices,” the researchers said. “The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape.”
