The gang behind a cloud botnet known for targeting servers running the Redis in-memory storage system dubbed P2Pinfect is now looking to expand into the IoT ecosystem, according to a new report. Researchers have recently come across a variant of the P2Pinfect worm designed to run on Linux devices with MIPS processors.
“It’s highly likely that by targeting MIPS, the P2Pinfect developers intend to infect routers and IoT devices with the malware,” researchers from Cado Security said in a new report. “Use of MIPS processors is common for embedded devices and the architecture has been previously targeted by botnet malware, including high-profile families like Mirai, and its variants/derivatives.”
P2Pinfect is an unusual worm
P2Pinfect drew attention when it was discovered earlier this year because it was written in Rust, a modern programming language that is cross-platform and is known for its memory and type safety and because it spread by compromising Redis deployments on both Linux and Windows systems.
P2Pinfect had two methods of exploiting Redis. One was through a critical vulnerability tracked as CVE-2022-0543 that specifically affected the Redis packages on Debian Linux. Redis allows users to upload and execute scripts written in the Lua programming language to extend the server’s functionality. These scripts are normally executed in a sandbox, but CVE-2022-0543 allowed attackers to write code that escaped from the sandbox and is executed in the context of the Redis process.
The second infection method involved abusing the Redis replication command that marks a Redis instance as a slave of a master server. This was used to copy a malicious module from an attacker-controlled server and then load it on the victim instances with the MODULE LOAD command.
P2Pinfect also attempts to brute-force access
The new variant of the worm written for the MIPS architecture also tries to brute force SSH access, which makes sense for embedded devices as they are more likely to have SSH enabled. In fact, researchers observed in the original versions that the worm was scanning random ranges of IP addresses for port 22, but they did not observe attempts to deliver the worm over SSH at the time.
However, the MIPS variant has a number of common username and password combinations hardcoded into its binary and uses them to conduct a brute-force attack on servers identified during scanning. Although the deployment of Redis on embedded devices is not popular, the package is available in OpenWRT, a popular open-source firmware for routers, so the worm’s Redis-specific attack vectors might also work on such devices.
The MIPS binary also has an embedded Windows DLL that can act as a malicious loadable module for Redis and implements a functionality called system.exec. This functionality allows attackers to execute shell commands on a compromised host.
“This is consistent with the previous examples of P2Pinfect, and demonstrates that the intention is to utilise MIPS devices for the Redis-specific initial access attack patterns,” the Cado researchers said.
The worm has some improved detection evasion capabilities
The MIPS variant also uses some new techniques that are meant to make its execution inside honeypot and other malware analysis virtual machines harder. First, when executed, the binary makes a system call to disable core dump functionality in Linux.
Core dumps are essentially dumps of the RAM contents and can help in post-compromise forensics investigations since they will contain the information processes had stored in the running memory. P2Pinfect uses a custom peer-to-peer communications protocol dubbed BotnetConf, so a core dumb could reveal information about IP addresses and connected peers.
“It’s also possible that the sample prevents core dumps from being created to protect the availability of the MIPS device itself,” the researchers said. “Low-powered embedded devices are unlikely to have lots of local storage available to them and core dumps could quickly fill what little storage they do have, affecting performance of the device itself.”
More obvious, the creators tried to prevent analysis but adding code that reads the pid status file of its own process. Pid stands for process ID and every process on a Linux system will have a unique ID and status file that will contain metadata about the process. This status file has a field called TracerPID which will indicate if the process is monitored by a dynamic analysis tool such as strace and ltrace. If the worm sees a value other than 0 for TracerPID it will immediately terminate its own execution to prevent analysis.
“P2Pinfect’s continued evolution and broadened targeting are clearly the work of a determined and sophisticated threat actor,” the Cado researchers said. “The cross-platform targeting and utilisation of a variety of evasion techniques demonstrate an above-average level of sophistication when it comes to malware development. Clearly, this is a botnet that will continue to grow until it’s properly utilised by its operators.”