An updated variant of the cloud-adept and Rust-based malware dubbed P2PInfect is now spreading ransomware and cryptominer payloads. The malware for the past year has been mostly benign and only tracked by researchers slowly worming across cloud instances and searching for unpatched instances of the 2022 sandbox escape vulnerability CVE-2022-0543.
In a June 25 blog post, Cado Security researchers wrote that P2PInfect would spread primarily via Redis and a limited SSH spreader. Now, the malware has been updated with a cryptominer, ransomware payload and rootkit functionality.
The evolution of P2Pinfect represents a typical example of how sophisticated malware develops, often focusing on spreading and establishing a solid foothold within networks during the initial phase, using techniques like exploiting software vulnerabilities or employing password spraying, explained Patrick Tiquet, vice president, security and architecture at Keeper Security.
In a July 2023 research post, Palo Alto Networks' Unit 42 first described the malware as a a new peer-to-peer (P2P) worm and called it P2PInfect. "[T]his worm is capable of cross-platform infections and targets Redis, a popular open-source database application that is heavily used within cloud environments... The P2PInfect worm infects vulnerable Redis instances by exploiting the Lua sandbox escape vulnerability, CVE-2022-0543. While the vulnerability was disclosed in 2022, its scope is not fully known at this point..," researchers wrote at the time.
Keeper Security's Tiquet said the goal at this current stage is to create a network of infected devices, forming a botnet that the authors can later use for various malicious purposes. This slow build lets the malware successfully avoid detection by standard, signature-based antivirus products, as the use of advanced evasion techniques enhances its persistence and longevity within systems.
“Once a significant number of devices are compromised, the malware can then be updated with more destructive features, such as ransomware or crypto miners,” said Tiquet. “By staying undetected for longer periods, malicious actors can carry out prolonged campaigns, maximizing their impact and financial gains. This progression makes the malware more dangerous over time, becoming more difficult to combat once it has deeply entrenched itself within a network.”
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, added that P2Pinfect is fairly typical in terms of opportunistically attacking SSH accounts that are weakly defended. He said it has some unique resiliency components built into the infrastructure of how it operates, as documented by Cado Security.
“This research proves that ‘stealth for survival’ matters to adversaries who have put a lot of work into their code and attacks, desiring to maintain their foothold once inside a network,” said Dunham.
Dunham said it's essential that cyber threat intelligence teams monitor and manage evolving tactics, techniques and procedures of bad actors for attribution, as well as changes in the threat landscape and indicators as to where companies should focus to best reduce risk.
“As adversaries focus upon resilience and stealth for survival, it's critical organizations are able to gain visibility of threats and able to predict the unknown, with regular audits and assurances coupled with purple teaming operations,” said Dunham.
