A Linux botnet known as P2PInfect, once considered harmless, has recently undergone a significant transformation with the addition of malicious and exploitative components. First discovered about a year ago, the botnet used the Redis in-memory database to propagate across networks in a peer-to-peer manner, gradually building a botnet in its wake. Despite quietly infiltrating newly infected networks, it did not cause any substantial damage until now.
According to researchers at Cado Security, a recent update has injected new life into P2PInfect infections worldwide, introducing a fresh rootkit, cryptominer, and even ransomware components. Al Carchrie, the R&D lead solutions engineer at Cado Security, expressed surprise at the botnet’s evolution, highlighting the sudden emergence of harmful features that were not present before. The botnet’s previously innocuous nature has now taken a sinister turn, putting organizations at risk of data breaches and financial loss.
Originally targeting misconfigured, Internet-accessible Redis servers, P2PInfect abused Redis' leader-follower (replication) topology to spread itself across networks. While researchers had initially speculated about the botnet's potential to establish command-and-control (C2) operations, its primary purpose remained unclear at the time. However, indications of a mining operation were found in P2PInfect's code, hinting at future activities that have now come to fruition.
The latest iteration of P2PInfect includes a usermode rootkit and an activated mining binary, allowing the malware to mine approximately 71 Monero coins, equivalent to around £10,000. Additionally, a new ransomware component targets various file types, including .xls, .py, and .sql, although its effectiveness is limited by the fact that Linux does not require files to carry extensions. Since Redis primarily stores data in memory, it is also unclear how much on-disk data the ransomware can actually hold to ransom.
Although P2PInfect infections appear to be concentrated in East Asia, organizations using Redis anywhere are advised to enhance their server security measures to mitigate external threats. With over four billion Docker pulls for its open-source version and nearly 10,000 organizations using its Enterprise product, Redis is a popular choice among businesses worldwide. Therefore, maintaining strict access controls, utilizing firewalls, and implementing proper server configurations are essential for safeguarding against attacks like P2PInfect.
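The configuration advice above maps to a handful of redis.conf directives. The following auditor is an added example, not code from Cado Security or the Redis project: it parses a redis.conf and flags the settings an unauthenticated worm depends on (listening on all interfaces, protected mode off, no authentication, and administrative commands such as CONFIG and REPLICAOF left reachable). The two configuration samples and the private address 10.0.0.5 are constructed for the demonstration, and the list of commands worth renaming is the auditor's own choice rather than a Redis default.

```python
"""Audit a redis.conf for the exposure a Redis-propagating worm relies on.

Added example (not Cado Security's or the Redis project's code). Checks the
directives behind the advice "strict access controls, firewalls and proper
server configuration": network binding, protected mode, authentication, and
whether administrative commands are renamed or disabled.
"""
from typing import Dict, List

# Commands an unauthenticated client should never reach on a data-only node.
# This list is the auditor's assumption, not a Redis default.
SENSITIVE_COMMANDS = ("CONFIG", "REPLICAOF", "SLAVEOF", "MODULE", "DEBUG")
ALL_INTERFACES = ("0.0.0.0", "::", "*", "-::*")


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the argument lists it appeared with.

    Directives may repeat (rename-command, bind), so every occurrence is kept.
    Comments are stripped naively; quoted '#' values are not handled.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. Binding: no 'bind' line, or a wildcard, exposes the port to every interface.
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in ALL_INTERFACES for addr in binds):
        findings.append("listens on all interfaces (no restrictive 'bind')")

    # 2. Protected mode refuses remote unauthenticated clients; it must stay on.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode is disabled")

    # 3. Authentication: a password or an ACL definition must exist.
    has_password = any(args and args[0] for args in conf.get("requirepass", []))
    has_acl = "user" in conf or "aclfile" in conf
    if not (has_password or has_acl):
        findings.append("no authentication configured (requirepass/ACL)")

    # 4. Admin commands: rename-command lets them be disabled ("") or hidden.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    exposed = [cmd for cmd in SENSITIVE_COMMANDS if cmd not in renamed]
    if exposed:
        findings.append("admin commands reachable by name: " + ", ".join(exposed))

    # 5. An unexpected replica relationship is worth a human look, since the
    #    worm spreads through the leader-follower topology.
    for key in ("replicaof", "slaveof"):
        for args in conf.get(key, []):
            findings.append(f"configured as a replica of {' '.join(args)}; confirm this is intended")

    return findings


# Constructed samples: an exposed default-style install and a hardened one.
WEAK_CONF = """
# constructed sample: Internet-facing node with defaults loosened
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
# constructed sample: private addresses only, authenticated, admin commands disabled
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass EXAMPLE-REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

The auditor is deliberately conservative: it only reads the file, and a finding is a prompt to review rather than proof of compromise. On Redis 6 and later, ACL users are the preferred way to restrict commands per client, so `has_acl` counts a `user` or `aclfile` directive as authentication; the rename-command check still applies because many deployments rely on it.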
Al Carchrie emphasizes the importance of monitoring servers for signs of malware, particularly given the cryptomining and ransomware activity now associated with P2PInfect. By detecting abnormal CPU and disk utilization patterns, organizations can identify and address infections before significant damage occurs. In light of these developments, vigilance and proactive security measures are crucial in defending against evolving threats like P2PInfect.
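A miner pins the CPU for hours, while file encryption shows up as a burst of disk writes on a host that normally writes little; both differ from a short maintenance spike in how long they last. The detector below is an added example, not Cado Security's or anyone else's detection logic: it learns a per-metric baseline from the median of an initial window of per-minute samples, then alerts only on runs of several consecutive minutes above a threshold. The timeline it runs over is constructed for the demonstration, as are the thresholds and the 30-minute baseline window.

```python
"""Flag sustained CPU and disk-write surges on a Redis host.

Added example, not Cado Security's detection logic. Input is a series of
per-minute samples (cpu_pct, disk_write_mb) such as a metrics agent would
collect; the timeline below is constructed.
"""
from statistics import median
from typing import List, NamedTuple


class Sample(NamedTuple):
    minute: int
    cpu_pct: float        # host CPU utilisation, percent
    disk_write_mb: float  # megabytes written during the minute


class Alert(NamedTuple):
    start: int   # first anomalous minute
    end: int     # last anomalous minute
    metric: str
    peak: float


BASELINE_WINDOW = 30  # minutes treated as "normal" history (assumed)
MIN_RUN = 5           # consecutive anomalous minutes before alerting (assumed)


def detect_surges(samples: List[Sample], metric: str, multiplier: float, floor: float) -> List[Alert]:
    """Return runs of at least MIN_RUN samples where `metric` exceeds the threshold.

    Threshold = max(floor, multiplier * baseline), baseline being the median of
    the first BASELINE_WINDOW samples. The median keeps a burst inside the
    learning window from inflating the baseline; the floor keeps a near-zero
    baseline from turning every blip into an alert.
    """
    values = [getattr(s, metric) for s in samples]
    threshold = max(floor, multiplier * median(values[:BASELINE_WINDOW]))
    alerts: List[Alert] = []
    run_start = None
    for i, value in enumerate(values):
        if value > threshold:
            if run_start is None:
                run_start = i
            continue
        if run_start is not None and i - run_start >= MIN_RUN:
            alerts.append(Alert(samples[run_start].minute, samples[i - 1].minute,
                                metric, max(values[run_start:i])))
        run_start = None
    if run_start is not None and len(values) - run_start >= MIN_RUN:
        alerts.append(Alert(samples[run_start].minute, samples[-1].minute,
                            metric, max(values[run_start:])))
    return alerts


def find_alerts(samples: List[Sample]) -> List[Alert]:
    """CPU: 2.5x baseline or 50 % absolute; disk: 5x baseline or 20 MB/min."""
    return (detect_surges(samples, "cpu_pct", multiplier=2.5, floor=50.0)
            + detect_surges(samples, "disk_write_mb", multiplier=5.0, floor=20.0))


def build_sample_timeline() -> List[Sample]:
    """Constructed 60-minute timeline for a mostly idle cache node:
    a 2-minute CPU blip at minute 10 (legitimate job, must not alert),
    an 8-minute disk-write burst from minute 20 (bulk file rewrite),
    and CPU pinned from minute 40 onwards (mining-like behaviour)."""
    timeline = []
    for m in range(60):
        cpu = 12.0 + (m % 3) * 2.0    # 12-16 % idle jitter
        disk = 1.5 + (m % 2) * 0.5    # 1.5-2 MB/min of persistence writes
        if 10 <= m < 12:
            cpu = 80.0
        if 20 <= m < 28:
            disk = 350.0
        if m >= 40:
            cpu = 97.0
        timeline.append(Sample(m, cpu, disk))
    return timeline


if __name__ == "__main__":
    for alert in find_alerts(build_sample_timeline()):
        print(f"{alert.metric}: minutes {alert.start}-{alert.end}, peak {alert.peak}")
```

Run against the constructed timeline it reports the CPU run from minute 40 to 59 and the disk burst from minute 20 to 27, and stays silent on the two-minute blip. Wiring this to real data means feeding it the same two counters from whatever collector the host already has; the ordering of checks (CPU first, then disk) is only the order alerts are returned in.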

