The latest variants of the P2Pinfect botnet are now focusing on infecting devices with 32-bit MIPS processors, such as routers and IoT devices.
Due to their efficiency and compact design, MIPS chips are prevalent in embedded systems like routers, residential gateways, and video game consoles.
P2Pinfect was discovered in July 2023 by Palo Alto Networks analysts as a new Rust-based worm that targets Redis servers vulnerable to CVE-2022-0543.
Following its initial discovery, Cado Security analysts who examined P2Pinfect reported that it was abusing the Redis replication feature to spread, creating replicas of the infected instance.
Later, in September, Cado warned about spiking P2Pinfect botnet activity targeting systems in the United States, Germany, the UK, Japan, Singapore, Hong Kong, and China.
Today, Cado reports a new development concerning the botnet, which marks a significant evolution in the project's targeting scope and ability to evade detection.
The latest attacks observed on Cado's honeypots scan for SSH servers that use weak credentials and attempt to upload the MIPS binary via SFTP and SCP. Interestingly, propagation for the MIPS variant isn't restricted to SSH, as the researchers spotted attempts to run the Redis server on MIPS devices through an OpenWRT package named 'redis-server.
During static analysis, Cado researchers found that the new P2Pinfect is a 32-bit ELF binary with no debug information and an embedded 64-bit Windows DLL, which acts as a loadable module for Redis to enable shell command execution on the host.
The newest variant of P2Pinfect implements sophisticated and multifaceted evasion mechanisms that make its detection and analysis much more challenging.
The continuous development of P2Pinfect and expansion of the malware's targeting indicates a high level of coding skills and determination from its authors.
It's important to highlight that despite extensive tracking of the botnet through various campaigns over time, Cado Security remains uncertain about the precise objectives of the malware's operators.
These goals could encompass cryptocurrency mining, launching Distributed Denial of Service attacks, facilitating traffic proxying, and executing data theft.
MySQL servers targeted by 'Ddostf' DDoS-as-a-Service botnet.
IPStorm botnet with 23,000 proxies for malicious traffic dismantled.
Socks5Systemz proxy service infects 10,000 systems worldwide.
Mozi malware botnet goes dark after mysterious use of kill-switch.
Mirai DDoS malware variant expands targets with 13 router exploits.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 04 Dec 2023 22:05:16 +0000