P2PInfect (Worm) – Malware

September 5, 2024

P2PInfect

Type of Malware: Worm
Country of Origin: Unknown
Date of Initial Activity: 2023
Associated Groups: Unknown
Motivation: Financial Gain
Attack Vectors: Software Vulnerabilities
Targeted Systems: Windows, Linux

Overview

P2PInfect marks a significant development in self-replicating malware. Discovered on July 11, 2023, by Unit 42 cloud researchers, it is a peer-to-peer (P2P) worm written in Rust, a language known for its performance and scalability. Unlike traditional malware, P2PInfect exploits the Lua sandbox escape vulnerability CVE-2022-0543 to compromise and spread through Redis instances, a widely used open-source database that runs on both Linux and Windows. Its P2P network both drives propagation and delivers additional malicious payloads, opening a new chapter in how worms can operate and proliferate within cloud environments.

P2PInfect can infect across platforms by exploiting a critical vulnerability that has been linked to significant earlier attacks but remains underexplored in this context. Exploiting CVE-2022-0543 gives the worm initial access to a Redis instance; it then opens a P2P communication channel to a broader botnet, through which it pulls down and deploys malicious binaries, including OS-specific scripts and scanning tools. An auto-update feature within the P2P network points to a deliberate design that lets the threat actors continuously enhance and adapt their operations, potentially turning P2PInfect into a tool for more complex attacks.

The choice of Rust further underscores the worm's advanced nature: robust, efficient code makes it effective in cloud container environments where traditional malware tactics might falter. Because it operates across different operating systems and environments, P2PInfect can exploit vulnerabilities in diverse settings, which makes it a particularly concerning threat. As researchers continue to analyze and monitor it, the full extent of P2PInfect's capabilities and its potential impact on cloud-based infrastructure remain under intense scrutiny.

Targets

Information.

How they operate

P2PInfect gains initial access by exploiting a vulnerability in a public-facing application: it targets Redis instances through the Lua sandbox escape vulnerability CVE-2022-0543. Successful exploitation gives the worm unauthorized access to the host, where it deploys its payload and establishes a foothold. This initial compromise is the critical step that sets the stage for everything that follows.

Once on the system, P2PInfect uses command-line instructions and scripting to run its payloads, including commands that set up persistence so it remains active through reboots and user logins. Persistence is achieved through boot or logon autostart execution, embedding the worm in the system's startup routines.

Its defining characteristic is a peer-to-peer (P2P) communication model, which lets the malware coordinate with other compromised systems and manage its operations through a decentralized network with no single point of failure. The same architecture drives its spread: infected nodes scan for other vulnerable Redis instances or services.

To evade detection, the worm obfuscates its files and information, making analysis harder for defenders. It can also escalate privileges through exploitation, though this is secondary to its primary objectives of infection and lateral movement. For lateral movement, P2PInfect uses its P2P network to propagate to and execute on other systems within the compromised environment; this horizontal spread amplifies the malware's impact and complicates remediation. While the worm may also engage in credential access and data staging, its primary focus remains maintaining its foothold and expanding its presence within the target network.
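As an added defender-side example (not code from this page or from Unit 42), the following Python check parses Redis MONITOR output and flags EVAL scripts that reference Lua library functions a sandboxed Redis script should never reach, which is the class of call CVE-2022-0543 exposed. The MONITOR lines, client addresses and timestamps are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Redis MONITOR output (not a real capture). One line per command:
# <unix_time> [<db> <client_ip:port>] "<CMD>" "<arg1>" ...
SAMPLE_MONITOR = """\
1720000000.100000 [0 10.0.0.5:41234] "PING"
1720000000.200000 [0 10.0.0.5:41234] "EVAL" "return redis.call('get', KEYS[1])" "1" "user:1"
1720000000.300000 [0 203.0.113.9:50211] "EVAL" "return package.loadlib" "0"
1720000000.400000 [0 203.0.113.9:50211] "EVAL" "local f = io.popen('id') return f:read('*a')" "0"
1720000000.500000 [0 10.0.0.7:40001] "SET" "session:42" "abc"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:\\.|[^"\\])*)"')  # MONITOR quotes every argument, escaping inner quotes

# Lua names a sandboxed Redis script should never be able to reach. The 'package' library is
# the one CVE-2022-0543 left exposed on affected Debian/Ubuntu builds; the rest are the usual
# follow-on calls once the sandbox is escaped.
ESCAPE_INDICATORS = ("package.loadlib", "io.popen", "os.execute", "loadfile", "dofile")


def parse_monitor_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (timestamp, client, args) for one MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("args"))]
    return m.group("ts"), m.group("client"), args


def find_sandbox_escape_attempts(monitor_text: str) -> List[Dict[str, str]]:
    """Flag every EVAL whose Lua body references an escape indicator (EVAL only: EVALSHA
    sends a hash, so scripts registered via SCRIPT LOAD must be checked at load time)."""
    findings = []
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, args = parsed
        if len(args) < 2 or args[0].upper() != "EVAL":
            continue
        hits = [ind for ind in ESCAPE_INDICATORS if ind in args[1]]
        if hits:
            findings.append({"ts": ts, "client": client, "indicators": ",".join(hits)})
    return findings
```

Patching Redis (or the distribution's Lua packaging) and keeping instances off the public internet remain the primary fix; this check only surfaces attempts against instances you are already monitoring.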

MITRE Tactics and Techniques

Initial Access
Exploit Public-Facing Application (T1190): P2PInfect exploits vulnerabilities in Redis instances, leveraging the Lua sandbox escape vulnerability (CVE-2022-0543) to gain initial access.
Execution
Command and Scripting Interpreter (T1059): The malware uses scripts and command-line instructions to execute its payloads and commands.
Persistence
Boot or Logon Autostart Execution (T1547): P2PInfect establishes persistence mechanisms to ensure it remains active even after reboots or logins.
Privilege Escalation
Exploitation for Client Execution (T1203): Exploits vulnerabilities to elevate privileges within the targeted systems, although this may be less directly observed.
Defense Evasion
Obfuscated Files or Information (T1027): The worm employs obfuscation techniques to evade detection by security solutions.
Credential Access
Credentials from Web Browsers (T1555): P2PInfect may collect credentials if it targets systems with web-based access credentials, although this is secondary to its primary functions.
Discovery
Network Service Scanning (T1046): P2PInfect scans for other vulnerable Redis instances or services within the network.
Lateral Movement
Internal Spearphishing (T1534): Although primarily a worm, P2PInfect can leverage its P2P network to spread and execute on other systems within the network.
Command and Control
Peer-to-Peer (T1095): Utilizes a peer-to-peer communication channel to coordinate with other compromised systems and manage its operations.
Exfiltration
Data Staged (T1074): May stage collected data before exfiltration, though this is less emphasized in the worm’s operational model.
Impact
Data Destruction (T1485): Potentially used to corrupt or delete data on infected systems, although this might be part of secondary payloads.
References:
  • P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm