The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.
The development marks the threat’s transition from what appeared to be a dormant botnet with unclear motives to a financially motivated operation.
“With its latest updates to the crypto miner, ransomware payload, and rootkit elements, it demonstrates the malware author’s continued efforts into profiting off their illicit access and spreading the network further, as it continues to worm across the internet,” Cado Security said in a report published this week.
P2PInfect came to light nearly a year ago, and has since received updates to target MIPS and ARM architectures. Earlier this January, Nozomi Networks uncovered the use of the malware to deliver miner payloads.
It typically spreads by targeting Redis servers and its replication feature to transform the victim systems into a follower node of the attacker-controlled server, subsequently allowing it to issue arbitrary commands to them.
The Rust-based worm also features the ability to scan the internet for more vulnerable servers, not to mention incorporating an SSH password sprayer module that attempts to log in using common passwords.
Besides taking steps to prevent other attackers from targeting the same server, P2PInfect is known to change the passwords of other users, restart the SSH service with root permissions, and even perform privilege escalation.
“As the name suggests, it is a peer-to-peer botnet, where every infected machine acts as a node in the network, and maintains a connection to several other nodes,” security researcher Nate Bill said.
“This results in the botnet forming a huge mesh network, which the malware author makes use of to push out updated binaries across the network, via a gossip mechanism. The author simply needs to notify one peer, and it will inform all its peers and so on until the new binary is fully propagated across the network.”
Among the new behavioral changes to P2PInfect include the use of the malware to drop miner and ransomware payloads, the latter of which is designed to encrypt files matching certain file extensions and deliver a ransom note urging the victims to pay 1 XMR (~$165).
“As this is an untargeted and opportunistic attack, it is likely the victims are to be low value, so having a low price is to be expected,” Bill pointed out.
Also of note is a new usermode rootkit that makes use of the LD_PRELOAD environment variable to hide their malicious processes and files from security tools, a technique also adopted by other cryptojacking groups like TeamTNT.
It’s suspected that P2PInfect is advertised as a botnet-for-hire service, acting as a conduit to deploy other attackers’ payloads in exchange for payment.
This theory is bolstered by the fact that the wallet addresses for the miner and ransomware are different, and that the miner process is configured to take up as much processing power as possible, causing it to interfere with the functioning of the ransomware.
“The choice of a ransomware payload for malware primarily targeting a server that stores ephemeral in-memory data is an odd one, and P2Pinfect will likely see far more profit from their miner than their ransomware due to the limited amount of low-value files it can access due to its permission level,” Bill said.
“The introduction of the usermode rootkit is a ‘good on paper’ addition to the malware. If the initial access is Redis, the usermode rootkit will also be completely ineffective as it can only add the preload for the Redis service account, which other users will likely not log in as.”
The disclosure follows AhnLab Security Intelligence Center’s (ASEC) revelations that vulnerable web servers that have unpatched flaws or are poorly secured are being targeted by suspected Chinese-speaking threat actors to deploy crypto miners.
“Remote control is facilitated through installed web shells and NetCat, and given the installation of proxy tools aimed at RDP access, data exfiltration by the threat actors is a distinct possibility,” ASEC said, highlighting the use of Behinder, China Chopper, Godzilla, BadPotato, cpolar, and RingQ.
It also comes as Fortinet FortiGuard Labs pointed out that botnets such as UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and computing services operators to distribute malware payloads and updates to a broad range of devices.
“Using cloud servers for [command-and-control] operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack,” security researchers Cara Lin and Vincent Li said.