A new variant of an emerging botnet called P2Pinfect was discovered that is designed to infect devices with 32-bit MIPS (Microprocessor without Interlocked Pipelined Stages) processors like routers and Internet of Things (IoT) devices.
First spotted in July 2023, P2Pinfect is Rust-based malware previously observed targeting vulnerable Redis servers by exploiting a Lua sandbox escape vulnerability (CVE-2022-0543) for initial access.
Researchers at Cado Security Labs said they uncovered the new P2Pinfect malware variant while investigating files uploaded via SFTP and SCP to an SSH honeypot. Unlike earlier samples that primarily leveraged SSH servers for propagation, this variant attempts to brute-force SSH access to embedded devices.
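Brute-forcing SSH credentials on embedded devices, as described above, is noisy on the target side: each attempt leaves a `Failed password` line from sshd. The following detector is an added example, not code from the Cado Security Labs report or from P2Pinfect; it counts failed logins per source address in a sliding window and reports sources that cross a threshold, noting whether a successful login followed the burst. The log lines, IP addresses, usernames, and the threshold and window values are constructed assumptions, not values from the report.

```python
"""Flag SSH brute-force sources in sshd auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the traditional syslog format sshd writes.
# The hosts, addresses and users are invented for this example.
SAMPLE_LOG = """\
Dec  4 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51112 ssh2
Dec  4 10:00:03 gw sshd[1203]: Failed password for admin from 203.0.113.7 port 51118 ssh2
Dec  4 10:00:04 gw sshd[1204]: Failed password for invalid user pi from 203.0.113.7 port 51120 ssh2
Dec  4 10:00:06 gw sshd[1206]: Failed password for root from 203.0.113.7 port 51131 ssh2
Dec  4 10:00:07 gw sshd[1207]: Failed password for root from 203.0.113.7 port 51133 ssh2
Dec  4 10:00:09 gw sshd[1209]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Dec  4 10:05:00 gw sshd[1300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Dec  4 10:30:00 gw sshd[1400]: Failed password for alice from 198.51.100.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2023):
    """Parse one sshd password-auth line; return None for anything else.

    Traditional syslog timestamps carry no year, so one is assumed.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: info} for sources with >= threshold failures in one window.

    info records the peak failure count, the distinct usernames tried and
    whether a successful login followed the burst (the case that most
    deserves an incident ticket). Threshold and window are assumed values;
    tune them to the host's normal login rate.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(ev["user"])
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"] = set(users[ip])
        elif ev["result"] == "Accepted" and ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the constructed input only 203.0.113.7 is reported: five failures across three usernames inside ten seconds, followed by an accepted login. The two failures from 198.51.100.20 are 25 minutes apart and never share a window, which is the point of the sliding window rather than a plain per-source count.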
“It’s unclear what use-case running Redis on an embedded MIPS device solves, or whether it’s commonly encountered in the wild. If such a device is compromised by P2Pinfect and has the redis-server package installed, it’s perfectly feasible for that node to then be used to compromise new peers via one of the reported P2Pinfect attack patterns, involving exploitation of Redis or SSH bruteforcing,” the researchers noted.
The new variant ships with updated evasion mechanisms: Virtual Machine (VM) detection for its embedded payloads, debugger detection, and anti-forensics measures on Linux hosts such as disabling core dumps.
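Disabling core dumps, the anti-forensics measure mentioned above, leaves a visible trace in Linux: a process's core-file resource limit (RLIMIT_CORE) is exposed in `/proc/<pid>/limits`, and the system-wide `kernel.core_pattern` sysctl decides where dumps go. The audit below is an added example, not code from the report or from P2Pinfect; it compares each process's core limit with PID 1's baseline and flags processes that lowered their own limit, plus a core_pattern that discards dumps. Because a soft limit of 0 is a common distribution default, the check compares against a baseline rather than treating 0 as suspicious on its own. The `/proc` excerpts, PIDs and process names are constructed; `read_live()` is a hypothetical helper for running the same check on a real host.

```python
"""Audit Linux core-dump settings that anti-forensic malware may disable (added example)."""
import os
import re

CORE_ROW = re.compile(r"^Max core file size\s+(?P<soft>\S+)\s+(?P<hard>\S+)")

# Constructed /proc/<pid>/limits excerpts: only the rows this check needs.
HEADER = "Limit                     Soft Limit           Hard Limit           Units\n"
SAMPLE_LIMITS = {
    1:    HEADER + "Max core file size        unlimited            unlimited            bytes\n",
    4242: HEADER + "Max core file size        0                    0                    bytes\n",
    4300: HEADER + "Max core file size        unlimited            unlimited            bytes\n",
}
# Constructed process names (contents of /proc/<pid>/comm).
SAMPLE_COMM = {1: "init", 4242: "example-daemon", 4300: "sshd"}


def parse_core_limit(text):
    """Return (soft, hard) from /proc/<pid>/limits text; 'unlimited' becomes None."""
    for line in text.splitlines():
        m = CORE_ROW.match(line)
        if m:
            to_int = lambda v: None if v == "unlimited" else int(v)
            return to_int(m["soft"]), to_int(m["hard"])
    raise ValueError("no 'Max core file size' row found")


def lowered(value, baseline):
    """True if value is a stricter core limit than baseline (None = unlimited)."""
    if baseline is None:
        return value is not None
    return value is not None and value < baseline


def audit(limits_by_pid, comm_by_pid, core_pattern):
    """Return [(pid_or_'system', description)] for core-dump settings that look disabled."""
    findings = []
    pattern = core_pattern.strip()
    # A pattern of /dev/null (or empty) means dumps are silently thrown away.
    if pattern == "" or pattern.startswith("/dev/null"):
        findings.append(("system", f"kernel.core_pattern discards dumps: {pattern!r}"))
    base_soft, base_hard = parse_core_limit(limits_by_pid[1])
    for pid, text in limits_by_pid.items():
        if pid == 1:
            continue
        soft, hard = parse_core_limit(text)
        if lowered(soft, base_soft) or lowered(hard, base_hard):
            findings.append((pid, f"{comm_by_pid.get(pid, '?')} lowered RLIMIT_CORE to "
                                  f"soft={soft} hard={hard} (baseline soft={base_soft} "
                                  f"hard={base_hard})"))
    return findings


def read_live():
    """Hypothetical helper: collect the same inputs from a real Linux /proc tree.

    Reading another process's limits needs ptrace-level access, so run as root.
    """
    limits, comm = {}, {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/limits") as f:
                limits[pid] = f.read()
            with open(f"/proc/{pid}/comm") as f:
                comm[pid] = f.read().strip()
        except OSError:
            continue
    with open("/proc/sys/kernel/core_pattern") as f:
        pattern = f.read()
    return limits, comm, pattern


if __name__ == "__main__":
    for who, what in audit(SAMPLE_LIMITS, SAMPLE_COMM, "core"):
        print(who, what)
```

On the constructed data only PID 4242 is reported, because it holds a 0/0 core limit while PID 1 is unlimited; a host where PID 1 itself carries a 0 soft limit produces no per-process finding, which is the intended behaviour since nothing was lowered relative to the baseline. A process that used prctl to mark itself non-dumpable is not caught by this check and would need a separate test.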
“P2Pinfect’s continued evolution and broadened targeting are clearly the work of a determined and sophisticated threat actor. The cross-platform targeting and utilisation of a variety of evasion techniques demonstrate an above-average level of sophistication when it comes to malware development. Clearly, this is a botnet that will continue to grow until it’s properly utilised by its operators,” Cado Security Labs said.