New P2Pinfect botnet malware targets Redis servers

A novel strain of malware has been observed targeting susceptible Redis servers to ensnare them into a botnet.

Dubbed “P2Pinfect” by its developers, the malware is a peer-to-peer self-replicating worm that comes in versions for both Windows and Linux.

The P2Pinfect malware was initially detailed by researchers at Palo Alto Networks’ Unit 42, who discovered it exploited CVE-2022-0543, a Lua sandbox escape vulnerability present in certain versions of Redis.

The worm uses a number of known Redis exploitation methods for initial access, according to researchers with Cado Security. In the observed attack, a threat actor breached Cado’s honeypot infrastructure by exploiting the replication feature in Redis.

“A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command,” the researchers wrote in a technical report.

The primary payload is an ELF file written in a combination of C and Rust using Rust’s foreign function interface (FFI) library. Upon execution, the binary updates the SSH configuration of the host “to a near default state”, allowing the attacker to connect to the server via SSH, and enables password authentication.
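The two weaknesses described above, an exposed Redis instance whose replication commands any client can issue and an sshd_config reset to accept password logins, are both visible in configuration files. The following is an added example, not code from the article or from the Cado or Unit 42 researchers: a small audit script that parses constructed sample copies of redis.conf and sshd_config and reports the settings a defender would want to check. The sample configurations are constructed for illustration, and disabling SLAVEOF/REPLICAOF via rename-command is assumed here as one hardening approach (Redis ACLs are another); the parser is a simplification of both file formats.

```python
from __future__ import annotations

from typing import Dict, List

# Constructed sample: an exposed Redis instance of the kind the article describes
# (reachable on all interfaces, protected mode off, no password, replication
# commands available to any client that connects).
WEAK_REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass left unset
"""

# Constructed sample: the same instance after hardening.
HARDENED_REDIS_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass change-me-to-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
"""

# Constructed sample: sshd_config in the "near default" state the article
# describes, where password logins are accepted again.
WEAK_SSHD_CONF = """
PasswordAuthentication yes
PermitRootLogin yes
PermitEmptyPasswords no
"""

# Constructed sample: key-only SSH access.
HARDENED_SSHD_CONF = """
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
"""


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Parse 'key value' lines as used by both redis.conf and sshd_config.

    '#' starts a comment, keys are lower-cased, and repeated keys keep every
    value in file order so each auditor can apply its own precedence rule.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(value)
    return directives


def audit_redis(conf: str) -> List[str]:
    """Report settings that leave Redis exposed to the SLAVEOF replication abuse."""
    d = parse_directives(conf)
    findings: List[str] = []
    # Redis: a later directive overrides an earlier one; no bind = all interfaces.
    binds = " ".join(d.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("redis: listens on all interfaces (bind)")
    if d.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not any(v for v in d.get("requirepass", [])):
        findings.append("redis: no requirepass set")
    # rename-command <CMD> "" disables the command entirely.
    disabled = {
        v.split()[0].upper()
        for v in d.get("rename-command", [])
        if v.endswith('""')
    }
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"redis: {cmd} command still reachable by clients")
    return findings


def audit_sshd(conf: str) -> List[str]:
    """Report sshd settings that re-enable password-based logins."""
    d = parse_directives(conf)
    findings: List[str] = []

    def first(key: str, default: str) -> str:
        # sshd_config: the FIRST occurrence of a keyword wins.
        return d.get(key, [default])[0].lower()

    if first("passwordauthentication", "yes") == "yes":
        findings.append("sshd: PasswordAuthentication enabled")
    if first("permitrootlogin", "prohibit-password") == "yes":
        findings.append("sshd: PermitRootLogin yes")
    if first("permitemptypasswords", "no") == "yes":
        findings.append("sshd: PermitEmptyPasswords enabled")
    return findings


if __name__ == "__main__":
    for label, conf, fn in (
        ("weak redis.conf", WEAK_REDIS_CONF, audit_redis),
        ("hardened redis.conf", HARDENED_REDIS_CONF, audit_redis),
        ("weak sshd_config", WEAK_SSHD_CONF, audit_sshd),
        ("hardened sshd_config", HARDENED_SSHD_CONF, audit_sshd),
    ):
        print(label, "->", fn(conf) or ["no findings"])
```

Run against the real files (`/etc/redis/redis.conf`, `/etc/ssh/sshd_config`) the same functions give a quick read of whether an instance is reachable without authentication and whether an attacker who gains a shell could fall back to password SSH logins; a sudden change in the sshd findings on a host is itself worth alerting on.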

“P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2. The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder. This is due to the complexity of Rust itself, the inclusion of C code due to the Foreign Function Interface feature, and the lack of tooling available for analysis,” the researchers concluded.
