The operator behind the growing P2PInfect botnet is turning their focus to Internet of Things devices and routers running the MIPS chip architecture, expanding their list of targets and offering more evidence that the malware is the work of an experienced threat actor.
P2PInfect, a self-replicating worm written in the Rust programming language, was first detected this summer targeting primarily unpatched Redis instances through the critical Lua sandbox escape vulnerability and an unauthorized replication attack that loads a malicious Redis module.
The latest variant targets embedded devices that are based on the 32-bit MIPS processors and tries to brute-force SSH access into the systems, according to Matt Muir, threat intelligence researcher with Cado Security Labs.
MIPS processors are commonly used in embedded devices and have been targeted in the past by botnet malware developers, such as Mirai and its myriad variants, Muir wrote in a blog post.
In their initial report about P2PInfect, researchers with Palo Alto Networks' Unit42 cyber unit noted that the botnet was targeting Redis instances, which can run on both Windows and Linux.
P2PInfect's expansion of targets into IoT and similar devices dovetails with a larger trend.
A report by Check Point threat researchers found that in the first two months of this year, there was a 41% year-over-year increase in the average number of weekly attacks per organization on IoT devices, and that on average, 54% of organizations see an attempted attack on IoT devices.
The botnet is a peer-to-peer self-replicating worm designed to spread widely, a goal reflected in its use of Rust, according to Unit42 researchers.
Muir wrote in an earlier report in September that there was a jump in P2PInfect incidents in August and a 600-fold increase in P2PInfect traffic the following month.
These variants indicated that the designers behind P2PInfect were accelerating their development of the malware.
Most of the compromises then were seen in the United States, Germany, the UK, and countries in Asia, including China, Hong Kong, Japan, and Singapore.
Muir wrote that Cado researchers detected the MIPS variant of P2PInfect after sorting through files uploaded to an SSH honeypot.
SSH is a network protocol that allows users to securely access a computer over an unsecured network.
Although P2PInfect variants had been seen scanning for SSH servers and attempting to spread through SSH, Cado researchers hadn't yet seen a P2PInfect sample successfully use the method.
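The SSH brute-forcing described above leaves a recognizable trail in sshd's authentication log. The following detector is an added example, not code from the article or from Cado Security or Unit42: it parses OpenSSH "Failed password" lines, counts failures per source address inside a sliding time window, and reports sources that reach a threshold. The log lines, host name, addresses and thresholds are all constructed for the example.

```python
"""Flag SSH brute-force activity in sshd auth-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH auth.log line for a failed password attempt, with or
# without the "invalid user" prefix that sshd adds for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one noisy source trying several accounts in a few
# seconds, one legitimate user with a single typo, one isolated failure.
SAMPLE_LOG = """\
Dec 04 10:00:01 mips-gw sshd[812]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 04 10:00:03 mips-gw sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Dec 04 10:00:05 mips-gw sshd[814]: Failed password for invalid user pi from 203.0.113.5 port 51238 ssh2
Dec 04 10:00:06 mips-gw sshd[815]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 04 10:00:08 mips-gw sshd[816]: Failed password for admin from 203.0.113.5 port 51242 ssh2
Dec 04 10:00:09 mips-gw sshd[817]: Accepted publickey for ops from 198.51.100.7 port 40001 ssh2
Dec 04 10:00:30 mips-gw sshd[818]: Failed password for ops from 198.51.100.7 port 40003 ssh2
Dec 04 10:05:00 mips-gw sshd[819]: Failed password for root from 192.0.2.9 port 60000 ssh2
"""


def parse_ts(ts: str, year: int = 2023) -> datetime:
    """Syslog timestamps carry no year; the year is an assumption of the example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {ip: (failures_in_window, distinct_usernames_tried)} for each
    source whose failed logins inside any window_seconds span reach threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> every username that source has tried
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        # Drop failures that fell out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = (len(q), len(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, n_users) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failures, {n_users} distinct usernames")
```

The distinct-username count is the useful second signal: a single user mistyping a password produces repeated failures for one account, whereas a credential-guessing worm cycles through common account names from one source.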
That said, Muir wrote that it's not clear whether running Redis on an embedded MIPS device is commonly seen in the wild or how such a combination is used.
The MIPS variant also includes new evasion techniques, such as detecting whether the malware is being analyzed and, if so, terminating itself.
The botnet may also try to disable Linux core dumps; a core dump is a file created automatically by the Linux kernel after a program crashes.
The file includes the memory, register values, and call stack of the application at the point of the crash.
Preventing the core dump could also ensure that the MIPS device remains available, he wrote.
Such low-powered embedded devices won't have a lot of local storage available, and core dumps could quickly eat up what little storage they have, which could hurt the performance of the device itself.
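Because a process can switch off its own core dumps, an analyst or administrator wanting to know whether dumps would be written on a Linux host has to look at two things: the process core-size limit (RLIMIT_CORE) and the kernel's core_pattern. The audit below is an added example and is not code from the article or from Cado Security; it uses the standard Linux interfaces for those two settings, and the three-way classification it returns is this example's own convention.

```python
"""Audit whether core dumps are effectively disabled on a Linux host (added example)."""
import resource
from pathlib import Path

# Standard kernel interface: where (or to which helper) dumps are written.
CORE_PATTERN = Path("/proc/sys/kernel/core_pattern")


def assess_core_dumps(soft_limit: int, core_pattern: str) -> str:
    """Classify the core dump state from an RLIMIT_CORE soft limit and a core_pattern.

    'disabled_by_rlimit' : limit is 0, so the kernel writes no dump for this process
    'piped'              : core_pattern starts with '|', the dump goes to a helper program
    'enabled'            : file-based pattern with a non-zero limit
    (resource.RLIM_INFINITY, i.e. -1, means the limit is unlimited.)
    """
    if soft_limit == 0:
        return "disabled_by_rlimit"
    if core_pattern.strip().startswith("|"):
        return "piped"
    return "enabled"


def audit_core_dumps() -> dict:
    """Read the live settings of the current process and classify them."""
    soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    pattern = CORE_PATTERN.read_text() if CORE_PATTERN.exists() else ""
    return {
        "soft_limit": soft,
        "hard_limit": hard,
        "core_pattern": pattern.strip(),
        "state": assess_core_dumps(soft, pattern),
    }


if __name__ == "__main__":
    for key, value in audit_core_dumps().items():
        print(f"{key}: {value}")
```

Run inside a shell where `ulimit -c 0` has been set, the audit reports `disabled_by_rlimit`; on a desktop distribution that pipes dumps to systemd-coredump it reports `piped`. On a storage-constrained embedded device, the finding that dumps are disabled is not by itself suspicious, which is exactly why the article notes the technique is hard to read as either evasion or housekeeping.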
This Cyber News was published on securityboulevard.com. Publication date: Mon, 04 Dec 2023 16:43:39 +0000