P2Pinfect Worm Now Dropping Ransomware on Redis Servers

The P2Pinfect worm targeting Redis servers has been updated with ransomware and cryptocurrency mining payloads.

P2Pinfect, a peer-to-peer (P2P) worm targeting Redis servers, was recently updated to deploy ransomware and cryptocurrency miners, Cado Security reports.

Written in the Rust programming language, the worm was first spotted in July 2023, spreading to Redis servers impacted by an older Lua sandbox escape bug tracked as CVE-2022-0543 (CVSS score of 10).

On the infected systems, the worm was deploying scripts and scanning tools that allowed it to identify additional vulnerable servers and propagate itself to them.

While P2Pinfect did not appear to have an objective other than spreading to vulnerable Redis servers, a recent update modified its behavior, and attacks observed since June 23 revealed the use of ransomware and cryptomining payloads.

Cado Security observed the malware exploiting the replication features in Redis, where a cluster consists of leaders and followers, with the followers being replicas of the leader nodes.

Attackers frequently exploit this setup as it allows them to gain code execution on follower nodes by instructing them to load arbitrary modules.

“P2Pinfect exploits this by using the SLAVEOF command to turn discovered opened Redis nodes into a follower node of the attacker server. It then uses a series of commands to write out a shared object (.so) file, and then instructs the follower to load it. Once this is done, the attacker can send arbitrary commands to the follower for it to execute,” Cado Security explains.
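A defender can watch for the sequence Cado describes in the Redis server log: a node re-pointed at a leader nobody provisioned, followed shortly by a module load from an unapproved path. The detector below is an added example, not code from Cado Security or SecurityWeek; the log message wording (assumed from Redis 5+ server logs), the two allowlists, the five-minute window and the sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Redis server log line: "<pid>:<role> <dd Mon yyyy HH:MM:SS.mmm> <level> <message>"
LINE_RE = re.compile(r'^\d+:[XCSM] (\d{2} \w{3} \d{4} [\d:.]+) [.\-*#] (.*)$')
# Message wording is an assumption (Redis 5+); older releases print "SLAVE OF".
REPOINT_RE = re.compile(r'^(?:REPLICAOF|SLAVE OF) (\S+):(\d+) enabled')
MODULE_RE = re.compile(r"^Module '([^']+)' loaded from (\S+)")

KNOWN_LEADERS = {"10.0.0.5"}                                # assumption: site allowlist
ALLOWED_MODULES = {"/usr/lib/redis/modules/redisearch.so"}  # assumption: site allowlist
WINDOW = timedelta(minutes=5)                               # assumption: correlation window


def detect(lines):
    """Return (kind, timestamp, detail) alerts for one server's log."""
    alerts, last_rogue = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # startup banner, truncated line, etc.
        ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S.%f")
        msg = m.group(2)
        if (r := REPOINT_RE.match(msg)):
            if r.group(1) not in KNOWN_LEADERS:
                last_rogue = ts           # remember when replication was hijacked
                alerts.append(("unknown-leader", ts, f"{r.group(1)}:{r.group(2)}"))
        elif (mod := MODULE_RE.match(msg)):
            if mod.group(2) not in ALLOWED_MODULES:
                chained = last_rogue is not None and ts - last_rogue <= WINDOW
                kind = "module-after-repoint" if chained else "unlisted-module"
                alerts.append((kind, ts, mod.group(2)))
    return alerts


# Constructed sample log (documentation IP ranges, made-up paths and client ids).
SAMPLE_LOG = """\
4102:M 23 Jun 2024 10:00:00.100 * Ready to accept connections
4102:S 23 Jun 2024 10:00:01.200 * REPLICAOF 203.0.113.10:6379 enabled (user request from 'id=7 addr=203.0.113.10:41000')
4102:S 23 Jun 2024 10:00:30.300 * Module 'sys' loaded from /var/lib/redis/unknown.so
4102:M 23 Jun 2024 10:01:00.400 * MASTER MODE enabled (user request from 'id=7 addr=203.0.113.10:41000')
4102:M 23 Jun 2024 11:30:00.000 * Module 'search' loaded from /usr/lib/redis/modules/redisearch.so
4102:S 23 Jun 2024 11:31:00.000 * REPLICAOF 10.0.0.5:6379 enabled (user request from 'id=9 addr=10.0.0.7:50002')
""".splitlines()

if __name__ == "__main__":
    for kind, ts, detail in detect(SAMPLE_LOG):
        print(ts.isoformat(), kind, detail)
```

The server log is used rather than `MONITOR` output because `MONITOR` does not record administrative commands.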

The malware was also seen using a basic SSH password sprayer, executing various commands to prevent other threat actors from accessing the compromised instances, changing passwords for other users, and updating the SSH configuration and restarting the SSH service to enable root login with a password.
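The SSH configuration change described above can be checked for by resolving the effective global settings in `sshd_config` rather than searching for a hardened line, because sshd uses the first value it obtains for each keyword and a leftover `PermitRootLogin no` further down proves nothing. This check is an added example, not part of the Cado report; the sample configurations are constructed, the defaults assume OpenSSH 7.0 or later, and `Include` files and `Match` blocks are not followed.

```python
import re

# OpenSSH defaults when a keyword is absent (assumption: OpenSSH 7.0 or later).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def effective_globals(config_text):
    """Resolve global keywords the way sshd does: the first value obtained wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                          # conditional blocks are not global state
        if len(parts) == 2:
            value = parts[1].split("#", 1)[0].strip().strip('"').lower()
            seen.setdefault(key, value)    # later duplicates are ignored by sshd
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}


def root_password_login(config_text):
    """True when root can authenticate with a password under the global settings."""
    eff = effective_globals(config_text)
    return eff["permitrootlogin"] == "yes" and eff["passwordauthentication"] == "yes"


# Constructed samples: a hardened file, and the same file with permissive
# lines placed ahead of the original hardening.
HARDENED = """\
# managed by config management
PermitRootLogin no
PasswordAuthentication no
"""
TAMPERED = "PermitRootLogin yes\nPasswordAuthentication yes\n" + HARDENED

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("tampered", TAMPERED)):
        print(name, effective_globals(text), root_password_login(text))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, including `Include` files, and is the authoritative source for the same two keywords.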

Unlike the original P2Pinfect malware, the updated iteration was rewritten using Tokio, an async framework for Rust, and features drastically modified internals, Cado says.

On the infected server, the updated malware would drop and execute a Monero miner binary. To date, the threat actor has made £9,660 (~ $12,230).

Additionally, P2Pinfect was seen receiving a command to download and execute a ransomware payload. In all observed instances, the download URL and the command JSON are identical, suggesting the command was issued directly by the attacker and that the payload is hosted on a server they control.

When executed, the ransomware first checks whether a ransom note exists and, if it does not, it starts the encryption process. Because Redis does not save data on disk by default, it is unclear what the malware can ransom apart from configuration files.

“After writing out the note, the ransomware iterates through all directories on the file system, and overwrites the contents with an encrypted version. It then appends .encrypted to the end of the file name,” Cado explains.

P2Pinfect also features a usermode rootkit now, which enables the execution of shell commands from other malware binaries without interference. “The rootkit is dynamically generated by the main binary at runtime,” Cado notes.

The cybersecurity firm notes that P2Pinfect may be a botnet-to-hire, due to the use of ransomware, the use of different wallet addresses for the miner and ransomware, and operational interference and differences between the miner and the ransomware.

“The choice of a ransomware payload for malware primarily targeting a server that stores ephemeral in-memory data is an odd one, and P2Pinfect will likely see far more profit from their miner than their ransomware due to the limited amount of low-value files it can access due to its permission level,” Cado concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
