Recent media reports have brought to light the P2PInfect malware. The peer-to-peer botnet has been found targeting and exploiting the Redis server’s vulnerability with ransomware and crypto miners. The malware that was once deemed to be dormant and without motive is not being used by threat actors with financial motives.

In this blog, we will dive deep into the P2PInfect malware and comprehend what makes it a threat of paramount concern.

The P2PInfect Malware Uncovered

The P2PInfect malware emerged one year ago and has ever since received continuous updates. The use of the malware was discovered earlier in January when it was seen delivering miner payloads. The P2PInfect malware has been spreading by targeting the Redis server.

It exploits the server’s replication feature, which transforms victims’ systems in a follower node of a server controlled by the threat actor. Another intriguing ability of this peer-to-peer botnet is that it can scan the internet for more vulnerable web servers. In addition, the P2PInfect malware has an SSH password sprayer module.

The module can be used as a part of the attack chain and helps threat actors carry out login attempts using common passwords. Some other key abilities that make the malware a paramount threat include its ability to:

• Keep other cyber criminals from attacking the same server.
• Restarting the SSH service with root permission.
• Allowing threat actors to perform privilege escalation.

P2PInfect Malware: Botnet’s Structure And Expert Insight

Before diving into the expert insight, those keen on cybersecurity must know that a key feature of the malware is its architecture. With this malware, each infected machine acts as a node part of a larger mesh network. This structure facilitates the rapid dissemination of both commands and updates.

Such a structure allows the threat actors to ensure the malware can evade detection without compromising its foothold on the victims’ systems. The botnet has been analyzed by experts due to its severity. Commenting on the P2PInfect malware, Patrick Tiquet, Vice President of Security and Architecture at Keeper Security has stated that:

“The development of P2Pinfect is a typical example of how sophisticated malware develops, often focusing on spreading and establishing a solid foothold within networks during the initial phase, using techniques like exploiting software vulnerabilities or employing password spraying.”

Another expert, Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, has also stated that:

“It’s essential that cyber threat intelligence (CTI) teams monitor and manage evolving tactics, techniques, and procedures (TTPs) of bad actors for attribution, as well as changes in the threatscape and indicators as to where companies should focus to best reduce risk.”

Conclusion

The recently discovered malware has become a severe emerging threat for internet users worldwide. After its initial discovery in June 2023, the malware was deemed dormant and one without any motives. However, recent active exploits pertaining to it have unearthed that it’s being used for financial gains.

As of now, the P2PInfect malware can escalate privileges, restart SSH servers with root permission, and more. Given this, implementing robust cybersecurity measures has become a necessity as it can improve security posture, reduce exposure to risk, and allow organizations to combat such threats.

The sources for this piece include The Hacker News and HACK READ.

The post P2PInfect Botnet Using Miner And Ransomware Payload appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/p2pinfect-botnet-using-miner-and-ransomware-payload/