A new and sophisticated malware campaign named “P2Pinfect” has been observed targeting publicly-accessible deployments of the Redis data store.
According to a technical write-up published on Monday by Cado Security Labs, the malware is written in Rust, making it challenging to analyze due to the programming language’s complexities.
For context, in the time between Cado Security encountering P2Pinfect and publishing their article, Unit42 researchers also published a separate analysis of the Windows variant of the malware.
In particular, Cado Security researchers observed that the P2Pinfect malware acts as a botnet agent and exhibits cross-platform compatibility between Windows and Linux.
They found an embedded Portable Executable (PE) and an additional ELF executable in the malware sample, confirming its ability to infect both Windows and Linux systems.
The malware gains initial access to compromised systems by exploiting the replication feature of Redis data stores. Once replication is complete, the malware loads a malicious shared object file, granting reverse shell access and the ability to run arbitrary shell commands on the host.
Furthermore, the malware uses evasion techniques to hinder dynamic analysis, making detection and analysis more challenging.
After gaining a foothold, P2Pinfect demonstrates worm-like behavior, actively attempting to spread to other hosts on the network. It scans for exposed Redis and SSH servers and uses a list of passwords to try brute-force attacks.
The malware also establishes a peer-to-peer botnet, where infected servers act as nodes that connect with other compromised servers. This decentralized approach allows the botnet to gossip with each other without relying on a centralized command-and-control (C2) server.
Cado Security Labs found that the malware can drop and execute additional payloads. However, like Unit42, they did not observe cryptocurrency mining behaviors in the analyzed sample.
“It’s possible that this functionality will be enabled at a later date, and the malware is certainly capable of updating itself to include such functionality,” reads the post.
“This allows the operator to rapidly deploy any payload of their choosing. We will continue to monitor this malware and post updates as they occur.”