Rust-Powered P2PInfect Botnet Advances with Cryptocurrency miners and Ransomware


VTA-004486 – Rust-Powered P2PInfect Botnet Advances with Cryptocurrency miners and Ransomware

The P2PInfect malware botnet has been discovered targeting improperly configured Redis servers with ransomware and cryptocurrency miners. This shift indicates that the botnet has evolved from a seemingly inactive network with ambiguous intentions into a financially driven operation. The latest updates to the crypto miner, ransomware payload and rootkit components illustrate the malware author's ongoing attempts to profit from their illegal access and expand the botnet. The malware continues to spread across the internet like a worm.

P2PInfect spreads by exploiting Redis servers: it abuses their replication feature to turn victim systems into nodes controlled by the attacker, enabling arbitrary command execution. The Rust-based worm can also scan the internet for other vulnerable servers and includes an SSH password sprayer module that attempts logins with common passwords. In addition to preventing other attackers from exploiting the same server, P2PInfect changes user passwords, restarts the SSH service with root permissions, and can escalate privileges.

As a peer-to-peer botnet, each infected machine functions as a network node and maintains connections with several other nodes. The botnet therefore grows into a large mesh network, which the malware creator uses to distribute new binaries through a gossip mechanism: the author only has to alert one peer, that peer alerts all of its peers, and so on until the new binary has propagated across the whole network.

Among the new behavioural changes is the use of the malware to drop ransomware and miner payloads. The ransomware encrypts files that match specific file extensions and leaves a ransom note urging victims to pay 1 XMR (~$165). Because this is an opportunistic, untargeted attack, the low price is plausible: the victims are unlikely to be of high value.

Also notable is a novel usermode rootkit that uses the LD_PRELOAD environment setting to hide the malware's processes and data from security tools. P2PInfect is thought to be marketed as a botnet-for-hire service, deploying payloads for other attackers in return for payment. The separate wallet addresses for the miner and the ransomware, together with the miner's heavy processor consumption hindering the ransomware, strengthen the idea that the two operate independently.

Targeting servers that hold in-memory data with ransomware seems odd: the server's limited access permissions restrict the number of valuable files it can encrypt, so P2PInfect would likely earn more from its built-in cryptocurrency miner. Similarly, while adding a usermode rootkit sounds useful in theory, it adds little here. Because the malware initially compromises the Redis service, the rootkit can only change the settings of that specific service account, and other users are unlikely to log in with that account anyway.
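The replication abuse and exposure misconfigurations described above are what a defender should audit for. The following is an added example (not code from the Cado report or this advisory) that parses the text of a Redis `INFO replication` reply and a `CONFIG GET` mapping, both assumed to have been collected separately (for instance with redis-cli), and flags an instance that is replicating from an unexpected master or is reachable without authentication; the host addresses and allow-list are constructed sample values.

```python
"""Audit a Redis instance for the weaknesses P2PInfect abuses: unauthenticated
exposure and replication from an attacker-controlled master.  Works offline on
captured INFO / CONFIG GET output, so nothing here touches a live server."""
from typing import Dict, List


def parse_info(info_text: str) -> Dict[str, str]:
    """Parse Redis INFO output: 'key:value' lines, '#' lines are section headers."""
    fields: Dict[str, str] = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def assess_redis(info_text: str, config: Dict[str, str],
                 known_masters: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    info = parse_info(info_text)
    # Replication hijack: the instance follows a master that is not in our allow-list.
    if info.get("role") in ("slave", "replica"):
        master = f"{info.get('master_host', '?')}:{info.get('master_port', '?')}"
        if master not in known_masters:
            findings.append(f"replicating from unexpected master {master}")
    # Exposure checks: protected-mode off, no password, bound to every interface.
    if config.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")
    if not config.get("requirepass"):
        findings.append("no password set (requirepass empty)")
    bind = config.get("bind", "")
    if not bind or "0.0.0.0" in bind.split() or "*" in bind.split():
        findings.append(f"bound to all interfaces (bind={bind!r})")
    return findings


# Constructed sample: an exposed instance that has been turned into a replica
# of a host (TEST-NET address) that is not one of our known masters.
SAMPLE_INFO = (
    "# Replication\r\n"
    "role:slave\r\n"
    "master_host:203.0.113.10\r\n"
    "master_port:6379\r\n"
    "master_link_status:up\r\n"
)
SAMPLE_CONFIG = {"protected-mode": "no", "requirepass": "", "bind": "0.0.0.0"}

if __name__ == "__main__":
    for finding in assess_redis(SAMPLE_INFO, SAMPLE_CONFIG, ["10.0.0.5:6379"]):
        print("FINDING:", finding)
```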

Severity:
Medium

Attack Surface:
Infrastructure, Server OS, Others

Tactics:
Command and Control, Initial Access, Reconnaissance

Techniques:
T1485 – Data Destruction
T1176 – Browser Extensions
T1134 – Access Token Manipulation
T1059 – Command and Scripting Interpreter
T1140 – Deobfuscate/Decode Files or Information
T1021 – Remote Services
T1027 – Obfuscated Files or Information
T1106 – Native API
T1090 – Proxy
T1014 – Rootkit

Indicator of Compromise:
https://otx.alienvault.com/pulse/667e21f2b273b0812d9184dc

References:
1. https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer

SuperPRO's Threat Countermeasures Procedures:
1. Keep Redis products up to date with the latest security patches.
2. Use network firewalls, network segmentation and access control lists (ACLs) to restrict traffic flow and limit potential entry points for the malware.
3. Back up data regularly to prevent data loss in an emergency.
4. Enable strong passwords and multifactor authentication.
5. Use a trusted security solution to detect suspicious activity.
6. Deploy endpoint protection software to detect and block malicious activity; regularly run endpoint security scans and isolate compromised devices.

Contributed by: Varrumen