Severity
High
Analysis Summary
Once a dormant peer-to-peer malware botnet with unknown intentions, P2PInfect has finally come to life to target Redis servers with a cryptominer and a ransomware module.
Researchers who have been monitoring P2PInfect for some time claim to have evidence that the malware operates as a botnet for hire, although contradictory data has so far kept them from making a firm judgment. P2PInfect was first reported in July 2023, when it attacked Redis servers using known vulnerabilities. Analysis of the malware showed that it used a Redis replication function to propagate.
In August and September of 2023, P2PInfect added new capabilities like SSH lockout, fallback communication systems, and cron-based persistence methods, and expanded its activity to hundreds of breach attempts every week. P2PInfect's operational objectives remained unclear because, despite this increased activity, it did not carry out any hostile acts on affected systems.
A new version of P2PInfect, intended to attack 32-bit MIPS (Microprocessor without Interlocked Pipelined Stages) processors found in routers and Internet of Things (IoT) devices, was identified by experts in December 2023. Devices infected with P2PInfect began receiving instructions on May 16, 2024, to download and execute a ransomware payload (rsagen) from a given URL. These instructions were only valid until December 17, 2024.
To avoid re-encrypting already compromised systems, the ransomware checks on launch whether a ransom note ("Your data has been locked!.txt") is already present on the target system. It targets files with extensions associated with media (MP3, WAV, MKV), documents (DOC, XLS), and databases (SQL, SQLITE3, DB), and appends the '.encrypted' extension to each file it encrypts. It walks every directory, encrypting as it goes, and records the encrypted files in a database kept in a temporary file ending in ".lockedfiles".
The damage the ransomware module can do is bounded by its privilege level: only files accessible to the compromised Redis user can be encrypted. Moreover, because Redis is usually deployed in memory, little beyond configuration files is eligible for encryption. Five minutes after the main payload starts, the previously dormant XMR (Monero) miner is activated, dropped into a temporary directory, and launched.
So far, the pre-configured wallet and mining pool in the tested samples have earned 71 XMR, roughly $10,000. However, there is a strong possibility that the operators use other wallet addresses as well. One unusual feature of the new P2PInfect is that the miner is configured to use all available processing power, which frequently interferes with the ransomware module's ability to function.
Also noteworthy is a new user-mode rootkit that lets P2PInfect bots hide their malicious files and processes from security tools by taking control of several processes. Again, the in-memory Redis deployment limits the rootkit's effectiveness, even though it can potentially conceal file operations, data access events, and network connections.
There is evidence for both hypotheses, but the investigation into whether P2PInfect is run by a core team or rented out to various threat actors has proven inconclusive. The key conclusion is that P2PInfect, which can destroy data and hijack computing resources for financial gain, is no longer merely an experiment but a genuine threat to Redis servers.
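As an added defender-side example (not code from the advisory or from the researchers it cites), the following Python scan looks for the filesystem artifacts described above (the ransom note, the '.encrypted' suffix, and the '.lockedfiles' database) and compares file hashes against the MD5 and SHA-256 values listed under Indicators of Compromise; the directory layout and file contents in demo() are constructed test data, not output of the real malware.

```python
import hashlib
import os
import tempfile
from collections import Counter

# Filesystem artifacts the advisory attributes to the P2PInfect ransomware module.
RANSOM_NOTE = "Your data has been locked!.txt"
ENCRYPTED_EXT = ".encrypted"
LOCKED_DB_SUFFIX = ".lockedfiles"
# Sample hashes taken from the advisory's IoC list (MD5 and SHA-256).
IOC_HASHES = {"5997572f16876f4e8359a6f06d2f2a56", "6559d129a3332936541fb82cdad4c35e",
              "4f949750575d7970c20e009da115171d28f1c96b8b6a6e2623580fa8be1753d9",
              "8a29238ef597df9c34411e3524109546894b3cca67c2690f63c4fb53a433f4e3"}

def scan(root):
    # Walk the tree and return (finding_kind, path) pairs for every artifact found.
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings.append(("ransom_note", path))
            elif name.endswith(ENCRYPTED_EXT):
                findings.append(("encrypted_file", path))
            elif name.endswith(LOCKED_DB_SUFFIX):
                findings.append(("locked_db", path))
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip the hash comparison
            digests = {hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()}
            if digests & IOC_HASHES:
                findings.append(("known_sample", path))
    return findings

def demo():
    # Constructed sample tree (not real malware output); returns counts per finding kind.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var", "lib", "redis"))
        for rel, body in (("var/lib/redis/" + RANSOM_NOTE, b"Your data has been locked!"),
                          ("var/lib/redis/dump.rdb.encrypted", b"\x00" * 32),
                          ("var/lib/redis/redis.conf.encrypted", b"\x00" * 32),
                          ("tmpx1y2.lockedfiles", b"/var/lib/redis/dump.rdb\n"),
                          ("README", b"benign file")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return dict(Counter(kind for kind, _ in scan(root)))
```

Run scan() against the Redis data directory and the system temp directory to cover the locations the advisory names; a hit on "known_sample" means a file matching a listed hash is present.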
Impact
- Cryptocurrency Theft
- Financial Loss
- File Encryption
- Sensitive Data Theft
Indicators of Compromise
IP
- 129.144.180.26
- 88.198.117.174
MD5
- 5997572f16876f4e8359a6f06d2f2a56
- 6559d129a3332936541fb82cdad4c35e
SHA-256
- 4f949750575d7970c20e009da115171d28f1c96b8b6a6e2623580fa8be1753d9
- 8a29238ef597df9c34411e3524109546894b3cca67c2690f63c4fb53a433f4e3
SHA-1
- 6239679ca666fd82cfcf68e23bd41b3e6ee62385
- 4df6c580ff03c5d1d9b788e3ce195cd2cfbacf75
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.