The peer-to-peer botnet known as P2PInfect has started targeting misconfigured Redis servers with ransomware and cryptocurrency miners.
This evolution shows the botnet’s shift from a dormant state with unclear motives to a financially driven operation.
“With the latest updates to its crypto miner, ransomware payload, and rootkit elements, the malware author continues to profit from their illicit access and spread the network further, worming across the internet,” a researcher reported this week.
P2PInfect first surfaced about a year ago and has since been updated to target MIPS and ARM architectures. The researcher reported in January that the malware was being used to deliver miner payloads.
The botnet typically spreads by exploiting Redis servers and their replication feature, transforming victim systems into follower nodes of an attacker-controlled server, which then allows the attacker to issue arbitrary commands.
The Rust-based worm can also scan the internet for more vulnerable servers and includes an SSH password sprayer module to attempt logins using common passwords.
P2PInfect takes measures to prevent other attackers from targeting the same server, such as changing user passwords, restarting the SSH service with root permissions, and performing privilege escalation.
The latest behavioral changes to P2PInfect include dropping miner and ransomware payloads. The ransomware encrypts files with specific extensions and delivers a ransom note demanding 1 XMR (~$165).
A new usermode rootkit, using the LD_PRELOAD environment variable, hides malicious processes and files from security tools. This technique is also used by other cryptojacking groups like TeamTNT.
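Because an LD_PRELOAD rootkit lives entirely in userland, the two places it has to leave a trace are /etc/ld.so.preload and the LD_PRELOAD variable in a process's environment. The following audit script is an added example written for this article, not code from the report or from any of the tools it mentions; the trusted library directories, the file paths and the sample inputs are constructed assumptions. It parses both sources and flags any preloaded object that lives outside the normal library directories, which is where such rootkits are usually dropped.

```python
"""Audit helpers for spotting LD_PRELOAD-style userland hooks.

Added example, not code from the P2PInfect report. The trusted directory
list, file paths and the sample inputs below are constructed assumptions.
Caveat: a rootkit that hooks readdir() in libc can also hide entries from
this script, so run it from a rescue boot or a statically linked Python
when in doubt.
"""
import os
import re
from typing import Dict, List

LD_SO_PRELOAD = "/etc/ld.so.preload"
# Directories where a legitimately installed shared object would normally live.
# Anything preloaded from elsewhere (/tmp, /dev/shm, a home directory) is suspicious.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the shared objects listed in an ld.so.preload file.

    The loader reads whitespace-separated entries and ignores '#' comments;
    colons are accepted too because the LD_PRELOAD variable uses them.
    """
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        libs.extend(p for p in re.split(r"[\s:]+", line) if p)
    return libs


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_untrusted_path(lib: str) -> bool:
    """A preloaded object outside the trusted library directories is a red flag."""
    return not any(lib.startswith(d + "/") for d in TRUSTED_LIB_DIRS)


def audit_preload_sources(preload_file_text: str, environs: Dict[int, bytes]) -> List[str]:
    """Return findings for the given ld.so.preload content and a pid -> environ map."""
    findings: List[str] = []
    for lib in parse_ld_so_preload(preload_file_text):
        flag = "UNTRUSTED" if is_untrusted_path(lib) else "review"
        findings.append(f"{LD_SO_PRELOAD}: {lib} [{flag}]")
    for pid, blob in environs.items():
        value = parse_environ(blob).get("LD_PRELOAD")
        if not value:
            continue
        for lib in value.replace(":", " ").split():
            flag = "UNTRUSTED" if is_untrusted_path(lib) else "review"
            findings.append(f"pid {pid} LD_PRELOAD: {lib} [{flag}]")
    return findings


def scan_live_host() -> List[str]:
    """Collect the real inputs from this host and audit them (Linux only)."""
    preload = ""
    if os.path.exists(LD_SO_PRELOAD):
        with open(LD_SO_PRELOAD) as fh:
            preload = fh.read()
    environs: Dict[int, bytes] = {}
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/environ", "rb") as fh:
                    environs[int(pid)] = fh.read()
            except OSError:
                continue  # process exited or not ours to read
    return audit_preload_sources(preload, environs)


# Constructed sample inputs, not artefacts from the report.
SAMPLE_PRELOAD = (
    "# added by sysadmin\n"
    "/usr/lib/libfakeroot/libfakeroot-0.so\n"
    "/tmp/.x/libhide.so\n"
)
SAMPLE_ENVIRONS = {
    4242: b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/libproc.so\0HOME=/root\0",
    4243: b"PATH=/usr/bin\0HOME=/root\0",
}

if __name__ == "__main__":
    for finding in audit_preload_sources(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(finding)
```

Run it as-is to see the constructed findings, or call `scan_live_host()` on a Linux box to audit the real loader file and process environments; an entry under /usr/lib is reported for review rather than flagged, since legitimate tools (fakeroot, some profilers) also use preloading.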
It’s suspected that P2PInfect is advertised as a botnet-for-hire service, deploying other attackers’ payloads for payment. This theory is supported by the different wallet addresses for the miner and ransomware, and the miner process consuming as much processing power as possible, interfering with the ransomware’s operation.
The choice of a ransomware payload for malware targeting a server that stores ephemeral in-memory data is odd. P2PInfect will likely profit more from its miner than its ransomware due to the limited amount of low-value files it can access.
This disclosure follows revelations about vulnerable web servers being targeted by suspected Chinese-speaking threat actors to deploy crypto miners. These actors use web shells and NetCat for remote control and install proxy tools aimed at RDP access, making data exfiltration possible.
Botnets like UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and computing services to distribute malware payloads and updates to a wide range of devices.
To protect against the P2PInfect botnet, ensure Redis servers are properly configured with strong authentication mechanisms and are not exposed to the internet. Regularly update software and firmware to patch known vulnerabilities. Use intrusion detection systems to monitor for unusual network traffic and implement IP whitelisting to restrict access to critical systems.
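The replication abuse described earlier and the hardening advice above come down to a handful of settings a defender can check offline. The script below is an added example written for this article, not code from the report or from the Redis project; the dangerous-command list, the expected-master allowlist and the sample configuration and INFO output are constructed assumptions. It audits a redis.conf for an open bind address, disabled protected mode, missing authentication and unrestricted REPLICAOF/SLAVEOF, CONFIG, MODULE and DEBUG commands, and checks an `INFO replication` dump for an instance that has been turned into a replica of a master the operator does not recognise.

```python
"""Offline audit of a redis.conf and an `INFO replication` dump.

Added example, not code from the report or from Redis. The command list,
expected master addresses and sample inputs are constructed assumptions.
"""
import shlex
from typing import Dict, List, Set

# Commands an attacker who can reach Redis leans on: REPLICAOF/SLAVEOF points the
# instance at a hostile master, CONFIG SET rewrites dir/dbfilename, MODULE LOAD
# loads native code, DEBUG exposes internals. Renaming or disabling them (or an
# ACL rule such as -@dangerous) removes that leverage.
DANGEROUS_COMMANDS = {"config", "slaveof", "replicaof", "module", "debug"}
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to every argument list it appears with."""
    conf: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # handles "" and quoted values
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def _has_authentication(conf: Dict[str, List[List[str]]]) -> bool:
    """True if requirepass is set or an ACL user carries a password."""
    rp = conf.get("requirepass")
    if rp and rp[-1] and rp[-1][0]:
        return True
    for args in conf.get("user", []):
        # '>plain' or '#sha256' tokens set a password; 'nopass' removes the need
        if any(tok.startswith((">", "#")) for tok in args) and "nopass" not in args:
            return True
    return False


def audit_conf(conf: Dict[str, List[List[str]]]) -> List[str]:
    """Return findings for the weak settings P2PInfect-style worms rely on."""
    findings: List[str] = []
    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode is off")
    binds = conf.get("bind")
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    else:
        addrs = {a.lstrip("-") for a in binds[-1]}  # '-' prefix marks optional addresses
        if addrs & WILDCARD_BINDS:
            findings.append(f"bind includes a wildcard address: {sorted(addrs & WILDCARD_BINDS)}")
    if not _has_authentication(conf):
        findings.append("no requirepass and no password-bearing ACL user")
    restricted = {args[0].lower() for args in conf.get("rename-command", []) if args}
    open_cmds = sorted(DANGEROUS_COMMANDS - restricted)
    if open_cmds:
        findings.append(f"dangerous commands not renamed or disabled: {open_cmds}")
    return findings


def parse_info(text: str) -> Dict[str, str]:
    """Parse `INFO replication` output (key:value lines, '#' section headers)."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            info[key] = value
    return info


def audit_replication(info: Dict[str, str], expected_masters: Set[str]) -> List[str]:
    """Flag an instance that replicates from a master the operator did not configure."""
    if info.get("role") != "slave":
        return []
    master = f"{info.get('master_host')}:{info.get('master_port')}"
    if master in expected_masters:
        return []
    return [f"instance is a replica of unexpected master {master}"]


# Constructed samples: a weak config, a hardened one, and a replication dump
# showing the instance following a master it was never meant to follow.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1 -::1\nprotected-mode yes\n"
    'requirepass "Constructed-Example-Secret"\n'
    'rename-command CONFIG ""\nrename-command SLAVEOF ""\nrename-command REPLICAOF ""\n'
    'rename-command MODULE ""\nrename-command DEBUG ""\n'
)
SAMPLE_INFO = "# Replication\nrole:slave\nmaster_host:203.0.113.10\nmaster_port:6379\nmaster_link_status:up\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(parse_redis_conf(text)))
    print(audit_replication(parse_info(SAMPLE_INFO), expected_masters=set()))
```

Feed `audit_conf` the real configuration file and `audit_replication` the output of `redis-cli INFO replication`, with `expected_masters` set to the host:port pairs the operator actually configured; a replica pointing anywhere else is exactly the state the worm leaves behind and is worth alerting on in its own right.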