Highlights:

  • The “P2Pinfect” malware is written in the Rust programming language and acts as a botnet agent.
  • The malware uses multiple evasion techniques to hinder dynamic analysis and actively scans for Redis and SSH servers.

Researchers at Cado Security Ltd., a cloud forensics and incident response startup, have described a recently discovered malware campaign targeting Redis data store deployments.

Redis, an open-source in-memory data structure store, can be used as a cache, database, or message broker. It supports multiple data structures, including hashes, strings, sets, and lists.

The “P2Pinfect” malware is written in the Rust programming language and acts as a botnet agent. The researchers found an embedded Portable Executable (PE) and an additional Executable and Linkable Format (ELF) binary in the sample they examined, indicating that the malware targets both Linux and Windows.

On July 19, Palo Alto Networks Inc.’s Unit 42 documented the Windows version of P2Pinfect, stating that the malware was distributed by exploiting a Redis vulnerability tracked as CVE-2022-0543. Cado’s researchers, however, observed a different initial access method, demonstrating the malware’s flexibility.

P2Pinfect’s capabilities range from attempting several Redis exploits to using Rust for payload generation, which further complicates analysis. The malware uses multiple evasion techniques to hinder dynamic analysis and actively scans for Redis and SSH servers. It can also self-propagate like a worm.

The malware abuses Redis’s replication feature, which lets instances run in a distributed leader/follower topology to provide high availability and failover for the data store, to take over unprotected instances. Malicious replication is accomplished by connecting to a publicly exposed Redis instance and issuing the commands that turn it into a follower of an attacker-controlled leader. The same vector has previously been used in malware campaigns such as H2miner and Headcrab.
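As an added example (not part of the article, and not Cado Security’s or Unit 42’s tooling), the Python script below audits a redis.conf for the settings that make this replication takeover possible, with a weak and a hardened configuration as constructed samples. The directive names are Redis’s own; the requirepass value is a placeholder, and the choice of which commands to neutralise is the author’s assumption about what a minimal lockdown looks like.

```python
# Added example (not Cado Security's or Unit 42's code): audit a redis.conf for
# settings that leave an instance open to the replication-based takeover the
# article describes. The two configs below are constructed samples.

# Constructed sample: an exposed deployment with Redis's safe defaults
# overridden in the wrong direction.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance locked down. The requirepass value is a
# placeholder, not a real credential.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
enable-module-command no
"""


def parse_conf(text):
    """Return {directive: [values...]}, keeping repeated directives in order."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name.lower(), []).append(value.strip())
    return directives


def disabled_commands(directives):
    """Commands neutralised via `rename-command NAME ""` (empty name = disabled)."""
    disabled = set()
    for value in directives.get("rename-command", []):
        parts = value.split()
        if len(parts) == 2 and parts[1] == '""':
            disabled.add(parts[0].upper())
    return disabled


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_conf(text)
    findings = []

    # The last `bind` wins; no `bind` at all means every interface.
    bind_addrs = d.get("bind", [""])[-1].split()
    if not bind_addrs or any(a.lstrip("-") in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("bind: listening on all interfaces")

    if d.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")

    # Either a legacy password or an ACL `user` line counts as authentication.
    if "requirepass" not in d and "user" not in d:
        findings.append("auth: no requirepass and no ACL users")

    # Commands the replication/module-loading chain relies on.
    disabled = disabled_commands(d)
    for cmd in ("SLAVEOF", "REPLICAOF", "CONFIG"):
        if cmd not in disabled:
            findings.append(f"{cmd}: reachable by any authenticated client")

    # Redis 7 has enable-module-command (default no); older versions only have
    # the rename. An absent directive is treated as unknown and therefore flagged.
    module_setting = d.get("enable-module-command", ["unknown"])[-1].lower()
    if module_setting != "no" and "MODULE" not in disabled:
        findings.append("MODULE: loading not disabled")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Two caveats worth keeping in mind when adapting this: protected-mode only refuses external clients when no bind address and no password are configured, so it is a safety net rather than a substitute for the other settings, and renaming commands does not stop an attacker who has obtained the credential, which is why network exposure (the bind line and any firewall in front of it) is the first item the script checks.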

P2Pinfect attempts several well-known Redis exploitation methods, but it was the replication method that breached Cado’s honeypot infrastructure. Through a series of commands, the attacker loads a malicious module that extends Redis’s functionality and provides reverse shell access.
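The sequence described above, an unexpected switch to replica mode followed by a module load, leaves a trail in the Redis server log. As an added example (not Cado Security’s code and not drawn from the article), the Python script below flags that sequence over constructed log lines. The line layout and the message strings follow what Redis emits for these events, but the addresses, PIDs, module name and path are invented, as are the allowed-master list and module directory.

```python
# Added example (not Cado Security's code): flag the replication-then-module-load
# sequence in Redis server logs. The log lines are constructed samples laid out
# like Redis's server log; the IP addresses are documentation ranges.
import re
from datetime import datetime, timedelta

# Masters this instance may legitimately replicate from (assumed for the example).
ALLOWED_MASTERS = {"10.0.0.6"}
# Directory from which modules may legitimately be loaded (assumed).
MODULE_DIR = "/usr/lib/redis/modules/"
# A module load this soon after an unexpected REPLICAOF is treated as related.
WINDOW = timedelta(minutes=5)

# pid:role day mon year hh:mm:ss.mmm level message
LINE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[MSCX]) "
    r"(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[.\-*#]) (?P<msg>.*)$"
)
REPLICAOF_RE = re.compile(
    r"^REPLICAOF (?P<host>[^:]+):(?P<port>\d+) enabled "
    r"\(user request from '(?P<client>[^']*)'\)"
)
MODULE_RE = re.compile(r"^Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")

# Constructed sample: the attack chain. Redis logs REPLICAOF even when the client
# sent the older SLAVEOF spelling, and the client info shows who issued it.
SUSPICIOUS_LOG = """\
12345:M 20 Jul 2023 10:14:58.001 * Ready to accept connections
12345:S 20 Jul 2023 10:15:01.123 * REPLICAOF 203.0.113.7:6379 enabled (user request from 'id=8 addr=203.0.113.7:51312 laddr=10.0.0.5:6379 fd=9 name= cmd=slaveof user=default')
12345:S 20 Jul 2023 10:15:01.131 * MASTER <-> REPLICA sync started
12345:S 20 Jul 2023 10:15:02.400 * MASTER <-> REPLICA sync: Finished with success
12345:S 20 Jul 2023 10:15:03.010 * Module 'system' loaded from /tmp/exp.so
"""

# Constructed sample: an operator pointing the replica at the approved master.
BENIGN_LOG = """\
12345:M 20 Jul 2023 09:00:00.000 * Ready to accept connections
12345:S 20 Jul 2023 09:00:05.000 * REPLICAOF 10.0.0.6:6379 enabled (user request from 'id=3 addr=10.0.0.9:40000 laddr=10.0.0.5:6379 fd=7 name=ops cmd=replicaof user=ops')
12345:S 20 Jul 2023 09:00:05.010 * MASTER <-> REPLICA sync started
"""


def parse(log_text):
    """Yield (timestamp, message) for each well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        yield datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S.%f"), m["msg"]


def detect(log_text):
    """Return findings as (kind, timestamp, detail, context) tuples."""
    findings = []
    last_bad_replicaof = None
    for ts, msg in parse(log_text):
        r = REPLICAOF_RE.match(msg)
        if r:
            if r["host"] not in ALLOWED_MASTERS:
                last_bad_replicaof = ts
                findings.append(("unexpected-master", ts, r["host"], r["client"]))
            continue
        mod = MODULE_RE.match(msg)
        if mod:
            outside_dir = not mod["path"].startswith(MODULE_DIR)
            after_bad_replicaof = (
                last_bad_replicaof is not None and ts - last_bad_replicaof <= WINDOW
            )
            if outside_dir or after_bad_replicaof:
                findings.append(("module-load", ts, mod["name"], mod["path"]))
    return findings


if __name__ == "__main__":
    for kind, ts, detail, context in detect(SUSPICIOUS_LOG):
        print(f"{ts} {kind}: {detail} ({context})")
```

The module-load rule fires on its own when the path is outside the approved directory, because a module written to a world-writable location such as /tmp is suspicious regardless of what preceded it; the replication rule catches the earlier stage so the alert carries the client address that issued the command. In a production pipeline the same parser would also watch for CONFIG SET changes to dir and dbfilename, which is how the replication payload is steered onto disk.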

The primary payload is an ELF written in a combination of Rust and C. The payload is believed to alter the host’s SSH configuration to ease the operator’s access to the server, and also to remove certain binaries and modify specific files.

The malware spreads with the help of a peer-to-peer botnet in which each infected server acts as a node. This decentralized structure provides resilient communication without a centralized command-and-control server. The binary listens on a random port and serves payloads over a basic HTTP server, while using HTTPS for the actual botnet coordination.

The researchers reported, “P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2. The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code) while also making static analysis of the code significantly harder.”