P2PInfect, a Rusty P2P Worm Targets Redis Servers on Linux and Windows Systems

Cyber Security Threat Summary:
“Palo Alto Networks Unit 42 researchers have discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms” (Security Affairs, 2023).

The worm is written in Rust and has been exploiting CVE-2022-0543, a Lua sandbox escape vulnerability in Redis instances. This vulnerability is also actively exploited by the Muhstik and Redigo botnets.

This latest malware exploits CVE-2022-0543 for initial access, drops an initial payload, and then establishes communication with the P2P network. The researchers identified over 307,000 unique public Redis systems over the last two weeks, of which 934 may be vulnerable to this worm.

The researchers note that the goal of the threat actors behind the botnet is still unclear. There were some instances of the word “miner” being used, but Unit 42 found no evidence of cryptocurrency mining operations.

Security Officer Comments:
After the worm connects to the P2P network, it downloads additional payloads. Trend Micro discovered P2PInfect in July 2023 using their HoneyCloud honeypot environment, which they use to identify and study novel cloud-based attacks across public environments.

The P2PInfect worm uses a P2P network to support and facilitate the transmission of malicious binaries. The malware uses a PowerShell script to establish and maintain communication with the P2P network. The PowerShell script uses the following encoded command to obfuscate the communication initiation:

“The P2PInfect worm appears to be well designed with several modern development choices. Key among these is the use of the Rust language, which provides resilient capabilities and the flexibility to allow the worm to rapidly spread across multiple operating systems,” conclude the experts. “The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape. At the same time, we believe it was purpose-built to compromise and support as many Redis vulnerable instances as possible across multiple platforms” (Palo Alto, 2023).

Suggested Correction(s):
Organizations should monitor all Redis deployments, both on-premises and in cloud environments, and check that no randomly named files appear in the /tmp directory.
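As an added example (not code from the page, Unit 42 or Trend Micro), the following Python script implements the suggested check: it scans a directory, /tmp by default, and reports filenames that look machine-generated. The length and entropy thresholds and the character-class heuristic are assumptions chosen for illustration, not indicators taken from the report.

```python
#!/usr/bin/env python3
"""Flag random-looking filenames in a directory (default /tmp).

Added example for the suggested correction above. Thresholds below are
assumptions for illustration, not values from the Unit 42 report.
"""
import math
import os
import sys

MIN_LEN = 8          # assumed: shorter names are too ambiguous to score
MIN_ENTROPY = 3.0    # assumed: Shannon entropy in bits per character


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic: long, purely alphanumeric, mixed classes, high entropy.

    Names containing separators ('.', '_', '-') are treated as structured,
    which keeps e.g. 'hsperfdata_root' and 'notes.txt' out of the report.
    """
    if len(name) < MIN_LEN or not name.isalnum():
        return False
    classes = sum(
        any(f(c) for c in name) for f in (str.islower, str.isupper, str.isdigit)
    )
    return classes >= 2 and shannon_entropy(name) >= MIN_ENTROPY


def flag_names(names) -> list:
    """Return the subset of names that look random, sorted."""
    return sorted(n for n in names if looks_random(n))


def scan_dir(path: str) -> list:
    """Return regular files (not symlinks) in `path` with random-looking names."""
    entries = (e.name for e in os.scandir(path) if e.is_file(follow_symlinks=False))
    return flag_names(entries)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for name in scan_dir(target):
        print(f"suspicious: {os.path.join(target, name)}")
```

Run it from cron or a host agent and alert on any hit; pair it with ownership or process-ancestry checks to cut false positives from legitimate temp files.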

Link(s):
https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
https://securityaffairs.com/148636/