Cybersecurity researchers uncover P2PInfect malware variant targeting IoT devices

Cybersecurity experts at Cado Security Labs have recently identified a new version of the P2PInfect botnet, which presents an increased threat by focusing on IoT devices.

This new variant of P2PInfect, built for the MIPS (Microprocessor without Interlocked Pipelined Stages) architecture, marks a notable expansion in the malware’s capabilities, potentially leading to broader infections.

Matt Muir, a security researcher, underscored the importance of the MIPS target, suggesting a strategic move by the creators of P2PInfect to infiltrate routers and IoT devices.

First reported in July 2023, the P2PInfect malware, which is Rust-based, became infamous for exploiting a severe Lua sandbox escape flaw (CVE-2022-0543, CVSS score: 10.0), breaching unsecured Redis instances.

The latest versions are crafted to launch SSH brute-force attacks on devices with 32-bit MIPS processors, using enhanced methods to evade detection and resist analysis.

These brute-force attacks on SSH servers utilise commonly found username and password combinations embedded in the ELF binary. The malware appears to use both SSH and Redis servers as means of spreading, especially given that a Redis server can run on MIPS through OpenWrt's redis-server package.
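As an added defender-side example (not code from Cado's report or from the malware), the following Python flags sources that produce a burst of failed SSH logins spread across several usernames, the trace a wordlist-driven bot like the one described leaves in sshd's auth log. The log lines are constructed for the example; the hostname, year and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" line in a syslog-style auth log. The classic syslog
# timestamp omits the year, so a year is assumed when parsing.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample: one source cycling through several usernames in a few
# seconds, and one legitimate user who mistyped a password once.
SAMPLE_LOG = [
    "Dec 14 10:15:01 gw sshd[812]: Failed password for root from 203.0.113.7 port 41122 ssh2",
    "Dec 14 10:15:03 gw sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 41130 ssh2",
    "Dec 14 10:15:04 gw sshd[814]: Failed password for invalid user user from 203.0.113.7 port 41131 ssh2",
    "Dec 14 10:15:06 gw sshd[815]: Failed password for root from 203.0.113.7 port 41140 ssh2",
    "Dec 14 10:15:09 gw sshd[816]: Failed password for invalid user guest from 203.0.113.7 port 41152 ssh2",
    "Dec 14 10:20:00 gw sshd[901]: Failed password for alice from 198.51.100.2 port 5000 ssh2",
    "Dec 14 10:20:30 gw sshd[902]: Accepted password for alice from 198.51.100.2 port 5000 ssh2",
]

def parse_failures(lines, year=2023):
    """Yield (timestamp, username, source_ip) for each failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: (total_failures, distinct_usernames)} for every source with
    at least `threshold` failures inside some `window_s`-second window.
    Distinct usernames are reported because a bot working through embedded
    username/password pairs fans out across accounts, unlike a forgetful user."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        per_ip[ip].append((ts, user))
    hits = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(events), len({u for _, u in events}))
                break
    return hits

if __name__ == "__main__":
    for ip, (n, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins across {users} usernames")
```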

The evasion tactics of the malware include self-destruction during analysis and efforts to disable Linux core dumps, which are files produced by the kernel following an unexpected crash of a process. Additionally, the MIPS variant contains a 64-bit Windows DLL module for Redis, enabling the execution of shell commands on affected systems.

Cado Security has highlighted the significance of these developments. The increased range of P2PInfect, combined with sophisticated evasion methods and Rust’s cross-platform capabilities, points to the involvement of a highly skilled threat actor.
