The P2PInfect peer-to-peer (P2) worm has been noticed using beforehand undocumented preliminary entry strategies to breach vulnerable Redis servers and twine them right into a botnet.
“The malware compromises uncovered situations of the Redis information retailer by exploiting the replication characteristic,” Cado Safety researchers Nate Invoice and Matt Muir stated in a report shared with The Hacker Information.
“A typical assault sample towards Redis in cloud environments is to use this characteristic utilizing a malicious occasion to allow replication. That is achieved through connecting to an uncovered Redis occasion and issuing the SLAVEOF command.”
The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware’s capacity to use a vital Lua sandbox escape vulnerability (CVE-2022-0543, CVSS rating: 10.0) to acquire a foothold into Redis situations. The marketing campaign is believed to have commenced on or after June 29, 2023.
Nonetheless, the most recent discovery means that the risk actors behind the marketing campaign are leveraging a number of exploits for preliminary entry.
This isn’t the primary time the SLAVEOF command has been abused within the wild. Beforehand, risk actors related to malware households comparable to H2Miner and HeadCrab have abused the assault approach to illicitly mine cryptocurrency on compromised hosts.
In doing so, the aim is to duplicate a malicious occasion and cargo a malicious module to activate the an infection.
One other preliminary entry vector entails the registration of a malicious cron job on the Redis host to obtain the malware from a distant server upon execution, a way beforehand noticed in assaults mounted by the WatchDog cryptojacking group.
A profitable breach is adopted by the distribution of next-stage payloads that permit the malware to change iptables firewall guidelines at will, improve itself, and probably deploy cryptocurrency miners at a later date as soon as the botnet has grown to a selected dimension.
Defend In opposition to Insider Threats: Grasp SaaS Safety Posture Administration
Frightened about insider threats? We have got you lined! Be part of this webinar to discover sensible methods and the secrets and techniques of proactive safety with SaaS Safety Posture Administration.
“The P2Pinfect malware makes use of a peer-to-peer botnet,” the researchers stated. “Every contaminated server is handled as a node, which then connects to different contaminated servers. This enables all the botnet to gossip with one another with out utilizing a centralized C2 server.”
A notable trait of the botnet is its worming conduct, enabling it to develop its attain through the use of a listing of passwords to brute-force SSH servers and making an attempt to use the Lua sandbox escape vulnerability or use the SLAVEOF command within the case of Redis servers.
“P2Pinfect is well-designed and makes use of subtle methods for replication and C2,” the researchers concluded. “The selection of utilizing Rust additionally permits for simpler portability of code throughout platforms (with the Home windows and Linux binaries sharing quite a lot of the identical code), whereas additionally making static evaluation of the code considerably tougher.”
