P2PInfect is a new peer-to-peer (P2P) worm that actively targets Redis servers on both Linux and Windows, which makes it more scalable and powerful than earlier Redis worms.
While not all Redis instances are vulnerable, administrators should still anticipate compromise attempts from this new P2P worm.
Palo Alto Networks Unit 42 researchers discovered this new cross-platform, Rust-based P2P worm, which is actively targeting Redis, especially instances running in cloud containers.
Flaw Exploited
P2PInfect targets Redis instances through the CVE-2022-0543 vulnerability. Unit 42 found more than 307,000 Redis systems communicating publicly, of which 934 may be vulnerable to this P2P worm.
CVE-2022-0543, a Lua sandbox escape vulnerability disclosed in 2022, carries a Critical CVSS score of 10.0. The full scope of the campaign is unknown, but P2PInfect exploits Redis on both Linux and Windows, which broadens its reach.
P2PInfect uses CVE-2022-0543 for initial access and then establishes P2P communication with a larger network. It fetches additional malicious binaries (scripts and scanning tools) and joins the P2P network so that it can infect further Redis servers.
Unit 42 suspects P2PInfect is the initial stage of a more potent attack backed by a robust P2P C2 network: the toolkit mentions a “miner,” but no cryptomining activity has been observed.
Besides this, the network's “auto-updating” mode lets the operators push new payloads to expand their malicious operations.
The vulnerability was exploited in earlier attacks (Muhstik, Redigo), which caused DoS and brute-forcing. P2PInfect follows a similar entry pattern but differs significantly in its post-exploitation operations.
Self-replicating P2P Worm
On July 11, 2023, Unit 42 found the first P2PInfect instance via HoneyCloud, its cloud-based honeypot detection system.
P2PInfect also uses the P2P network to transmit its malicious binaries, which the author named after symbols from the project's structure.
Artifacts of the Windows version: file names and Redis module (Source: Unit 42)
P2PInfect exploits CVE-2022-0543 and establishes P2P communication to deliver payloads into cloud containers. Unlike worms that rely on cron services for RCE, it adapts to container environments and therefore covers more vulnerable scenarios.
Technical Analysis
On Windows, P2PInfect runs a Monitor process (C:\Users\username\AppData\Local\Temp\cmd.exe) that keeps the malware running on the infected host.
Once started, the Monitor (cmd.exe) downloads new versions from the P2P network, persists them under random names in the original folder, and drops an encrypted configuration file (.conf).
Some initial-payload P2PInfect samples were UPX-packed, whereas the second-stage binaries (miner and winminer) were not.
Experts advise monitoring Redis applications both on-premises and in the cloud, and ensuring that no randomly named files appear in /tmp. DevOps teams should continuously supervise instances for legitimate operations and network access.
They also urge keeping all Redis instances updated to the latest available version, which helps mitigate this worm.
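As an added illustration of the /tmp check recommended above (not part of the original article or of Unit 42's tooling), the following Python script flags executable files whose names look randomly generated. The name pattern and entropy threshold are assumed heuristics, and the sample directory is constructed in a temporary folder rather than scanning the real /tmp.

```python
import math
import os
import re
import shutil
import stat
import tempfile
from collections import Counter

# Heuristic for the article's advice: P2PInfect persists its binaries
# under random names in the drop directory (/tmp on Linux). We flag
# executable regular files whose base name is a long alphanumeric token
# with no extension and high character entropy. Both values are assumed
# tuning choices, not figures from the article.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8,}$")
ENTROPY_THRESHOLD = 3.0  # bits per character

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(name):
    return bool(RANDOM_NAME_RE.match(name)) and shannon_entropy(name) >= ENTROPY_THRESHOLD

def is_executable(path):
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def find_suspicious(tmp_dir):
    """Return sorted names of executable, random-looking files in tmp_dir."""
    hits = []
    for name in os.listdir(tmp_dir):
        path = os.path.join(tmp_dir, name)
        if is_executable(path) and looks_random(name):
            hits.append(name)
    return sorted(hits)

def demo():
    # Constructed sample directory standing in for /tmp; two random-named
    # executables, one legitimate-looking directory-style name, one text file.
    d = tempfile.mkdtemp()
    try:
        for name, exe in [("xK9qT2mWz4bL", True), ("systemd-private-abc", False),
                          ("notes.txt", False), ("a1B2c3D4e5", True)]:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("x")
            if exe:
                os.chmod(p, 0o755)
        return find_suspicious(d)
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    print(demo())  # prints ['a1B2c3D4e5', 'xK9qT2mWz4bL']
```

Point find_suspicious at /tmp on a real host; treat hits as leads for investigation, not proof of infection.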