P2PInfect: Self-Replicating Worm Hits Redis Instances

Known as ‘P2PInfect,’ the worm exploits a critical vulnerability to infiltrate Redis instances and assimilates them into a larger P2P network, enabling it to spread rapidly.
P2PInfect: Self-Replicating Worm Hits Redis Instances

The worm exploits a sandbox escape vulnerability in the Lua Library, which has received a maximum severity score of 10.0 on the CVSSv3 severity scale.

Security experts have issued a warning about a highly sophisticated peer-to-peer (P2P) worm, written in Rust, that is specifically targeting instances of the popular open-source database software Redis.

Known as ‘P2PInfect,’ the worm exploits a critical vulnerability to infiltrate Redis instances and assimilates them into a larger P2P network, enabling it to spread rapidly.

Researchers from Unit 42, Palo Alto Networks’ cloud research team, identified the worm and named it after a term found in leaked symbols within its code. The worm exploits CVE-2022-0543, a sandbox escape vulnerability in the Lua Library, which has received a maximum severity score of 10.0 on the CVSSv3 severity scale, indicating its significant threat potential.

P2PInfect: Self-Replicating Worm Hits Redis Instances
Screenshot shared by researchers shows P2PInfect appears in the leaked symbols

P2PInfect establishes its foothold in cloud container environments, making it stand out from other worms targeting Redis, such as the cryptojacking malware operated by Adept Libra (aka TeamTnT), Thief Libra (aka WatchDog).

Once inside a Redis instance, the worm executes a Powershell script that alters local firewall settings, preventing the infected Redis instance from being accessed by legitimate owners while granting the worm operators unrestricted access.

One of the worm’s sophisticated techniques for persistence involves a process named ‘Monitor,’ stored in the Temp folder within a user’s AppData directory. This process downloads multiple randomly named P2PInfect executables alongside an encrypted configuration file, ensuring its long-term presence on infected systems.

Researchers have observed that the worm establishes a P2P connection via port 60100 to a large command and control (C2) botnet. While samples downloaded from the C2 include files labelled ‘miner’ and ‘winminer,’ there is no evidence yet of P2PInfect engaging in cryptomining using infected instances.

Experts speculate that the worm might be laying the groundwork for future campaigns, potentially involving mining activities using the botnet.

According to Unit 42’s blog post, the company discovered P2PInfect on July 11th using its HoneyCloud platform, a diverse array of honeypots designed to attract and analyze public cloud threats. The worm’s rapid spread has been noted, with 934 out of 307,000 publicly-communicating Redis instances identified as vulnerable.

The unique use of Rust programming language by P2PInfect raises concerns among cybersecurity experts, as many ransomware groups have also shifted to Rust due to benefits such as faster encryption and evading common detection methods.

As the threat landscape continues to evolve, researchers are closely monitoring the worm’s behaviour, including the possibility of new behaviours and features being added to P2PInfect in the future.

While Rust offers numerous advantages beyond its use in malware, its adoption in sophisticated worms like P2PInfect highlights the importance of constant vigilance and proactive security measures in the face of ever-evolving cyber threats. Organizations and individuals are urged to update their Redis instances and implement robust cybersecurity practices to safeguard against potential attacks.

In the wake of this discovery, the cybersecurity community must remain vigilant and proactive in safeguarding critical systems and data against emerging threats like P2PInfect and other advanced malware strains.

  1. 10 Application Security Best Practices To Follow
  2. Thousands of GitHub Repositories Cloned in Supply Chain Attack
  3. VirusTotal Data Leak Exposes User Info, Including Intel Agencies’ Data
  4. Threat actors hijacking Bitbucket and Docker Hub for Monero mining
  5. LemonDuck Cryptomining Botnet Hunting for Misconfigured Docker APIs
Total
0
Shares
Related Posts