June 27, 2024 at 10:39AM
P2PInfect, a peer-to-peer botnet, has shifted from being dormant to a financially motivated operation, targeting misconfigured Redis servers with ransomware and cryptocurrency miners. It spreads by abusing Redis replication to turn victim systems into follower nodes, and has been updated to target MIPS and ARM architectures. The malware uses a mesh network to push out updated binaries and is suspected to be a botnet-for-hire service. Other threats targeting vulnerable web servers have also been identified.
The peer-to-peer malware botnet known as P2PInfect has transitioned into a financially motivated operation. It has been observed targeting misconfigured Redis servers with ransomware and cryptocurrency miners, and has recently received updates to target MIPS and ARM architectures. It spreads by abusing the Redis replication feature: an exposed, unauthenticated instance is told to replicate from an attacker-controlled master, which is how the payload is delivered, and each infected node then scans the internet for more exposed servers.
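The replication abuse described above only works against a Redis instance that is reachable from the internet, accepts unauthenticated commands, and still exposes SLAVEOF/REPLICAOF and MODULE. The following audit script is an added example, not code from the article or from any P2PInfect analysis. It parses a redis.conf-style text and the output of `INFO replication`, flags the weak settings next to a hardened counterpart, and runs entirely offline; the configuration snippets, the replication output, the IP addresses and the `trusted_masters` allowlist are all constructed for the demo.

```python
"""Offline audit of Redis settings that replication-based worms such as
P2PInfect depend on. Added example: inspects config text and INFO output,
never connects to a server. All sample inputs below are constructed."""

# Commands needed to make a victim replicate from a hostile master and load
# a payload; a hardened config renames them away (or restricts them via ACL).
DANGEROUS_COMMANDS = {"slaveof", "replicaof", "module", "config", "debug"}
OPEN_BIND = {"0.0.0.0", "*", "::", "::*"}  # tokens that mean "all interfaces"


def parse_conf(text):
    """Return {directive: [value_tokens, ...]} for a redis.conf body."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def _bind_is_open(tokens):
    # Redis 7 allows an optional leading '-' on bind addresses ("-::1").
    return any(tok.lstrip("-") in OPEN_BIND for tok in tokens)


def audit_conf(text, trusted_masters=()):
    """Return a list of findings; an empty list means no weak setting found."""
    conf = parse_conf(text)
    findings = []

    binds = conf.get("bind")
    if not binds or any(_bind_is_open(v) for v in binds):
        findings.append("bind: listens on all interfaces (use bind 127.0.0.1 or a private address)")

    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")

    if "requirepass" not in conf and "user" not in conf:
        findings.append("no requirepass and no ACL users: server is unauthenticated")

    renamed = {v[0].lower() for v in conf.get("rename-command", []) if v}
    for cmd in sorted(DANGEROUS_COMMANDS - renamed):
        findings.append(f'{cmd.upper()} reachable (rename-command {cmd.upper()} "" to disable)')

    for v in conf.get("replicaof", []) + conf.get("slaveof", []):
        if v and v[0] not in trusted_masters:
            findings.append(f"replicaof {v[0]}: replicating from an untrusted master")
    return findings


def audit_info_replication(info_text, trusted_masters=()):
    """Flag a live server that has been turned into a replica of an unknown master.
    Input is the text returned by `INFO replication` (CRLF-separated key:value)."""
    fields = dict(line.strip().split(":", 1) for line in info_text.splitlines()
                  if ":" in line and not line.startswith("#"))
    role = fields.get("role")
    if role in ("slave", "replica") and fields.get("master_host") not in trusted_masters:
        return f"role {role} with unexpected master {fields.get('master_host')}:{fields.get('master_port')}"
    return None


# Constructed sample: the shape of an exposed, unauthenticated instance.
VULNERABLE_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: same server hardened (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass ChangeMe-PlaceholderOnly
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Constructed INFO replication outputs; 203.0.113.10 is a documentation address.
SUSPICIOUS_INFO = "# Replication\r\nrole:slave\r\nmaster_host:203.0.113.10\r\nmaster_port:6379\r\nmaster_link_status:up\r\n"
HEALTHY_INFO = "# Replication\r\nrole:master\r\nconnected_slaves:0\r\n"

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or "OK")
    print(audit_info_replication(SUSPICIOUS_INFO, trusted_masters=("10.0.0.5",)))
```

Feed it the real artefacts with `redis-cli CONFIG GET '*'` (reformatted as directives) and `redis-cli INFO replication`; an unexpected `role:slave` pointing at an address outside your own replica topology is the live indicator of this kind of takeover.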
P2PInfect is a peer-to-peer botnet that forms a large mesh network; the malware author uses it to push updated binaries across the network through a gossip mechanism, with every infected machine acting as a node. It has also been found to drop miner and ransomware payloads. The ransomware encrypts files matching certain extensions and leaves a ransom note urging victims to pay 1 XMR (~$165). It additionally deploys a new user-mode rootkit to hide its processes and files from security tools.
The theory that P2PInfect is advertised as a botnet-for-hire service is bolstered by two observations: the wallet addresses used by the miner and the ransomware are different, and the miner is configured to take as much processing power as it can, which interferes with the ransomware's own operation. Payloads that compete with each other in this way point to separate customers rather than a single coordinated operator. The ransomware's leverage is also limited by its targets: Redis servers primarily hold ephemeral in-memory data, so there is often little of value on disk to hold to ransom.
Furthermore, vulnerable web servers with unpatched flaws or poor security are being targeted by suspected Chinese-speaking threat actors to deploy crypto miners. Additionally, botnets such as UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and compute providers to host and distribute malware payloads and updates to a broad range of devices, which makes it harder for defenders to disrupt an attack by blocking infrastructure.
These developments highlight the growing sophistication and adaptability of malware threats, and the importance of basic proactive measures: keeping Redis off the public internet and behind authentication, patching exposed web servers, and monitoring for unexpected replication or CPU spikes that betray a miner.