
P2PInfect botnet targets Redis servers with new ransomware module


P2PInfect, originally a dormant peer-to-peer malware botnet with unclear motives, has finally come alive to deploy a ransomware module and a cryptominer in attacks on Redis servers.

According to Cado Security, which has been tracking P2PInfect for some time now, there is evidence the malware operates as a "botnet for hire," although conflicting information prevents the researchers from drawing safe conclusions at this time.

P2PInfect background

P2PInfect was first documented in July 2023 by Unit 42 researchers, targeting Redis servers using known vulnerabilities.

Cado Security's subsequent examination of the malware revealed that it leveraged a Redis replication feature to spread.

Between August and September 2023, P2PInfect increased its activity to thousands of breach attempts weekly while also introducing new features like cron-based persistence mechanisms, fallback communication systems, and SSH lockout.

Despite that elevated activity, P2PInfect did not perform any malicious actions on compromised systems, so its operational goals remained blurry.

In December 2023, a new P2PInfect variant was discovered by Cado analysts, designed to target 32-bit MIPS (Microprocessor without Interlocked Pipelined Stages) processors found in routers and IoT devices.

New modules, unclear goals

Cado reports that starting on May 16, 2024, devices infected with P2PInfect received a command to download and run a ransomware payload (rsagen) from a specified URL, with the command being valid until December 17, 2024.

Fetching the ransomware module
Source: Cado Security

Upon launch, the ransomware binary checks for the existence of a ransom note ("Your data has been locked!.txt") to avoid re-encrypting compromised systems.

The ransomware targets files with specific extensions related to databases (SQL, SQLITE3, DB), documents (DOC, XLS), and media files (MP3, WAV, MKV) and appends the '.encrypted' extension to the resulting files.

The ransomware iterates through all directories, encrypting files and storing a database of encrypted files in a temporary file with the '.lockedfiles' extension.

The damage from the ransomware module is contained by its privilege level, which is limited to that of the compromised Redis user and the files accessible to them. Also, because Redis is often deployed in memory, not much beyond configuration files is eligible for encryption.
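The file-system artifacts described above (the ransom note name, the '.encrypted' suffix and the '.lockedfiles' tracking file) can be checked for on a Redis host, starting with the directories the Redis user can write to. The following triage script is an added example, not code from Cado Security or the original article; the function names, verdict labels and sample tree are assumptions made for illustration, and the extension list holds only the file types the article names.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article text.
RANSOM_NOTE = "Your data has been locked!.txt"
ENCRYPTED_SUFFIX = ".encrypted"
TRACKING_SUFFIX = ".lockedfiles"
# Only the file types the article names; the real target list may be longer.
NAMED_TARGETS = {".sql", ".sqlite3", ".db", ".doc", ".xls", ".mp3", ".wav", ".mkv"}


def scan(root):
    """Walk root (unreadable directories are skipped) and collect indicator hits."""
    hits = {"ransom_notes": [], "tracking_files": [],
            "encrypted": [], "encrypted_named_type": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                hits["ransom_notes"].append(path)
            elif name.endswith(TRACKING_SUFFIX):
                hits["tracking_files"].append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                hits["encrypted"].append(path)
                # dump.sql.encrypted -> inner extension ".sql"
                inner = Path(name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower()
                if inner in NAMED_TARGETS:
                    hits["encrypted_named_type"].append(path)
    return hits


def verdict(hits):
    """Marker file plus encrypted files: 'likely'. Either one alone: 'review'."""
    marker = hits["ransom_notes"] or hits["tracking_files"]
    if marker and hits["encrypted"]:
        return "likely"
    if marker or hits["encrypted"]:
        return "review"  # the '.encrypted' suffix by itself is generic
    return "clean"


if __name__ == "__main__":  # demo on a constructed sample tree, not incident data
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("redis/dump.db.encrypted", "redis/" + RANSOM_NOTE):
            sample = Path(tmp, rel)
            sample.parent.mkdir(exist_ok=True)
            sample.touch()
        print(verdict(scan(tmp)))
```

The `encrypted_named_type` list separates files whose inner extension is one the article names, which helps prioritise hits when unrelated software on the host also uses an '.encrypted' suffix.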

P2PInfect ransom note
Source: Cado Security

The XMR (Monero) miner seen dormant in previous iterations has now been activated, dropped to a temporary directory, and launched five minutes after the primary payload has started.

The pre-configured wallet and mining pool in the examined samples have so far made 71 XMR, which is about $10,000, but Cado says there's a good chance the operators use additional wallet addresses.

A peculiar characteristic of the new P2PInfect is that the miner is configured to use all the available processing power, often hampering the operation of the ransomware module.

Of note is also a new user-mode rootkit that enables P2PInfect bots to hide their malicious processes and files from security tools, hijacking multiple processes to achieve this concealment.

Though the rootkit is theoretically capable of hiding file operations, data access events, and network connections, its effectiveness is again limited by Redis's typical in-memory deployment.

Cado's research on whether P2PInfect is rented to multiple cybercriminals or operated by a core team has been inconclusive, and evidence supports both scenarios.

The main takeaway is that P2PInfect is no longer an experiment but a real threat to Redis servers, capable of destroying data and hijacking computational resources for profit.

