The Rust-based P2PInfect botnet is evolving with miner and ransomware payloads

By Admin, July 7, 2024
A malicious peer-to-peer network known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.

The development marks the transition of the threat from what appeared to be a dormant botnet with unclear motives to a financially motivated operation.

“The latest updates to the cryptominer, ransomware, and rootkit elements demonstrate the malware author’s continued efforts to profit from their illegal access and further spread the network as it continues to spread across the Internet,” Cado Security said in a report released this week.

P2PInfect first appeared almost a year ago and has since received updates adding support for the MIPS and ARM architectures. Earlier this January, Nozomi Networks uncovered the malware being used to deliver miner payloads.

It typically spreads by targeting Redis servers and abusing their replication feature to turn victim systems into replica (slave) nodes of a server controlled by the attacker, which then lets the threat actor issue arbitrary commands to them.

The Rust-based worm can also scan the Internet for more vulnerable servers, and it includes an SSH password-spraying module that tries to log in using common passwords.
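The replication abuse described above only works against a Redis instance that is reachable, unauthenticated and still accepts REPLICAOF/SLAVEOF and CONFIG from any client. The following audit script is an added example (not code from the article or from Cado Security) that checks a redis.conf for exactly those conditions; both sample configs are constructed.

```python
"""Audit a redis.conf for the exposure a P2PInfect-style worm needs.
Added example: not code from the article or from Cado Security.
The two sample configs are constructed for illustration."""

# Constructed: an exposed deployment of the kind the worm scans for.
EXPOSED_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass left commented out
"""

# Constructed: the same instance after hardening.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass use-a-long-random-secret-here
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command CONFIG ""
"""

def parse_conf(text):
    """Map each directive to the argument lists seen for it (comments skipped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, *args = line.split()
            conf.setdefault(key.lower(), []).append(args)
    return conf

def audit_redis_conf(text):
    """Return human-readable findings; an empty list means no check fired."""
    conf = parse_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf and "user" not in conf:
        findings.append("auth: no requirepass or ACL user, commands accepted unauthenticated")
    # REPLICAOF/SLAVEOF (point the instance at an attacker server) and CONFIG SET
    # are the worm's foothold; rename-command to "" removes them from any client.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == '""'}
    for cmd in ("REPLICAOF", "SLAVEOF", "CONFIG"):
        if cmd not in disabled:
            findings.append(f"{cmd}: still callable by any client")
    return findings
```

On Redis 6+ the same outcome can be reached with ACL rules instead of rename-command; the script only checks the rename-command form.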


In addition to taking steps to prevent other attackers from compromising the same server, P2PInfect is known to change other users’ passwords, restart the SSH service with root privileges, and even perform privilege escalation.

“As the name suggests, it’s a peer-to-peer botnet where each infected machine acts as a node in the network and maintains connections to several other nodes,” said security researcher Nate Bill.

“This results in the botnet forming a huge mesh network that the malware creator uses to spread updated binaries across the network using a gossip mechanism. The author just needs to notify one peer, and he will notify all of his peers, and so on, until the new binary is fully distributed across the network.”

New changes in P2PInfect’s behavior include the use of the malware to drop miner and ransomware payloads, the latter of which is designed to encrypt files matching certain extensions and deliver a ransom note asking victims to pay 1 XMR (~165 dollars).

“Since this is an untargeted and opportunistic attack, the casualties are likely to be low-value, so expect a low price,” Bill noted.

Also worth noting is a new user-mode rootkit that uses the LD_PRELOAD environment variable to hide the malware’s processes and files from security tools, a technique also adopted by other hacking groups such as TeamTNT.
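An LD_PRELOAD rootkit leaves a footprint in the very places it relies on: the LD_PRELOAD variable in a process’s environment and the system-wide /etc/ld.so.preload file. The scanner below is an added example (not code from the article or from Cado Security) that looks for preloaded libraries outside the normal system library directories; the environ blocks and preload file contents are constructed to mimic /proc/<pid>/environ and /etc/ld.so.preload, and the trusted-prefix list is an assumption to tune per distribution.

```python
"""Look for LD_PRELOAD-based user-mode hiding of the kind P2PInfect's rootkit uses.
Added example: not code from the article or from Cado Security.
Sample inputs are constructed; live_environs() reads the real /proc when run as root."""
import os

# Constructed: one benign process and one launched with a preloaded library from /tmp.
ENVIRONS = {
    1234: b"PATH=/usr/bin\x00HOME=/var/lib/redis\x00",
    5678: b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/.x/libhide.so\x00HOME=/var/lib/redis\x00",
}
# Constructed /etc/ld.so.preload: one legitimate entry, one from a writable path.
PRELOAD_FILE = "/usr/lib/libfakeroot/libfakeroot.so\n/tmp/.x/libhide.so\n"

# Assumption: libraries legitimately preloaded live under these prefixes.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_environ(blob):
    """Decode the NUL-separated KEY=VALUE block found in /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\x00"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def suspicious_paths(paths):
    """Keep preload entries that sit outside the trusted library directories."""
    return [p for p in paths if p and not p.startswith(TRUSTED_PREFIXES)]

def scan(environs, preload_text):
    """Return (pid, source, path) findings; pid 0 marks the system-wide preload file."""
    findings = []
    for pid, blob in environs.items():
        env = parse_environ(blob)
        if "LD_PRELOAD" in env:
            # glibc accepts colon- or space-separated library lists.
            libs = env["LD_PRELOAD"].replace(":", " ").split()
            findings += [(pid, "LD_PRELOAD", p) for p in suspicious_paths(libs)]
    findings += [(0, "/etc/ld.so.preload", p)
                 for p in suspicious_paths(preload_text.splitlines())]
    return findings

def live_environs():
    """Collect environ blocks for every readable process in /proc (needs root for others' processes)."""
    result = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/environ", "rb") as fh:
                    result[int(name)] = fh.read()
            except OSError:
                pass  # process exited or is not readable from this account
    return result
```

A hidden process is, by design, absent from `ps` output on the infected host, so run this from a statically linked tool or a clean boot medium when the host is already suspect.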

P2PInfect is suspected to be advertised as a botnet-for-hire service that acts as a conduit to deploy other attackers’ payloads in exchange for payment.

This theory is supported by the fact that the wallet addresses for the miner and the ransomware are different, and that the miner process is configured to take up as much processing power as possible, thereby preventing the ransomware from functioning.

“The choice of ransomware for malware that mainly targets a server storing ephemeral data in memory is surprising, and P2Pinfect is likely to make much more profit from the miner than from the ransomware, due to the limited number of low-value files it can access because of the permission level,” Bill said.

“Rootkit implementation in user mode is a ‘good on paper’ addition to malware. If the initial access is Redis, a user-mode rootkit will also be completely ineffective, as it can only add a preload for the Redis service account, which other users likely won’t be logged in as.”


The disclosure comes after the AhnLab Security and Intelligence Center (ASEC) revealed that vulnerable web servers that have unpatched flaws or are poorly secured are being targeted by suspected Chinese-speaking threat actors to deploy cryptominers.

“Remote management is facilitated by installed web shells and NetCat, and with the installation of proxy tools targeting RDP access, data theft by threat actors is a distinct possibility,” ASEC said, highlighting the use of Behinder, China Chopper, Godzilla, BadPotato, cpolar and RingQ.

Fortinet FortiGuard Labs also noted that botnets such as UNSTABLE, Condi and Skibidi abuse legitimate cloud storage and computing service providers to distribute malware payloads and updates to a wide range of devices.

“Using cloud servers for [command-and-control] operations ensures constant communication with compromised devices, making it more difficult for defenders to disrupt an attack,” security researchers Cara Lin and Vincent Lee said.
