Security researchers are warning about a new and dangerous twist in the P2PInfect malware. This malware, written in Rust, can infect cloud systems and was previously dormant. Now it has been updated to deploy ransomware and cryptominer programs on infected devices.
P2PInfect spreads by exploiting a weakness in a popular database program called Redis. This vulnerability (CVE-2022-0543) was identified in 2022, but many systems may still be unpatched.
Researchers at Cado Security revealed in a June 25 blog post that P2PInfect has evolved, adding cryptominer, ransomware, and rootkit capabilities. This sophisticated evolution exemplifies how advanced malware operates: initially spreading by exploiting vulnerabilities or employing password spraying, then establishing a foothold in networks, explained Patrick Tiquet of Keeper Security.
First identified in July 2023 by Palo Alto Networks’ Unit 42, P2PInfect targets vulnerable Redis instances, exploiting the Lua sandbox escape vulnerability. Its peer-to-peer nature allows it to spread across platforms, forming a resilient botnet.
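The two paragraphs above describe the entry point: Redis instances that are reachable, unauthenticated and running a vulnerable build. The following audit script is an added example written for this article, not code from Cado Security, Unit 42 or the Redis project. It parses a `redis.conf` and flags the exposure conditions a worm of this kind depends on (listening on all interfaces, `protected-mode` disabled, no authentication). The directive names are real Redis settings; the severity labels, the `Finding` type and the two sample configurations are constructed for illustration. Note that a configuration audit cannot tell you whether the installed package carries the CVE-2022-0543 fix; that still has to be checked against your distribution's package version.

```python
"""Audit a redis.conf for settings that leave an instance exposed to
network-borne exploitation (added example; assumptions are noted inline)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    severity: str   # constructed scale: "high" / "medium"
    directive: str  # the redis.conf directive the finding concerns
    message: str


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to the list of values it was given.

    redis.conf is line-oriented: `directive value...`, with `#` comments.
    Directives may repeat, so every value is kept in order.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


# Bind targets that expose the listener to every interface.
# A leading "-" in a bind token is Redis's "optional address" prefix
# and is stripped before comparison.
_EXPOSED_BIND = {"0.0.0.0", "*", "::", "::*"}


def audit_redis_conf(text: str) -> List[Finding]:
    """Return findings for the exposure conditions a Redis worm relies on."""
    conf = parse_redis_conf(text)
    findings: List[Finding] = []

    # 1. Listening on all interfaces. With no bind directive Redis
    #    listens on every interface by default.
    binds = conf.get("bind")
    if not binds:
        findings.append(Finding(
            "high", "bind",
            "no bind directive: Redis listens on all interfaces by default"))
    else:
        tokens = [t.lstrip("-") for b in binds for t in b.split()]
        if any(t in _EXPOSED_BIND for t in tokens):
            findings.append(Finding(
                "high", "bind",
                "bound to all interfaces: restrict to loopback or a private address"))

    # 2. protected-mode turned off (default is "yes"; last value wins).
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append(Finding(
            "high", "protected-mode",
            "protected-mode is disabled: unauthenticated remote clients are accepted"))

    # 3. No authentication configured, neither legacy requirepass nor ACL users.
    if "requirepass" not in conf and "user" not in conf:
        findings.append(Finding(
            "high", "requirepass",
            "no requirepass or ACL user: anyone who can reach the port can issue commands"))

    return findings


# Constructed sample: the kind of instance a Redis worm can reach.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance after hardening.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass PLACEHOLDER_STRONG_PASSWORD
rename-command CONFIG ""
"""


if __name__ == "__main__":
    for label, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for f in audit_redis_conf(conf_text) or [Finding("info", "-", "no findings")]:
            print(f"  {f.severity:5} {f.directive:15} {f.message}")
```

Running the module prints three high-severity findings for the weak configuration and none for the hardened one. The bind check treats a missing directive as exposed, because that is the Redis default; the authentication check accepts either the legacy `requirepass` or an ACL `user` line, since either one stops unauthenticated command execution.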
“The goal at this stage is to create a network of infected devices, avoiding detection by standard antivirus products,” Tiquet noted. “Once a significant number of devices are compromised, the malware can be updated with more destructive features.”
Ken Dunham of Qualys highlighted the worm’s unique resiliency, targeting weakly defended SSH accounts. “Stealth for survival matters to adversaries. They aim to maintain their foothold within networks,” Dunham emphasized.
As P2PInfect stealthily spreads, it underscores the need for robust cybersecurity measures. Regular audits, threat monitoring, and proactive defenses are crucial to combating such evolving threats and ensuring network integrity.