Cybersecurity researchers have recently identified a novel variant of the emerging P2PInfect botnet, capable of targeting routers and IoT devices. Cado Security Labs reports that the latest version of this malware is specifically compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, expanding its capabilities and potential impact. Security researcher Matt Muir suggests that the focus on MIPS indicates a deliberate effort by P2PInfect developers to infect routers and IoT devices with the malware.
P2PInfect, first disclosed in July 2023 as a Rust-based malware, initially targeted unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to gain initial access. Subsequent analysis by a cloud security firm in September revealed increased P2PInfect activity, coinciding with the release of iterative variants of the malware.
The latest artifacts from P2PInfect not only attempt SSH brute-force attacks on embedded devices with 32-bit MIPS processors but also incorporate updated evasion and anti-analysis techniques to operate discreetly. During the scanning phase, brute-force attempts against SSH servers were observed, utilizing common username and password pairs present within the ELF binary itself. It is suspected that both SSH and Redis servers serve as propagation vectors for the MIPS variant, considering the possibility of running a Redis server on MIPS using the OpenWrt package known as redis-server.
The malware employs notable evasion methods, including a check to determine if it is under analysis, terminating itself if detected, and an attempt to disable Linux core dumps generated after a process crashes unexpectedly. Additionally, the MIPS variant features an embedded 64-bit Windows DLL module for Redis, enabling the execution of shell commands on compromised systems.
Cado underscores the significance of these developments, emphasizing the widening scope for P2PInfect developers with support for more processor architectures, resulting in a larger botnet. The incorporation of Rust for cross-platform development and the rapid growth of the botnet reinforce the belief that this campaign is orchestrated by a sophisticated threat actor.
Key Features of the MIPS Variant
- Targeting MIPS Devices: The new variant targets devices with 32-bit MIPS processors, an architecture prevalent in embedded systems such as routers, residential gateways, IoT devices, and video game consoles.
- SSH Brute-Force Attacks: The malware attempts SSH brute-force attacks against devices using weak credentials and uploads the MIPS binary via SFTP and SCP.
- Redis Server on MIPS Devices: The researchers spotted attempts to run the Redis server on MIPS devices through an OpenWrt package named ‘redis-server’.
- Embedded 64-bit Windows DLL Module: The new P2PInfect is a 32-bit ELF binary with no debug information and an embedded 64-bit Windows DLL, which acts as a loadable module for Redis to enable shell command execution on the host.
- Evasion Mechanisms: The newest variant implements evasion mechanisms such as the self-termination on detecting analysis and the disabling of core dumps described above, making its detection and analysis more challenging.
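Because Redis is named above as a propagation vector and the embedded DLL is loaded as a Redis module, a defender's first check is whether a Redis instance is reachable without a password and allows runtime module loading. The following audit script is an added example, not code from Cado or from the P2PInfect report; the two configs it inspects are constructed samples, and the directive names are standard redis.conf directives (enable-module-command exists from Redis 7.0).

```python
"""Audit a redis.conf for settings that leave an instance open to
unauthenticated access and runtime module loading."""
import re

# Constructed sample configs (not taken from any real host).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass left unset
enable-module-command yes
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
requirepass CHANGE-ME-long-random-secret
enable-module-command no
rename-command CONFIG ""
"""


def parse_conf(text):
    """Return {directive: last value}, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means no weak setting found."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind", "")
    # No bind line, or a wildcard address, exposes the instance on every interface.
    if not bind or re.search(r"(^|\s)(0\.0\.0\.0|\*|::)(\s|$)", bind):
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", "yes") == "no":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass: no password set")
    # Redis 7+: MODULE LOAD is only accepted at runtime when this is 'yes'.
    if conf.get("enable-module-command", "no") != "no":
        findings.append("enable-module-command: MODULE LOAD allowed at runtime")
    return findings
```

Redis releases before 7.0 have no enable-module-command directive and always accept MODULE LOAD, so on those versions the equivalent hardening is to disable the command with rename-command MODULE "".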
Impact and Prevalence
P2PInfect has been reported in countries such as China, the United States, Germany, the United Kingdom, Singapore, Hong Kong, and Japan. The malware’s growth and the increasing number of variants detected in the wild suggest that the authors are actively improving their bot.
To protect against this threat, it is essential to keep devices updated, use strong credentials, and implement robust security measures.