Botnet Malware with Worm-Like Traits Takes Aim at Popular Redis Storage Tool

An unidentified hacker group has launched an attack using a unique and noteworthy strain of malware targeting publicly accessible Redis deployments. Redis is the popular choice of major companies like Amazon, Hulu and Tinder for data storage. The malware's most striking feature is its worm-like behavior, allowing it to self-propagate or replicate across systems without human intervention after gaining access to a network, as highlighted by researchers.

Security researchers have recently encountered a concerning strain of malware dubbed "P2Pinfect." Its remarkable capability to autonomously spread and infect other vulnerable Redis deployments caught their attention. This self-propagation behavior raises significant concerns as it can enable the malware to expand its reach and impact rapidly. Despite their extensive investigation, the researchers have yet to identify the specific targets of this botnet-like malware, leaving the purpose behind its deployment shrouded in mystery. The potential ramifications of such an advanced and autonomous threat have raised red flags in the cybersecurity community, warranting further analysis and vigilance to protect against possible attacks.

Palo Alto's Unit 42 analyzed the hacking campaign, and their report, released on July 19, revealed that the malware uses CVE-2022-0543 to commandeer Redis applications and assimilate them into a botnet, a collection of infected computers under the hacker's control. While the same vulnerability was previously exploited to recruit devices into the Muhstik botnet in 2022, the latest malware, P2PInfect, appears to be associated with a distinct malicious network and is not linked to Muhstik, according to Unit 42's findings.

A second report aligns with much of Unit 42's findings, confirming that the malware is written in the Rust programming language and attempts to infect other hosts once connected to the botnet.

However, that report noted two notable distinctions. Firstly, the malware sample analyzed by its researchers did not exploit CVE-2022-0543 as the initial access point. Secondly, P2PInfect targeted both Windows and Linux Redis instances. They noted that using the Rust programming language allowed the malware to run on both Windows and Linux while making the code harder for analysts to reverse engineer. The purpose and the identity of those behind the malware remain unclear. Although compromised systems pull a "miner" file, it does not appear to perform any crypto-mining. This "miner" could serve as a placeholder for a future crypto-mining payload distributed by the threat actor. Similarly, Unit 42 observed instances of the word "miner" in P2PInfect's toolkit but found no conclusive evidence of crypto-mining operations.

The malware serves two purposes. First, it lets the attackers shield the Redis server from other threat actors attempting to compromise it, while keeping the server operating normally so that its owners do not notice the infection. Second, upon infection the compromised server becomes a node in a peer-to-peer botnet. This design lets all botnet nodes communicate directly without needing a centralized command-and-control (C2) server; researchers suggest that commands are distributed as signed messages transmitted across the network. To propagate, the malware gathers a list of users, IP addresses, and access keys for the SSH network communication protocol and uses them to reach additional hosts. Once access to a new host is obtained, the malware replicates itself the same way it infected the original server: it fetches a copy of itself from the built-in HTTP server and executes it with a node list as an argument, thereby expanding its reach to other vulnerable systems.
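The campaign described above targets Redis deployments that are reachable from the internet, so the first defensive check is whether an instance is exposed at all. The following script is an added example, not code from the article or from any of the vendor reports it cites: it parses a redis.conf, flags the settings that leave an instance publicly reachable without authentication, and shows a weak configuration beside a hardened one. Both configuration snippets are constructed for illustration; the passphrase value is a placeholder.

```python
"""Audit a redis.conf for settings that leave an instance publicly reachable.

Added example for illustration; the two configuration texts are constructed,
not taken from any real deployment or from the reports discussed above.
"""
from typing import Dict, List

# Constructed sample: a weak configuration of the kind found exposed online.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so no authentication is required
"""

# Constructed sample: the same instance after hardening. The passphrase is a
# placeholder to be replaced; the rename-command lines disable two commands
# commonly abused once an attacker can talk to an unauthenticated instance.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass example-strong-passphrase-REPLACE-ME
rename-command CONFIG ""
rename-command DEBUG ""
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse redis.conf directives into a dict; repeated directives collect values."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(" ".join(parts[1:]))
    return conf


def audit(text: str) -> List[str]:
    """Return a list of exposure findings; an empty list means none were found."""
    conf = parse_conf(text)
    findings: List[str] = []

    # With no bind directive Redis listens on every interface, so absence is
    # treated the same as an explicit wildcard bind.
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "::", "*", "-::*") for b in binds):
        findings.append("bind: listens on all interfaces (default when unset)")

    # protected-mode only refuses remote clients when no bind/password is set,
    # but turning it off is still a strong signal the instance is exposed.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")

    # No requirepass (or an empty one) means any client that can reach the
    # port can issue arbitrary commands.
    password = conf.get("requirepass", [""])[-1].strip().strip('"')
    if not password:
        findings.append("requirepass: no password set")

    return findings


if __name__ == "__main__":
    for label, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf_text)
        print(f"{label}: {result if result else 'no exposure findings'}")
```

Run against a real file with `audit(open("/etc/redis/redis.conf").read())`. The check is deliberately conservative: a non-wildcard `bind` plus `requirepass` keeps opportunistic scanners out, but it does not replace patching the Redis package for CVE-2022-0543 or placing the instance behind a firewall.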
