Headline
New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that’s capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach. "It’s highly likely that by targeting MIPS, the P2PInfect developers
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that’s capable of targeting routers and IoT devices.
The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach.
“It’s highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware,” security researcher Matt Muir said in a report shared with The Hacker News.
P2PInfect, a Rust-based malware, was first disclosed back in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) for initial access.
UPCOMING WEBINAR
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.
Join Now
A subsequent analysis from the cloud security firm in September revealed a surge in P2PInfect activity, coinciding with the release of iterative variants of the malware.
The new artifacts, besides attempting to conduct SSH brute-force attacks on devices embedded with 32-bit MIPS processors, packs in updated evasion and anti-analysis techniques to fly under the radar.
The brute-force attempts against SSH servers identified during the scanning phase are carried out using common username and password pairs present within the ELF binary itself.
It’s suspected that both SSH and Redis servers are propagation vectors for the MIPS variant owing to the fact that it’s possible to run a Redis server on MIPS using an OpenWrt package known as redis-server.
One of the notable evasion methods used is a check to determine if it’s being analyzed and, if so, terminate itself, as well as an attempt to disable Linux core dumps, which are files automatically generated by the kernel after a process crashes unexpectedly.
The MIPS variant also includes an embedded 64-bit Windows DLL module for Redis that allows for the execution of shell commands on a compromised system.
“Not only is this an interesting development in that it demonstrates a widening of scope for the developers behind P2PInfect (more supported processor architectures equals more nodes in the botnet itself), but the MIPS32 sample includes some notable defense evasion techniques,” Cado said.
“This, combined with the malware’s utilization of Rust (aiding cross-platform development) and rapid growth of the botnet itself, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. "The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News. "A common attack
By Waqas Known as 'P2PInfect,' the worm exploits a critical vulnerability to infiltrate Redis instances and assimilates them into a larger P2P network, enabling it to spread rapidly. This is a post from HackRead.com Read the original post: P2PInfect: Self-Replicating Worm Hits Redis Instances
Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," Aqua security researcher Asaf Eitani
A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.