Rust-Based P2PInfect Botnet Evolves with Miner and Ransomware Payloads

The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.

The development marks the threat’s transition from what appeared to be a dormant botnet with unclear motives to a financially motivated operation.

“With its latest updates to the crypto miner, ransomware payload, and rootkit elements, it demonstrates the malware author’s continued efforts into profiting off their illicit access and spreading the network further, as it continues to worm across the internet,” Cado Security said in a report published this week.

P2PInfect came to light nearly a year ago, and has since received updates to target MIPS and ARM architectures. Earlier this January, Nozomi Networks uncovered the use of the malware to deliver miner payloads.

It typically spreads by targeting Redis servers and abusing their replication feature to turn each victim system into a follower (replica) node of an attacker-controlled server, which then lets the attacker issue arbitrary commands to it.
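The replication abuse described above leaves traces in the Redis server's own log, which a defender can watch for. The following is an added example, not code from the Cado report or from the malware: it parses Redis notice-level log lines and alerts on any `REPLICAOF` command or master connection that points at a host outside an assumed allowlist. The log message formats follow Redis's replication messages; the addresses, PID, timestamps and allowlist are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Redis notice-level log lines modelled on the server's replication messages;
# hosts, PID and timestamps are constructed for this example.
SAMPLE_LOG = """\
4123:S 18 Jun 2024 09:40:17.311 * REPLICAOF 203.0.113.42:6379 enabled (user request from 'id=7 addr=198.51.100.9:53114 laddr=10.0.0.5:6379 fd=8 name= cmd=replicaof user=default')
4123:S 18 Jun 2024 09:40:17.312 * Connecting to MASTER 203.0.113.42:6379
4123:S 18 Jun 2024 09:40:17.340 * MASTER <-> REPLICA sync started
4123:S 18 Jun 2024 11:02:05.000 * Connecting to MASTER 10.0.0.7:6379
"""

# Only masters inside these networks are legitimate for this node (constructed allowlist).
EXPECTED_MASTER_NETS = [ip_network("10.0.0.0/24")]

LINE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[MSCX]) (?P<ts>\d{2} \w{3} \d{4} [\d:.]+) "
    r"(?P<level>[.\-*#]) (?P<msg>.*)$")
REPLICAOF_RE = re.compile(
    r"REPLICAOF (?P<host>[^:\s]+):(?P<port>\d+) enabled \(user request from '(?P<client>[^']*)'\)")
CONNECT_RE = re.compile(r"Connecting to MASTER (?P<host>[^:\s]+):(?P<port>\d+)")
ADDR_RE = re.compile(r"\baddr=(\S+)")

def master_is_expected(host):
    """True only for an IP master inside an allowlisted network; hostnames are never trusted."""
    try:
        return any(ip_address(host) in net for net in EXPECTED_MASTER_NETS)
    except ValueError:
        return False

def find_rogue_replication(log_text):
    """Return one alert per replication event that points at a non-allowlisted master."""
    alerts = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue
        msg = line["msg"]
        if m := REPLICAOF_RE.search(msg):          # REPLICAOF issued by a client
            event, client = "replicaof_command", m["client"]
        elif m := CONNECT_RE.search(msg):          # replica reaching out to its master
            event, client = "master_connect", ""
        else:
            continue
        if master_is_expected(m["host"]):
            continue
        addr = ADDR_RE.search(client)              # client address that issued the command
        alerts.append({"ts": line["ts"], "event": event, "master": f"{m['host']}:{m['port']}",
                       "issued_by": addr.group(1) if addr else None})
    return alerts
```

The `issued_by` field on the `REPLICAOF` alert gives the client address that turned the server into a replica, which is the first pivot for incident response.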

The Rust-based worm can also scan the internet for more vulnerable servers, and it incorporates an SSH password sprayer module that attempts to log in using common passwords.

Besides taking steps to prevent other attackers from targeting the same server, P2PInfect is known to change the passwords of other users, restart the SSH service with root permissions, and even perform privilege escalation.

“As the name suggests, it is a peer-to-peer botnet, where every infected machine acts as a node in the network, and maintains a connection to several other nodes,” security researcher Nate Bill said.

“This results in the botnet forming a huge mesh network, which the malware author makes use of to push out updated binaries across the network, via a gossip mechanism. The author simply needs to notify one peer, and it will inform all its peers and so on until the new binary is fully propagated across the network.”

The new behavioral changes to P2PInfect include the use of the malware to drop miner and ransomware payloads, the latter of which is designed to encrypt files matching certain file extensions and deliver a ransom note…