Redis Server Vulnerabilities Exploited with Ransomware and Crypto Miners
P2Pinfect, extensively analyzed by Cado Security, has undergone significant evolution since its emergence. Originally known for propagating through Redis and employing limited SSH exploits, this malware now includes advanced functionalities such as ransomware and cryptocurrency mining capabilities. These updates highlight its adaptability and the evolving objectives of threat actors in exploiting compromised systems.
Cado Security's ongoing research traces P2Pinfect's progression from exploiting Redis vulnerabilities and basic SSH techniques to utilizing complex methods like asynchronous programming with the tokio framework and binary packing using UPX. The introduction of ransomware marks a new phase, enabling direct extortion through data encryption, while cryptocurrency mining exploits infected resources for financial gain.
Background and Initial Discovery
P2Pinfect first came under scrutiny from cybersecurity researchers at Palo Alto Networks Unit 42 during the summer of 2023. This malware was identified for its targeted attacks on Redis servers vulnerable to CVE-2022-0543, a critical Lua sandbox escape vulnerability enabling arbitrary code execution. Unit 42's investigation revealed that P2Pinfect uses this vulnerability to gain initial access to systems, bypassing security measures and compromising the integrity of Redis instances, potentially exposing sensitive data. The widespread use of Redis across cloud environments amplifies the impact and reach of P2Pinfect's campaign.
Initial Access Exploitation
P2Pinfect exploits Redis's replication features in distributed clusters, where nodes can function as replicas of leader nodes. This setup, while enhancing load balancing and resilience, also widens the attack surface. By issuing commands such as SLAVEOF, P2Pinfect turns a reachable Redis node into a replica of an attacker-controlled leader and then pushes a malicious shared object file (.so) to it, obtaining arbitrary code execution on the node.
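A defender-side way to check whether the replication abuse described above is reachable is to audit redis.conf for the settings that gate it. The following is an added example, not code from the Cado Security report; the two sample configurations are constructed, and the command renames reflect standard Redis hardening guidance rather than anything the report prescribes.

```python
"""Audit redis.conf text for settings that leave the replication/shared-object
chain reachable from the network (added example; sample configs constructed)."""

# Constructed sample: a typical weak configuration.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass ChangeMe
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass ChangeMe
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

ALL_INTERFACES = ("0.0.0.0", "*", "::", "::*", "-::*")
REPLICATION_CMDS = ("SLAVEOF", "REPLICAOF", "MODULE")

def parse_conf(text):
    """Map each directive to the list of values seen (later lines win)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf

def audit_conf(text):
    """Return findings in a fixed order; an empty list means nothing flagged."""
    conf = parse_conf(text)
    findings = []
    bind_tokens = [t for v in conf.get("bind", []) for t in v.split()]
    if not bind_tokens or any(t in ALL_INTERFACES for t in bind_tokens):
        findings.append("bound to all interfaces")  # Redis default when unset
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")
    if conf.get("requirepass", [""])[-1] in ("", '""'):
        findings.append("no authentication (requirepass unset)")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    findings.extend(f"{c} command still exposed" for c in REPLICATION_CMDS if c not in renamed)
    return findings
```

Renaming a command to an empty string disables it for every client; renaming it to an unguessable name keeps it for administrators only.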
Main Payload
P2Pinfect operates as a worm, actively scanning the internet for new servers vulnerable to Redis exploits. It also utilizes basic SSH password spraying techniques, albeit with reduced success rates due to oversaturation. Upon infecting a system, P2Pinfect installs an SSH key in the authorized_keys file, limits Redis access to existing IP connections, and attempts SSH service restarts to enable root login. The malware targets user passwords and leverages sudo for privilege escalation.
Additionally, P2Pinfect functions as a peer-to-peer botnet where each infected machine acts as a node maintaining multiple connections. This mesh network allows for efficient distribution of updated binaries through a gossip mechanism, ensuring rapid propagation of malware updates across the network.
Updated Main Payload
Recent updates to P2Pinfect include rewriting core functionalities using the tokio async framework in Rust and packing binaries with UPX. These changes enhance operational efficiency and complicate static analysis.
Miner Payload Activation
Initially dormant, the embedded cryptocurrency miner within P2Pinfect becomes active after a brief delay following the launch of the main payload. It targets Monero mining, preconfigured with wallet and pool details, showing minimal activity compared to the botnet's size.
Ransomware Payload Activation
Upon joining the botnet, P2Pinfect receives a command instructing it to download and execute a new binary called rsagen, which serves as the ransomware payload.
Execution and Encryption Process
Upon execution, rsagen checks for the existence of a ransom note in the current directory (/tmp) or user's home directory. If absent, it proceeds to initiate the encryption process. While the exact cryptographic method is undisclosed, it likely involves generating a public key to encrypt files, with the corresponding private key encrypted using the attacker's public key. This setup facilitates decryption upon payment without storing sensitive data on compromised systems.
The ransom note, titled "Your data has been locked!.txt", instructs victims on payment procedures. Utilizing Monero ensures transaction anonymity, complicating tracking of earnings.
File Encryption and Targeting
The ransomware iterates through the entire filesystem, encrypting files and appending ".encrypted" to filenames. While Linux systems do not inherently require file extensions, P2Pinfect selectively targets specific file types based on a lengthy list embedded within its code. Notably excluded are Redis-specific files (e.g., .rdb).
Privilege and Target Limitations
Operating within the privileges of its parent process, typically the Redis user, rsagen's impact is constrained to files accessible to Redis. This user typically lacks root or sudo privileges, limiting its ability to escalate privileges or encrypt critical system files beyond Redis configurations.
Usermode Rootkit Addition
P2Pinfect now includes a usermode rootkit aimed at enhancing stealth capabilities. It modifies accessible .bashrc files in user directories so that a shared object, libs.so.1, is preloaded (via LD_PRELOAD) into commands like ls or cat. This allows the rootkit to intercept and hide specific processes and files by hooking libc functions such as fopen, open, lstat, unlink, and readdir.
Functionality
- File and Process Concealment: It hides processes associated with /tmp/bash or the miner and filters ports in /proc/net/tcp and /proc/net/tcp6.
- Environment Variable Bypass: An environment variable can bypass these checks, allowing other malware binaries to execute commands without interference.
Dynamic Generation and Limitations
The rootkit is dynamically generated by P2Pinfect at runtime, incorporating a random environment variable as a bypass string. However, its impact is limited to the user running the Redis server, which typically lacks access to other users' directories.
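Because the rootkit persists only through rc files, a scan of each user's .bashrc, .bash_profile and .profile for LD_PRELOAD assignments is a cheap detection. The following is an added example, not code from the Cado Security report; the home-directory layout and the /tmp/libs.so.1 path it writes are constructed for the demonstration.

```python
"""Scan shell rc files for LD_PRELOAD hooks of the kind described above
(added example; the rc-file contents and directory tree are constructed)."""
import os
import re
import tempfile

RC_NAMES = (".bashrc", ".bash_profile", ".profile")
# Matches "export LD_PRELOAD=/path" and plain "LD_PRELOAD=/path" assignments.
PRELOAD_RE = re.compile(r'^\s*(?:export\s+)?LD_PRELOAD=["\']?([^"\'\s]+)')

def find_preload_hooks(rc_text):
    """Return the shared-object paths an rc file would preload."""
    hooks = []
    for line in rc_text.splitlines():
        m = PRELOAD_RE.match(line)
        if m:
            # Split colon-separated lists; drop variable references like $LD_PRELOAD.
            hooks.extend(p for p in m.group(1).split(":") if p and not p.startswith("$"))
    return hooks

def scan_home_dirs(root):
    """Walk each home directory under root and map rc file -> preloaded paths."""
    findings = {}
    for user in sorted(os.listdir(root)):
        for name in RC_NAMES:
            path = os.path.join(root, user, name)
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                hooks = find_preload_hooks(fh.read())
            if hooks:
                findings[path] = hooks
    return findings

def demo():
    """Build a constructed home tree: one clean user, one carrying the hook."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "alice"))
    os.makedirs(os.path.join(root, "redis"))
    with open(os.path.join(root, "alice", ".bashrc"), "w") as fh:
        fh.write("alias ll='ls -la'\n")
    with open(os.path.join(root, "redis", ".bashrc"), "w") as fh:
        fh.write("alias ll='ls -la'\nexport LD_PRELOAD=/tmp/libs.so.1\n")  # constructed path
    return scan_home_dirs(root)

if __name__ == "__main__":
    for rc, hooks in demo().items():
        print(f"{rc}: preloads {', '.join(hooks)}")
```

Run the scan from a process that has not sourced the affected rc file (for example a non-interactive shell started with --norc), since a shell that already loaded the hook would have its own directory listings filtered.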
Potential Botnet-for-Hire Theory
There is speculation that P2Pinfect could be operating as a botnet-for-hire, indicated by its method of delivering the rsagen ransomware payload from a fixed URL via command. This contrasts with other integrated payloads, suggesting flexibility in deploying arbitrary payloads on command. This could imply P2Pinfect accepts payments for distributing third-party payloads across its botnet nodes.
Supporting Evidence
- Separate Wallet Addresses: Different addresses for the miner and ransomware wallets suggest distinct entities managing these operations.
- Operational Interference: The miner's CPU usage often interferes with ransomware operations, which is unusual if ransomware were the sole motivation.
- Lack of Protection: The rsagen payload lacks defensive features like the usermode rootkit present in the main P2Pinfect binary.
Counterpoints
- Compiler Strings: Both P2Pinfect and rsagen are compiled using GCC (4.8.5 20150623), which is consistent with a single author and lessens the likelihood of third-party involvement.
- Language Choice: Both payloads are written in Rust, further suggesting unified development.
While P2Pinfect may facilitate initial access brokerage, current evidence suggests it is not a botnet-for-hire operation.
Conclusion
P2Pinfect continues to spread widely among servers, enhanced by its updated crypto miner, ransomware, and usermode rootkit. While its ransomware payload targeting Redis servers is unconventional, the miner remains more lucrative due to broader accessibility. The usermode rootkit, though theoretically advantageous, is limited in practical effectiveness, especially in Redis-restricted environments. Overall, P2Pinfect showcases evolving tactics aimed at maximizing profit and operational reach in compromised server networks.