P2PInfect, initially a dormant peer-to-peer malware botnet, has recently become active by deploying both ransomware and a cryptominer in attacks specifically targeting Redis servers. Tracked by Cado Security, P2PInfect appears to function as a “botnet for hire,” though definitive conclusions about its operators remain elusive. The malware was first documented in mid-2023 and primarily exploits vulnerabilities in Redis servers using replication features to propagate.
By December 2023, P2PInfect evolved with a variant targeting MIPS processors found in IoT devices and routers. Its latest iteration, observed from May 16, 2024, includes a command to download and execute ransomware, alongside activating a Monero cryptominer. This dual-threat approach encrypts targeted files and hijacks system resources for monetary gain. Moreover, the malware incorporates a user-mode rootkit to conceal its processes and operations from security tools, complicating detection and mitigation efforts.
Cado Security’s ongoing investigation underscores P2PInfect’s transformation from an experimental entity to a significant menace, capable of inflicting substantial damage and financial loss. Its ability to exploit Redis vulnerabilities and evade detection highlights the evolving sophistication of modern cyber threats. Organizations utilizing Redis servers are advised to update their security measures and monitor for suspicious activity to mitigate potential risks posed by P2PInfect and similar malware threats.
Reference:
