New P2Pinfect botnet malware targets Redis servers

A novel strain of malware has been observed targeting susceptible Redis servers to ensnare them into a botnet.

Dubbed “P2Pinfect” by its developers, the malware is a peer-to-peer self-replicating worm that comes in versions for both Windows and Linux.

The P2Pinfect malware was initially detailed by researchers at Palo Alto Networks’ Unit 42, who discovered it exploited CVE-2022-0543, a Lua sandbox escape vulnerability present in certain versions of Redis.

The worm uses a number of known Redis exploitation methods for initial access, according to researchers with Cado Security. In the observed attack, a threat actor breached Cado’s honeypot infrastructure by exploiting the replication feature in Redis.

“A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command,” the researchers wrote in a technical report.

The primary payload is an ELF file written in a combination of C and Rust using Rust’s foreign function interface (FFI) library. Upon execution, the binary updates the SSH configuration of the host “to a near default state”, allowing the attacker to connect to the server via SSH and enable password authentication.
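The two host-side indicators described above, a Redis instance turned into a replica of an unknown master via SLAVEOF and password authentication switched on in sshd_config, can be checked from captured `INFO replication` output and the sshd_config text. This is an added example, not code from Cado Security or Unit 42; the master address, allow-list and config lines are constructed.

```python
"""Audit Redis replication state and sshd_config for the P2Pinfect indicators."""
import re

# Constructed `INFO replication` output from an instance pointed at an
# unknown master with SLAVEOF (203.0.113.45 is a documentation address).
INFO_REPLICATION = """# Replication
role:slave
master_host:203.0.113.45
master_port:6379
master_link_status:up
"""

# Constructed sshd_config fragment after password authentication was enabled.
SSHD_CONFIG = """Port 22
PasswordAuthentication yes
"""


def parse_info(text):
    """Turn Redis INFO output (key:value lines, # comments) into a dict."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_replication(info, allowed_masters):
    """Flag a replica whose master is not on the operator's allow-list."""
    if info.get("role") != "slave":
        return None
    master = f"{info.get('master_host')}:{info.get('master_port')}"
    if master in allowed_masters:
        return None
    return f"replica of unexpected master {master} (possible SLAVEOF abuse)"


def check_sshd(config_text):
    """Flag PasswordAuthentication yes; sshd keywords are case-insensitive."""
    pattern = re.compile(r"^\s*passwordauthentication\s+yes\b", re.IGNORECASE)
    return ["PasswordAuthentication enabled"
            for line in config_text.splitlines() if pattern.match(line)]


def audit(info_text, sshd_text, allowed_masters=()):
    """Return the list of findings for one host (empty list means clean)."""
    findings = []
    repl = check_replication(parse_info(info_text), set(allowed_masters))
    if repl:
        findings.append(repl)
    findings.extend(check_sshd(sshd_text))
    return findings


if __name__ == "__main__":
    for finding in audit(INFO_REPLICATION, SSHD_CONFIG):
        print("FINDING:", finding)
```

On a live host the same functions can be fed the output of `redis-cli INFO replication` and the contents of /etc/ssh/sshd_config.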

“P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2. The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder. This is due to the complexity of Rust itself, the inclusion of C code due to the Foreign Function Interface feature, and the lack of tooling available for analysis,” the researchers concluded.
