New report details evolution of P2Pinfect into ransomware & miner
Cado Security has issued a new report detailing a significant evolution in the P2Pinfect malware. The report highlights that the previously dormant worm has evolved to include a ransomware and crypto-miner payload. The rise of P2Pinfect continues to demonstrate the malware authors' consistent efforts to exploit illicit access and further distribute their malware across various servers.
Upon its discovery, P2Pinfect primarily appeared to spread without causing significant harm. "Upon initial discovery, the malware appeared mostly dormant. It would spread primarily via Redis and a limited SSH spreader, but ultimately did not seem to have an objective other than to spread," stated Cado Security. However, the malware has undergone significant updates, making it substantially more malicious.
P2Pinfect employs the replication features of Redis, a distributed cluster database, to exploit vulnerable instances and spread rapidly. The malware uses the SLAVEOF command to redirect follower nodes to the attacker's server, allowing the attacker to execute arbitrary commands on them. Executing these commands efficiently converts the nodes into agents that spread the malware further. A second Redis vector manipulates configuration commands to insert a cron job, providing persistence and another route for spreading.
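Both Redis abuses described above (a SLAVEOF redirect to an unexpected host, and CONFIG SET changes to the dump path followed by a SAVE) are visible in Redis MONITOR output. The following detector is an added example, not code from the report or from Cado Security; the MONITOR lines, the attacker address and the `KNOWN_PRIMARIES` allowlist are constructed for illustration.

```python
import re

# Constructed sample of Redis MONITOR output (not real captured data): one legitimate
# client and one client issuing the replication and config abuse pattern described above.
SAMPLE_MONITOR = """\
1718000000.100001 [0 10.0.0.5:43210] "SET" "session:42" "abc"
1718000000.200002 [0 198.51.100.23:51000] "SLAVEOF" "198.51.100.23" "6379"
1718000000.300003 [0 198.51.100.23:51000] "CONFIG" "SET" "dir" "/var/spool/cron"
1718000000.400004 [0 198.51.100.23:51000] "CONFIG" "SET" "dbfilename" "root"
1718000000.500005 [0 198.51.100.23:51000] "SAVE"
1718000000.600006 [0 10.0.0.5:43210] "GET" "session:42"
"""

# Hypothetical allowlist of hosts that may legitimately act as a replication primary.
KNOWN_PRIMARIES = {"10.0.0.10"}

LINE_RE = re.compile(r'^(\S+) \[\d+ ([^\]:]+):\d+\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
DUMP_PATH_KEYS = {"dir", "dbfilename"}  # let a client choose where the RDB file lands

def parse_line(line):
    """Split a MONITOR line into (timestamp, client_ip, [args]); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client_ip, rest = m.groups()
    return ts, client_ip, ARG_RE.findall(rest)

def scan_monitor(text, known_primaries=KNOWN_PRIMARIES):
    """Return (client_ip, reason) findings for replication hijack and dump-path abuse."""
    findings = []
    primed = set()  # clients that have already moved the dump path
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed or not parsed[2]:
            continue
        _, client, args = parsed
        cmd = args[0].upper()
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3 and args[1].upper() != "NO":
            if args[1] not in known_primaries:
                findings.append((client, f"replication redirected to {args[1]}:{args[2]}"))
        elif (cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET"
              and args[2].lower() in DUMP_PATH_KEYS):
            primed.add(client)
            findings.append((client, f"dump path changed: {args[2]}={args[3]}"))
        elif cmd in ("SAVE", "BGSAVE") and client in primed:
            findings.append((client, "dump written after dump path change"))
    return findings
```

Running `scan_monitor(SAMPLE_MONITOR)` yields four findings, all from the constructed attacker client; the same logic applies to a live `redis-cli MONITOR` stream.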
Notably, P2Pinfect also attempts to exploit SSH by employing a basic password sprayer technique. However, this vector has seen less success compared to the Redis exploitation, likely due to oversaturation. Upon gaining access, the malware ensures that the infected server is safeguarded from other attackers by updating SSH configurations and commands to limit access.
One of P2Pinfect's significant features is its peer-to-peer (P2P) botnet structure. Every infected machine acts as a node in the network, maintaining connections to several other nodes and forming a vast mesh network. This architecture facilitates the rapid propagation of updates across the botnet through a gossip protocol, where a single notification can result in a cascade of updates throughout the network.
The main binary of P2Pinfect has been rewritten: it is now written entirely in Rust on the tokio async framework and packed with UPX. Despite this rewrite, the payload's core behaviours, such as its persistence mechanisms, largely remain unchanged. This evolution also includes a secondary binary, '/tmp/bash', which performs periodic health checks on the main binary to ensure it keeps running.
The newly integrated crypto-miner payload leverages the botnet for unauthorised cryptocurrency mining. The miner targets Monero and is activated approximately five minutes post-infection, indicating a preconfigured mining setup. The attacker's Monero wallet has accumulated around 71 XMR, equivalent to roughly £9,660.
The ransomware component is executed upon receiving specific commands within the botnet. The payload, named 'rsagen', encrypts files, appending a '.encrypted' extension, and creates a ransom note instructing victims on how to pay for decryption. The use of Monero as the payment method obscures tracking of the financial gains from this component. The ransom note includes contact details for payment confirmation. Still, it is unclear what data the ransomware would target in Redis-driven environments, which traditionally store ephemeral data rather than critical files.
Cado Security also reports a new user-mode rootkit feature within P2Pinfect. The rootkit manipulates the environment to hide specific processes related to the malware, obscuring its presence on infected systems. This is achieved by tampering with common system commands and hijacking method calls to conceal the malware's execution traces. However, the rootkit has limitations, particularly where the malware infects Redis users with restricted permissions.
Speculation has arisen that P2Pinfect may be a "botnet for hire", given its flexibility in deploying various payloads. This would mean other attackers could use it to distribute their own malware components on demand. While there is evidence both for and against this theory, Cado Security remains cautious about drawing conclusions on the exact nature and operational motives behind P2Pinfect.