Pierluigi Paganini
December 04, 2023
Researchers at Cado Security Labs discovered a new variant of the P2Pinfect botnet that targets routers, IoT devices, and other embedded devices. This variant has been compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture.
The new bot supports updated evasion mechanisms, can avoid execution in a Virtual Machine (VM) and a debugger and supports anti-forensics on Linux hosts.
In July 2023, Palo Alto Networks Unit 42 researchers first discovered the P2P worm P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms.
The worm is written in the Rust programming language, it targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).
In September, Cado Security Labs reported to have witnessed a 600x increase in P2Pinfect traffic since August 28th. According to the researchers, traffic experienced a 12.3% surge during the week leading up to the publication of their analysis.
P2Pinfect infections have been reported in China, the United States, Germany, the United Kingdom, Singapore, Hong Kong and Japan.
Experts linked the surge in botnet traffic with the growing number of variants detected in the wild, a circumstance that suggests that the authors are actively improving their bot.
“Cado Security Labs researchers have since encountered a new variant of the malware, specifically targeting embedded devices based on 32-bit MIPS processors, and attempting to bruteforce SSH access to these devices.” reads the report published by Cado Security. “It’s highly likely that by targeting MIPS, the P2Pinfect developers intend to infect routers and IoT devices with the malware. Use of MIPS processors is common for embedded devices and the architecture has been previously targeted by botnet malware, including high-profile families like Mirai, and its variants/derivatives.”
The new bot targets devices embedded with 32-bit MIPS processor. Experts believe that it mainly propagates via SSH bruteforcing or by targeting Redis servers.
The researchers pointed out that routers and other embedded devices use SSH. However, the malware also targets devices running the Redis server on MIPS using an OpenWRT package named redis-server.
“It’s unclear what use-case running Redis on an embedded MIPS device solves, or whether it’s commonly encountered in the wild.” continues the report. “If such a device is compromised by P2Pinfect and has the redis-server package installed, it’s perfectly feasible for that node to then be used to compromise new peers via one of the reported P2Pinfect attack patterns, involving exploitation of Redis or SSH bruteforcing.”
The sample also attempts to disable Linux core dumps to evade detection and prevent forensics investigation.
The MIPS variant incorporates a 64-bit Windows DLL that acts as a loader for Redis, enabling the execution of shell commands on a compromised host through the implementation of system.exec functionality.
“P2Pinfect’s continued evolution and broadened targeting are clearly the work of a determined and sophisticated threat actor. The cross-platform targeting and utilisation of a variety of evasion techniques demonstrate an above-average level of sophistication when it comes to malware development.” concludes the report. “Clearly, this is a botnet that will continue to grow until it’s properly utilised by its operators. “
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, botnet)
