Recent developments have revealed that the Linux botnet P2PInfect has evolved significantly, increasing its threat level by incorporating a rootkit, cryptominer [1] [2] [3] [4] [5] [6], and ransomware payloads [3] [5] [6].
Description
This Rust-based malware spreads through exposed Redis servers and SSH, targeting vulnerable Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 [2]. P2PInfect has been observed mining Monero and encrypting various file types for ransom [5], with infections concentrated in East Asia. It has been documented as a “rental botnet” targeting Redis servers since July 2023, and a new variant discovered in December 2023 focused on MIPS processors in routers and IoT devices. On May 16, 2024 [6], infected devices received a command to download and execute a ransomware payload named rsagen [6], which encrypts specific file extensions related to databases [6], documents [3] [6], and media files [6]. Additionally, the latest iterations activate a Monero cryptominer that consumes all available processing power. The ransomware module encrypts whatever files are accessible with the privileges of the compromised Redis user, while the Monero miner has generated approximately 71 XMR (around $10,000) to date.
Conclusion
Organizations worldwide utilizing Redis should ensure robust server protection to thwart infection, as P2PInfect may receive updates with more destructive features over time, heightening the challenge of mitigation. Cyber threat intelligence teams should monitor the evolving tactics of threat actors for attribution and risk mitigation [2].
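The "robust server protection" called for above comes down to a handful of redis.conf settings: network binding, protected mode, authentication, and whether Lua scripting (the surface CVE-2022-0543 is reached through) is still available under its default command names. The following auditor is an added example, not code from the referenced reports or from the Redis project; the directive names are real redis.conf directives, the two sample configurations are constructed here, and the password value is a placeholder. ACL `user` directives are not evaluated (an assumption that keeps the parser short), and renaming EVAL/EVALSHA is defense in depth only: the actual fix for CVE-2022-0543 is an updated redis package.

```python
"""Audit a redis.conf for the settings that leave an instance reachable,
unauthenticated and scriptable by an attacker on the network.

Added example for this brief; not code from the cited reports. Sample
configurations below are constructed, not captured from a real host.
"""
from typing import Dict, List

# Addresses that make Redis listen on every interface (redis.conf "bind").
EXPOSED_BIND = {"0.0.0.0", "*", "::", "::*", "-::*", "-0.0.0.0", "-*"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Return {directive: [value, ...]} in file order.

    redis.conf is line-oriented: 'directive value...' with '#' comment lines.
    Repeated directives (e.g. several rename-command lines) are all kept.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(" ".join(parts[1:]))
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means all four checks passed."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. Network exposure: with no bind directive Redis listens on all interfaces.
    binds = conf.get("bind")
    if not binds:
        findings.append("bind: absent, Redis listens on all interfaces")
    else:
        addrs = set(binds[-1].split())  # the last bind line is the effective one
        exposed = sorted(addrs & EXPOSED_BIND)
        if exposed:
            findings.append(f"bind: wildcard address {exposed} exposes the instance")

    # 2. protected-mode defaults to yes since Redis 3.2; flag an explicit "no".
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")

    # 3. Authentication: requirepass missing or empty means anyone who can
    #    connect can run commands (the situation the botnet relies on).
    password = conf.get("requirepass", [""])[-1].strip().strip('"').strip("'")
    if not password:
        findings.append("requirepass: not set, unauthenticated access")

    # 4. Lua scripting: EVAL/EVALSHA renamed (or disabled with "") is defense in
    #    depth against CVE-2022-0543-style abuse; patching remains the real fix.
    renamed = set()
    for value in conf.get("rename-command", []):
        tokens = value.split()
        if len(tokens) == 2:
            renamed.add(tokens[0].upper())
    for cmd in ("EVAL", "EVALSHA"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} reachable under its default name")

    return findings


# Constructed sample: an instance with the exposure pattern described in the brief.
WEAK_CONF = """
# constructed example, not a captured configuration
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: same instance after hardening.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-placeholder
rename-command EVAL ""
rename-command EVALSHA ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

Run it against a copy of the production redis.conf; any non-empty result is a setting worth correcting before the instance is reachable from the network, and an empty result still leaves the package version to verify separately.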
References
[1] https://www.matricedigitale.it/sicurezza-informatica/p2pinfect-da-dormiente-a-pericoloso-nuovi-payload-di-ransomware-e-cryptominer/
[2] https://www.scmagazine.com/news/p2pinfect-evolves-to-introduce-ransomware-and-cryptominer-payloads
[3] https://www.hfrance.fr/le-botnet-p2pinfect-cible-les-serveurs-de-redis-avec-un-nouveau-module-de-ransomware.html
[4] https://911cyber.app/june-25-2024-cyber-briefing/
[5] https://www.darkreading.com/threat-intelligence/p2pinfect-worm-miner-ransomware-rootkit
[6] https://sempreupdate.com.br/botnet-p2pinfect-mira-em-servidores-redis-com-novo-modulo-de-ransomware/