Threat actors are carrying out attacks on vulnerable instances of SSH and Redis, an open-source data store. The attackers are using a peer-to-peer self-replicating worm known as P2PInfect, which has versions for both Windows and Linux.
Written in Rust, the P2PInfect malware uses at least two methods to gain initial access to target systems. The first exploits a critical vulnerability that was disclosed and patched in 2022. The second abuses a Redis feature that replicates the main database to other instances for high availability and failover.
P2Pinfect Malware Uses Different Infection Vectors
Initially, P2PInfect capitalized on a critical vulnerability identified as CVE-2022-0543, which carries the maximum severity score of 10 out of 10. The flaw specifically affected Debian systems and was a Lua sandbox escape resulting from a packaging issue. Exploiting it granted remote code execution, posing a significant threat to affected systems.
Once a vulnerable Redis instance is compromised using an initial payload, P2PInfect proceeds to download new scripts and malicious binaries tailored for the specific operating system. Furthermore, the infected server is enlisted in the malware's list of compromised systems. Subsequently, the malware integrates the infected server into its peer-to-peer network, facilitating the dissemination of malicious payloads to future compromised Redis servers.
Researchers investigating P2PInfect also uncovered a sample that demonstrated cross-platform compatibility, indicating that the malware was designed to target both Windows and Linux environments. This particular sample contained Portable Executable (PE) and ELF binaries, allowing it to operate on both operating systems seamlessly. Interestingly, this variant employed a different method of initial access, leveraging the Redis replication feature, which enables the generation of exact replicas of the main/leader Redis instance.
P2Pinfect Malware Spreads and Adds the Compromised Systems to a Botnet
The primary payload of the malware is an ELF binary written in a combination of C and Rust. Upon execution, control is handed to the Rust component of the payload.
Once activated, the binary makes critical alterations to the SSH configuration on the targeted host. It modifies the OpenSSH server configuration to a near-default state, granting the attacker access to the server over the secure shell (SSH) protocol and enabling password authentication. Next, the threat actor restarts the SSH service and adds an SSH key to the list of authorized keys for the current user, ensuring unhindered access to the compromised system.
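A defender-side audit for the two SSH changes described above, added here as an example and not code from the article or from the malware. It applies sshd's own rule that the first occurrence of a keyword wins, so a "PasswordAuthentication yes" merely appended to the file is not flagged while a rewritten or absent setting is, and it reports authorized_keys entries whose key material is not on a known-good list; the config text, key lines and allowlist are constructed sample input.

```python
import re
# Constructed sample inputs (not from the article): a hardened sshd_config with
# a Match block, and the same host after the edits the article describes.
HARDENED_CONFIG = "PasswordAuthentication no\nMatch User backup\n  PasswordAuthentication yes\n"
TAMPERED_CONFIG = "PasswordAuthentication yes\nPermitRootLogin yes\n"
AUTHORIZED_KEYS = ('ssh-ed25519 AAAAC3constructedKEY admin@workstation\n'
                   'command="/bin/true" ssh-rsa AAAAB3constructedOTHER\n')
KNOWN_GOOD = {"ssh-ed25519 AAAAC3constructedKEY"}

def effective_sshd_settings(config_text):
    """Global sshd settings, using sshd's own rule that the FIRST occurrence of a
    keyword wins: a line appended at the end changes nothing if the keyword was
    already set. Lines after the first 'Match' are conditional and skipped;
    'Include' files are not resolved (assumption: single-file config)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings

def sshd_findings(config_text):
    """Flag the attacker-friendly state described above; sshd defaults
    PasswordAuthentication to yes, so an absent keyword is flagged too."""
    s = effective_sshd_settings(config_text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication effectively enabled")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes")
    return findings

def unexpected_keys(authorized_keys_text, known_good):
    """authorized_keys lines whose 'type base64' pair is not in known_good; a
    leading options field (command=...) and the trailing comment are ignored."""
    unexpected = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.search(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+)\s+(\S+)", line)
        if not m or f"{m.group(1)} {m.group(2)}" not in known_good:
            unexpected.append(line)
    return unexpected
```

On a real host, feed it the contents of /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys, and compare against `sshd -T` output where Include files are in use.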
In the subsequent phase, the attacker deploys a bash script that renames the wget and curl binaries. The script also verifies the presence of specific utilities and installs them if they are not already available. The use of a firewall utility appears to be a measure employed by the malware to shield the vulnerable Redis server from other potential attackers. The malware then establishes persistence on the compromised host, ensuring its continuous operation.
Subsequently, the infected server is equipped with at least one binary capable of scanning the /proc directory and reading the stat entry of each process therein. Additionally, the binary can actively monitor the /proc directory for changes.
Furthermore, the binary possesses the capability to upgrade the primary malware binary and execute it if the current signature does not match the one retrieved from the botnet.
By treating each compromised Redis server as a node, P2PInfect turns the set of infected hosts into a peer-to-peer botnet. This botnet operates without a centralized Command-and-Control (C2) server; instructions are relayed between the nodes themselves.