P2Pinfect [1] [2] [3] [4] [5] [6], a botnet malware written in Rust [5], has recently evolved to target a wider range of devices, including routers and IoT devices [2] [5] [6]. The new variant is built for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, which is widely used in routers and embedded devices, so the change in tactics reflects a deliberate effort to compromise that class of hardware [1] [5].

Description

The latest variant of P2Pinfect specifically targets embedded devices with 32-bit MIPS processors and gains access by brute-forcing SSH logins [3]. Researchers at Cado Security Labs discovered this variant while analyzing files uploaded to an SSH honeypot [1]. The brute-force attempts cycle through common username and password pairs [3]. The variant also adds defense evasion techniques [3]: it reads the TracerPid field of /proc/self/status, which the kernel sets to the PID of any process attached via ptrace, to detect debuggers and other dynamic analysis tools, and it disables Linux core dumps, which would otherwise leave a memory image on disk if the process crashed [1].
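As an added illustration, not code from the page or from the P2Pinfect sample itself, the following Python re-implements the two host-level checks this paragraph names the way an analyst would in order to understand or defeat them: parsing the TracerPid field out of /proc/self/status, and lowering RLIMIT_CORE to zero, which is one common way of disabling core dumps (the page does not say which call the malware uses, so that choice is an assumption; prctl(PR_SET_DUMPABLE, 0) is another). The two status-file excerpts are constructed.

```python
import resource

# Constructed excerpts of /proc/<pid>/status in the format the kernel prints.
# TracerPid is 0 when nothing is ptrace-attached; otherwise it is the tracer's PID.
STATUS_UNTRACED = """Name:\tsshd
State:\tS (sleeping)
Tgid:\t4100
Pid:\t4100
PPid:\t1
TracerPid:\t0
Uid:\t0\t0\t0\t0
"""

STATUS_TRACED = """Name:\tsample
State:\tt (tracing stop)
Tgid:\t4100
Pid:\t4100
PPid:\t4099
TracerPid:\t4242
Uid:\t1000\t1000\t1000\t1000
"""


def tracer_pid(status_text):
    """Return the value of the TracerPid field in a /proc/<pid>/status dump.
    0 means no ptrace tracer is attached; anything else is the tracer's PID.
    Raises ValueError when the field is absent (text that is not a Linux status file)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("TracerPid field not found")


def is_being_traced():
    """Live form of the check: True when gdb, strace, ltrace or a ptrace-based
    sandbox hook is attached to this process (Linux only)."""
    with open("/proc/self/status") as f:
        return tracer_pid(f.read()) != 0


def disable_core_dumps():
    """Set the core-file size limit to zero so the kernel writes no core dump for
    this process if it crashes (assumed mechanism, see lead-in).
    Returns the resulting (soft, hard) RLIMIT_CORE pair, which is (0, 0)."""
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return resource.getrlimit(resource.RLIMIT_CORE)


if __name__ == "__main__":
    print("constructed untraced sample ->", tracer_pid(STATUS_UNTRACED))
    print("constructed traced sample   ->", tracer_pid(STATUS_TRACED))
    print("this process traced?        ->", is_being_traced())
    print("RLIMIT_CORE after disable   ->", disable_core_dumps())
```

Two caveats for anyone running the sample: TracerPid is filled in by the kernel, not by the tracer, so any tool that attaches with ptrace will be seen, whereas instrumentation through eBPF, a kernel module or an emulator leaves the field at 0; and the check is easy to bypass under a debugger by patching the comparison or by intercepting the process's read of /proc/self/status.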

The P2Pinfect botnet [2] [3] [5] [6], developed in Rust [6], was first reported in July 2023, when it gained initial access to Redis servers by exploiting a Lua sandbox escape vulnerability [6]. The malware also includes a 64-bit Windows DLL module for Redis that allows the execution of shell commands on compromised systems [6]. The move to embedded IoT devices based on 32-bit MIPS processors suggests a strategic evolution by the malware developers, who are exploiting the widespread use of MIPS processors in these devices [5]. The evasion techniques and the choice of Rust for cross-platform development indicate that the actors behind P2Pinfect are skilled and intent on building a robust, hard-to-detect botnet [5].

The shift in focus from Redis servers to IoT devices is a deliberate effort by the malware developers to compromise a broader range of devices. The updated evasion mechanisms in the new P2Pinfect variant suggest a more calculated approach aimed at establishing sustained control over infected devices and building a resilient botnet [5]. If P2Pinfect lands on common IoT devices, it can form its own peer-to-peer mesh among them, which makes it difficult to remove and gives the operators multiple options for persistence and command and control [5]. These capabilities may also make the malware attractive to threat actors targeting other industry segments [5].
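As an added example, not code from the page or from any of the cited reports, the following Python runs the kind of detection a defender would want for the SSH brute-force entry described in the Description over a few constructed sshd auth-log lines (RFC 5737 documentation addresses): it flags any source that fails a threshold of logins inside a sliding window, and marks an Accepted login from a flagged source as a probable compromise, since a successful login right after a burst of default-credential guesses is what P2Pinfect's entry looks like from the victim's side. The threshold and window values are illustrative choices, and the logic applies to any SSH credential-guessing source, not only this malware.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines. 203.0.113.5 cycles through default-style credentials
# and eventually gets in; 198.51.100.7 is an admin who mistyped twice; 192.0.2.9 is
# a slow scanner whose failures are too spread out to exceed the threshold in one window.
SAMPLE_LOG = """\
Dec  4 10:00:00 gw sshd[1101]: Failed password for root from 192.0.2.9 port 40001 ssh2
Dec  4 10:05:00 gw sshd[1102]: Failed password for root from 192.0.2.9 port 40002 ssh2
Dec  4 10:10:00 gw sshd[1103]: Failed password for root from 192.0.2.9 port 40003 ssh2
Dec  4 10:14:50 gw sshd[1200]: Failed password for alice from 198.51.100.7 port 50100 ssh2
Dec  4 10:14:55 gw sshd[1200]: Failed password for alice from 198.51.100.7 port 50100 ssh2
Dec  4 10:14:59 gw sshd[1200]: Accepted password for alice from 198.51.100.7 port 50100 ssh2
Dec  4 10:15:00 gw sshd[1104]: Failed password for root from 192.0.2.9 port 40004 ssh2
Dec  4 10:15:01 gw sshd[1301]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec  4 10:15:02 gw sshd[1302]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Dec  4 10:15:03 gw sshd[1303]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Dec  4 10:15:04 gw sshd[1304]: Failed password for root from 203.0.113.5 port 51237 ssh2
Dec  4 10:15:05 gw sshd[1305]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Dec  4 10:15:06 gw sshd[1306]: Failed password for invalid user user from 203.0.113.5 port 51239 ssh2
Dec  4 10:15:20 gw sshd[1307]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Dec  4 10:20:00 gw sshd[1105]: Failed password for root from 192.0.2.9 port 40005 ssh2
"""

# Standard OpenSSH wording for failed and accepted password/public-key logins.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2023):
    """Return {'ts', 'outcome', 'user', 'ip'} for a login line, or None for anything else.
    Classic syslog timestamps carry no year, so one is supplied (assumed 2023 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside any window_s-second span.
    A later Accepted login from a flagged source is marked as a probable compromise.
    Returns {ip: {'failures': total, 'users': [...], 'compromised': bool}}."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)     # ip -> all failures seen
    tried = defaultdict(set)     # ip -> usernames attempted
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            total[ip] += 1
            tried[ip].add(ev["user"])
            recent[ip] = [t for t in recent[ip] if (ev["ts"] - t).total_seconds() <= window_s]
            recent[ip].append(ev["ts"])
            if len(recent[ip]) >= threshold:
                flagged.setdefault(ip, {"compromised": False})
        elif ip in flagged:      # Accepted login after a burst of failures
            flagged[ip]["compromised"] = True
            tried[ip].add(ev["user"])
    return {ip: {"failures": total[ip], "users": sorted(tried[ip]), **info}
            for ip, info in flagged.items()}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On embedded targets the more useful control is preventive: replacing default credentials and disabling password authentication for SSH removes the guessable pairs the malware cycles through. The detection above is for whatever device, jump host or syslog collector still accepts passwords.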

Conclusion

The evolution of P2Pinfect to target a wider range of devices, particularly those built on the MIPS architecture, poses a significant threat. The combination of SSH credential guessing against common username and password pairs with anti-analysis checks shows that the developers are investing in both reach and stealth. The shift in focus from Redis servers to IoT devices indicates a strategic effort to establish a resilient botnet. Mitigating this threat means removing the weak logins the malware relies on: replacing default credentials, disabling password authentication for SSH where keys can be used, and keeping device management interfaces off the internet. The botnet's peer-to-peer capabilities and its likely attractiveness to other threat actors call for ongoing vigilance and proactive defense.

References

[1] https://www.infosecurity-magazine.com/news/rust-botnet-p2pinfect-targets-mips/
[2] https://cyber.vumetric.com/security-news/2023/12/04/new-p2pinfect-botnet-mips-variant-targeting-routers-and-iot-devices/
[3] https://securityboulevard.com/2023/12/p2pinfect-botnet-is-now-targeting-mips-based-iot-devices/
[4] https://www.baselinemag.com/news/p2pinfect-malware-targets-iot-devices/
[5] https://www.scmagazine.com/news/new-p2pinfect-strain-aims-to-broaden-its-reach-from-redis-servers-to-iot-devices
[6] https://vulnera.com/newswire/emerging-p2pinfect-botnet-mips-variant-targets-routers-and-iot-devices/