Stealthier version of P2Pinfect malware targets MIPS devices

December 4, 2023 at 05:05PM

New variants of the P2Pinfect botnet target 32-bit MIPS processor devices, exploiting weak credentials and using sophisticated evasion techniques. Initial focus was on Redis servers, but the scope has expanded to include routers and IoT devices globally. Objectives of the malware operators remain unclear.

**Meeting Takeaways: Focus on P2Pinfect Botnet Developments**

1. **Targeting Shift**: P2Pinfect botnet has evolved to infect 32-bit MIPS processor devices, predominantly routers and IoT devices, which employ MIPS due to efficiency and compactness.

2. **Initial Discovery**: First reported in July 2023 by Palo Alto's Unit 42, when it targeted Redis servers through the CVE-2022-0543 vulnerability.

3. **Propagation Methods**: Initially it abused the Redis replication feature to spread. Recent observations show it also propagating over SSH to MIPS devices with weak credentials, and exploiting the OpenWRT 'redis-server' package.

4. **Technical Analysis**: Cado Security dissected the latest variant: a 32-bit ELF binary, stripped of debug information, with an embedded 64-bit Windows DLL for Redis that enables shell command execution.

5. **Evasion Techniques**: The new variant uses several evasion mechanisms, including checking for signs of debugging, disabling Linux core dumps, and virtual machine detection performed by the embedded DLL.

6. **Coding Prowess and Intentions**: The botnet’s evolving complexity suggests a high skill level of its developers. However, the definitive motives remain uncertain, with possibilities ranging from cryptocurrency mining, DDoS attacks, traffic proxying, to data theft.

7. **Geographic Impact**: The botnet has spiked in activity, particularly affecting the USA, Germany, the UK, Japan, Singapore, Hong Kong, and China.

8. **Security Measures**: Due to the botnet’s capabilities and resistance to detection and analysis, enhanced security measures, like strong SSH credentials and mitigation against known vulnerabilities, should be prioritized by affected device owners and networks.
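A defender-side triage heuristic for the characteristic described in item 4, added here as an example (not code from the article or from Cado Security's analysis): it reads the ELF header to confirm a 32-bit MIPS binary, then scans the file for an embedded PE image whose COFF header marks it as an AMD64 DLL. The sample bytes are constructed inline; field offsets follow the public ELF and PE header layouts.

```python
import struct

EM_MIPS = 8                      # e_machine value for MIPS
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag

def elf_info(data):
    """Return (bitness, e_machine) for an ELF blob, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = 32 if data[4] == 1 else 64          # EI_CLASS
    endian = "<" if data[5] == 1 else ">"      # EI_DATA (MIPS is often big-endian)
    machine = struct.unpack(endian + "H", data[18:20])[0]
    return bits, machine

def embedded_pe_files(data):
    """Yield (offset, machine, is_dll) for every PE image found inside data."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            hdr = pos + e_lfanew
            if e_lfanew < len(data) and hdr + 24 <= len(data) and data[hdr:hdr + 4] == b"PE\0\0":
                machine, = struct.unpack_from("<H", data, hdr + 4)   # COFF Machine
                chars, = struct.unpack_from("<H", data, hdr + 22)    # COFF Characteristics
                yield pos, machine, bool(chars & IMAGE_FILE_DLL)
        pos = data.find(b"MZ", pos + 1)

def triage(data):
    """True when a 32-bit MIPS ELF carries an embedded 64-bit Windows DLL."""
    if elf_info(data) != (32, EM_MIPS):
        return False
    return any(m == IMAGE_FILE_MACHINE_AMD64 and dll for _, m, dll in embedded_pe_files(data))

def build_sample():
    """Constructed test input: ELF32 big-endian MIPS header, then a minimal AMD64 DLL stub."""
    elf = (b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\0" * 8 + struct.pack(">HH", 2, EM_MIPS)).ljust(64, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64) + b"\0" * 16 + struct.pack("<H", 0x2102)
    return elf + dos + coff

if __name__ == "__main__":
    print("suspicious:", triage(build_sample()))
```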
