June 25, 2024 at 06:08AM
P2PInfect, initially a dormant malware botnet, has become active, deploying ransomware and a cryptominer on Redis servers. Cado Security reports conflicting evidence about its motives and identifies new features such as cron-based persistence mechanisms and SSH lockout. The malware also targets 32-bit MIPS processors. It now poses a genuine threat to Redis servers.
From the meeting notes, it is clear that P2PInfect, a previously dormant peer-to-peer malware botnet, has evolved and now poses a significant threat to Redis servers. Cado Security has been extensively tracking the activities of P2PInfect, uncovering a series of developments and modules that indicate its transformation into a serious threat.
The botnet has been observed carrying out ransomware attacks and deploying a cryptominer on infected devices. The ransomware module, named rsagen, encrypts specific file types and appends the ‘.encrypted’ extension to the encrypted files while containing its damage within the privilege level of the compromised Redis user. Additionally, it utilizes a user-mode rootkit to conceal its processes and files from security tools.
Moreover, the botnet’s cryptominer has been activated and has generated approximately 71 XMR (Monero), equivalent to about $10,000. Notably, the cryptominer is configured to use all available processing power, potentially conflicting with the operation of the ransomware module.
Cado Security’s research has raised questions regarding whether P2PInfect is rented to multiple cybercriminals or operated by a core team, with inconclusive evidence supporting both scenarios.
Overall, the key takeaway is that P2PInfect has transitioned from an experiment to a formidable threat to Redis servers, capable of data destruction and profiting from hijacked computational resources.