The peer-to-peer (P2) worm often called P2PInfect has witnessed a surge in exercise since late August 2023, witnessing a 600x leap between September 12 and 19, 2023.
“This improve in P2PInfect site visitors has coincided with a rising variety of variants seen within the wild, suggesting that the malware’s builders are working at a particularly excessive growth cadence,” Cado Safety researcher Matt Muir stated in a report printed Wednesday.
A majority of the compromises have been reported in China, the U.S., Germany, the U.Okay., Singapore, Hong Kong, and Japan.
P2PInfect first got here to mild in July 2023 for its skill to breach poorly secured Redis situations. The menace actors behind the marketing campaign have since resorted to completely different approaches for preliminary entry, together with the abuse of the database’s replication function to ship the malware.
Cado Safety stated it has noticed a rise in preliminary entry occasions attributable to P2PInfect wherein the Redis SLAVEOF command is issued by an actor-controlled node to a goal to allow replication.
That is adopted by delivering a malicious Redis module to the goal, which, in flip, runs a command to retrieve and launch the principle payload, after which one other shell command is run to take away the Redis module from the disk in addition to disable the replication.
One of many new options of the newer variants is the addition of a persistence mechanism that leverages a cron job to launch the malware each half-hour.Moreover, there now exists a secondary methodology that retrieves a replica of the malware binary from a peer and executes ought to it’s deleted or the principle course of is terminated.
P2PInfect additional overwrites current SSH authorized_keys information with an attacker-controlled SSH key, successfully stopping current customers from logging in over SSH.
“The primary payload additionally iterates by means of all customers on the system and makes an attempt to alter their person passwords to a string prefixed by Pa_ and adopted by 7 alphanumeric characters (e.g. Pa_13HKlak),” Muir stated. This step, nonetheless, requires that the malware has root entry.
AI vs. AI: Harnessing AI Defenses Towards AI-Powered Dangers
Able to deal with new AI-driven cybersecurity challenges? Be part of our insightful webinar with Zscaler to handle the rising menace of generative AI in cybersecurity.
Regardless of the rising sophistication of the malware, P2PInfect’s actual targets are unclear. Cado Safety stated it noticed the malware trying to fetch a crypto miner payload, however there isn’t a proof of cryptomining up to now.
“It is clear that P2PInfect’s builders are dedicated to sustaining and iterating on the performance of their malicious payloads, whereas concurrently scaling the botnet throughout continents and cloud suppliers at a speedy fee,” Muir stated.
“It’s anticipated that these behind the botnet are both ready to implement further performance within the miner payload, or are desiring to promote entry to the botnet to different people or teams.”
