The P2PInfect botnet has experienced a remarkable surge in activity, with a 600-fold increase in access attempts during September 2023, indicating a period of heightened code stability and expansion. This peer-to-peer malware initially identified by Unit 42 in July 2023 is known for exploiting Redis instances using a remote code execution vulnerability on exposed Windows and Linux systems.
Cado Security researchers, tracking the botnet since late July 2023, have observed global activity, impacting systems primarily in China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan. Moreover, the latest P2PInfect samples feature enhancements that bolster its ability to infect targets and highlight ongoing malware development efforts.
Furthermore, the surge in P2PInfect botnet activity has coincided with a proliferation of variants in the wild, indicating that the malware’s developers are rapidly evolving their tactics.
Researchers have noted a steady rise in initial access attempts, peaking at 3,619 access attempts during a single week in September 2023. To make matters worse, the latest samples of P2PInfect exhibit new capabilities that make it a stealthier and more formidable threat.
These include a cron-based persistence mechanism, SSH key usage to block legitimate users, and even root access to lock other users out by changing their passwords.
Despite the increase in activity and evolving features, the ultimate goals of P2PInfect remain unclear. Recent variants have attempted to fetch a miner payload, but no actual cryptocurrency mining activity has been observed on compromised devices.
This uncertainty leaves room for speculation, with the botnet’s operators possibly fine-tuning their operations or looking for potential subscribers to P2PInfect.
Given its expanding size, self-updating capabilities, and fast-paced growth, P2PInfect poses a substantial and evolving threat that demands continued vigilance.