The operator behind the growing P2PInfect botnet is turning their focus to Internet of Things (IoT) devices and routers running the MIPS chip architecture, expanding their list of targets and offering more evidence that the malware is the work of an experienced threat actor.
P2PInfect, a self-replicating worm written in the Rust programming language, was first detected this summer targeting primarily unpatched Redis instances through the critical Lua sandbox escape vulnerability (CVE-2022-0543) and an unauthorized replication attack that loads a malicious Redis module.
The latest variant targets embedded devices based on 32-bit MIPS processors and tries to brute-force SSH access into those systems, according to Matt Muir, threat intelligence researcher with Cado Security Labs. MIPS processors are commonly used in embedded devices and have been targeted in the past by botnet malware developers, such as Mirai and its myriad variants, Muir wrote in a blog post.
“Not only is this an interesting development in that it demonstrates a widening of scope for the developers behind P2Pinfect (more supported processor architectures equals more nodes in the botnet itself), but the MIPS32 sample includes some notable defence evasion techniques,” he wrote. “This, combined with the malware’s utilisation of Rust (aiding cross-platform development) and rapid growth of the botnet itself, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor.”
Starting Off with Redis Servers
The increasingly popular Rust language is widely used by developers, is cloud-friendly, and makes it easier to build malware that runs across multiple operating systems. In their initial report about P2PInfect, researchers with Palo Alto Networks' Unit42 cyber unit noted that the botnet was targeting Redis instances, which can run on both Windows and Linux.
P2PInfect’s expansion of targets into IoT and similar devices dovetails with a larger trend. A report by Check Point threat researchers found that in the first two months of this year, there was a 41% year-over-year increase in the average number of weekly attacks per organization on IoT devices, and that on average, 54% of organizations see an attempted attack on IoT devices.
“Cybercriminals are aware that IoT devices are notoriously one of the most vulnerable parts in the networks, with most not properly secured or managed,” the Check Point researchers wrote. “With IoT devices like cameras and printers, its vulnerabilities and other such unmanaged devices can allow direct access and significant privacy violation, allowing attackers an initial foothold into corporate networks, before propagating inside the breached network.”
The botnet is a peer-to-peer (P2P) self-replicating worm designed to spread widely, as seen in its use of Rust, according to Unit42 researchers. Muir wrote in an earlier report in September that there was a jump in P2PInfect incidents in August and a 600-fold increase in P2PInfect traffic the following month. That coincided with reports of more variants streaming onto the scene.
These variants indicated that the designers behind P2PInfect were accelerating their development of the malware. Most of the compromises then were seen in the United States, Germany, the UK, and countries in Asia, including China, Hong Kong, Japan, and Singapore.
Found in the Honeypot
Muir wrote that Cado researchers detected the MIPS variant of P2PInfect after sorting through files uploaded to an SSH honeypot. SSH is a network protocol that allows users to securely access a computer over an unsecured network.
While P2PInfect variants had been seen scanning for SSH servers and spreading the malware through SSH, Cado researchers hadn't yet seen a P2PInfect sample successfully use the method. Now they have. The botnet malware includes common pairs of usernames and passwords that are embedded in the MIPS binary and will "iterate through these pairs, initiating a SSH connection with servers identified during the scanning phase to conduct a brute force attack," he wrote. "It was assumed that SSH would be the primary method of propagation for the MIPS variant, due to routers and other embedded devices being more likely to utilise SSH. However, additional research shows that it is in fact possible to run the Redis server on MIPS. This is achievable via an OpenWRT package named redis-server."
That said, Muir wrote that it’s not clear whether running Redis on an embedded MIPS device is commonly seen in the wild or how such a combination is used. However, “if such a device is compromised by P2Pinfect and has the redis-server package installed, it’s perfectly feasible for that node to then be used to compromise new peers via one of the reported P2Pinfect attack patterns, involving exploitation of Redis or SSH bruteforcing,” he wrote.
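The propagation behaviour described above (an embedded list of username/password pairs tried in turn over SSH) leaves a recognisable trace in the target's sshd log: a burst of failed password logins for several different usernames from one source, sometimes followed by an accepted password login from the same source. The following is an added, defender-side example and is not code from the article or from Cado Security; the auth log lines are constructed, the threshold and window are assumptions, and the format matched is the common syslog-style sshd output.

```python
"""Flag SSH password brute-force bursts in sshd auth logs (added example).

Not from the article or from Cado Security. The log lines below are
constructed to look like syslog-style sshd output; the threshold and
window values are assumptions, not figures from the report.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: five rapid password failures for four different
# usernames from one source, then a successful password login from it.
SAMPLE_AUTH_LOG = """\
Dec  4 10:01:02 router sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Dec  4 10:01:03 router sshd[1202]: Failed password for admin from 203.0.113.10 port 51023 ssh2
Dec  4 10:01:04 router sshd[1203]: Failed password for invalid user pi from 203.0.113.10 port 51024 ssh2
Dec  4 10:01:05 router sshd[1204]: Failed password for ubnt from 203.0.113.10 port 51025 ssh2
Dec  4 10:01:06 router sshd[1205]: Failed password for root from 203.0.113.10 port 51026 ssh2
Dec  4 10:01:07 router sshd[1206]: Accepted password for admin from 203.0.113.10 port 51027 ssh2
Dec  4 10:05:00 router sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Dec  4 10:20:00 router sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return sshd login events as dicts, in file order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only relative spacing matters here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"),
                       "method": m.group("method"), "user": m.group("user"),
                       "ip": m.group("ip")})
    return events


def detect_brute_force(text, threshold=5, window_seconds=60):
    """Return {ip: alert} for sources with >= threshold password failures
    inside a sliding window. The alert records the usernames tried and whether
    a password login from that source was accepted while the burst was still
    inside the window, the signal that a guessed credential pair worked."""
    recent = defaultdict(deque)  # ip -> timestamps of recent password failures
    users = defaultdict(set)     # ip -> usernames attempted
    alerts = {}
    for ev in parse_auth_log(text):
        if ev["method"] != "password":
            continue  # key-based logins are not credential guessing
        q = recent[ev["ip"]]
        # Expire failures that have fallen outside the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            users[ev["ip"]].add(ev["user"])
            if len(q) >= threshold:
                alert = alerts.setdefault(ev["ip"], {"failures": 0, "users": set(),
                                                     "success_after_burst": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["users"] = set(users[ev["ip"]])
        elif len(q) >= threshold:  # Accepted password right after a burst
            alerts.setdefault(ev["ip"], {"failures": len(q), "users": set(users[ev["ip"]]),
                                         "success_after_burst": False})
            alerts[ev["ip"]]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

On a real router the input would be the device's own auth log (for example via `logread` on OpenWrt); the "success after burst" flag is the one worth paging on, since a burst that never succeeds is background noise on any Internet-facing SSH port, while a success that follows one means a default or weak credential pair is in use and should be rotated.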
Included in the MIPS variant were new evasion techniques, including enabling the malware to detect if it's being analyzed and, if so, terminating itself. In addition, the botnet may try to disable Linux core dumps, files created automatically by the Linux kernel after a program crashes. A core dump includes the memory, register values, and call stack of the application at the point of the crash.
“This is likely used as an anti-forensics procedure as the memory regions written to disk as part of the core dump can often contain internal information about the malware itself,” Muir wrote. “In the case of P2Pinfect, this would likely include information such as IP addresses of connected peers.”
Preventing the core dump could also ensure that the MIPS device remains available, he wrote. Such low-powered embedded devices won't have a lot of local storage, and core dumps could quickly eat up what little storage they have, which could hurt the performance of the device itself.
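Disabled core dumps can be checked from the outside on a Linux host, because the per-process core-file limit is visible in `/proc/<pid>/limits`. The script below is an added example, not from the article or from Cado Security. It assumes the malware lowers its own process's core-file size limit to zero (the RLIMIT_CORE resource limit), which is one common way to disable core dumps on Linux; the article does not state which mechanism P2PInfect uses. Because a soft limit of zero is also the default on many distributions, the check compares each process against its parent and only flags processes that disabled core dumps themselves. The `/proc` snippets used for the demonstration are constructed.

```python
"""Find processes that disabled their own core dumps (added example).

Not from the article or from Cado Security. Assumes the core-dump
suppression is done by setting the RLIMIT_CORE soft limit to 0; the /proc
text below is constructed, not captured from a real device.
"""
import os
import re

# Constructed /proc/<pid>/limits excerpts (real files have more rows).
LIMITS_DEFAULT = """\
Limit                     Soft Limit           Hard Limit           Units
Max core file size        unlimited            unlimited            bytes
Max open files            1024                 4096                 files
"""
LIMITS_DISABLED = """\
Limit                     Soft Limit           Hard Limit           Units
Max core file size        0                    0                    bytes
Max open files            1024                 4096                 files
"""

# Constructed process tree: {pid: (ppid, limits_text)}. Process 200 lowered
# its own limit; 300 merely inherited the lowered limit from 200.
SAMPLE_PROCESSES = {
    1: (0, LIMITS_DEFAULT),
    100: (1, LIMITS_DEFAULT),
    200: (100, LIMITS_DISABLED),
    300: (200, LIMITS_DISABLED),
}

CORE_RE = re.compile(r"^Max core file size\s+(\S+)\s+(\S+)\s+bytes", re.MULTILINE)


def core_limit(limits_text):
    """Return (soft, hard) core-file limits in bytes; None means unlimited."""
    m = CORE_RE.search(limits_text)
    if not m:
        raise ValueError("no 'Max core file size' row in limits text")
    conv = lambda v: None if v == "unlimited" else int(v)
    return conv(m.group(1)), conv(m.group(2))


def core_dumps_disabled(limits_text):
    """True when the soft limit is 0: the kernel will not write a core file."""
    soft, _ = core_limit(limits_text)
    return soft == 0


def find_self_disabled(processes):
    """Return pids whose core dumps are disabled while their parent's are not.

    A limit of 0 inherited from the parent (or from a system-wide default) is
    ordinary; a process whose limit is lower than its parent's lowered it
    itself, which is the anti-forensics pattern worth a closer look."""
    flagged = []
    for pid, (ppid, text) in processes.items():
        if not core_dumps_disabled(text):
            continue
        parent = processes.get(ppid)
        if parent is None:
            continue  # pid 1, or the parent has already exited
        if not core_dumps_disabled(parent[1]):
            flagged.append(pid)
    return sorted(flagged)


def collect_procfs(proc_root="/proc"):
    """Live Linux scan: build {pid: (ppid, limits_text)} from /proc.
    Returns {} where /proc is unavailable; unreadable entries are skipped."""
    procs = {}
    try:
        pids = [int(p) for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return procs
    for pid in pids:
        try:
            with open(f"{proc_root}/{pid}/status") as f:
                status = f.read()
            with open(f"{proc_root}/{pid}/limits") as f:
                limits = f.read()
        except OSError:
            continue
        m = re.search(r"^PPid:\s+(\d+)", status, re.MULTILINE)
        if m:
            procs[pid] = (int(m.group(1)), limits)
    return procs


if __name__ == "__main__":
    print("sample tree, self-disabled pids:", find_self_disabled(SAMPLE_PROCESSES))
    print("live scan, self-disabled pids:", find_self_disabled(collect_procfs()))
```

Flagged pids are leads, not verdicts: legitimate daemons that handle secrets (some SSH agents, password managers) also disable core dumps for the same reason the malware does, so the next step is to look at the binary path and network peers of each flagged process rather than to act on the limit alone.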
The latest variant indicates that P2PInfect's "determined and sophisticated" operator is likely to continue growing the botnet's capabilities until the operators can use it as they want, Muir wrote, adding that the "cross-platform targeting and utilisation of a variety of evasion techniques demonstrate an above-average level of sophistication when it comes to malware development."