Malware that spreads via Redis now capable of deploying ransomware

P2Pinfect now able to deploy ransomware and crypto miner payloads.

A highly scalable peer-to-peer malware that spreads by exploiting Redis, is now capable of deploying ransomware.

P2Pinfect is a sophisticated strain of malware written in Rust. The first strains of the worm were first observed in July 2023.

Cado Security noted that in early samples, it exploited Redis for initial access into cloud environments; exploiting the data store's replication feature or abusing CVE-2022-0543 a CVSS 10 bug in the LUA scripting language.

How does the malware abuse Redis?

As Cado Security noted in 2o23, the botnet has been seen abusing Redis's replication feature. As it explained at the time: "Replication allows instances of Redis to be run in a distributed manner, in what’s referred to as a leader/follower topology. This allows follower nodes to act as exact replicas of the leader, providing high availability and failover for the data store. 

"A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command. Once replication is complete, the attacker can load a malicious module (a Linux shared object file) which extends the functionality of Redis itself. This initial access vector was first demonstrated in 2018 and has been used in a number of high-profile cloud malware campaigns since - including H2miner and, more recently, Headcrab.

Separately, Unit42 has seen P2PInfect exploiting CVE-2022-0543 for initial access and then dropping "an initial payload that establishes P2P communication to a larger P2P network. Once the P2P connection is established, the worm pulls down additional malicious binaries such as OS-specific scripts and scanning software. The infected instance then joins the P2P network to provide access to the other payloads to future compromised Redis instances."

(Redis is an open source memory data source, often used for caching web pages and reducing load on servers.)

While the worm was initially dormant, with the only goal of spreading and replicating, security researchers at Cado have now discovered an update that allows it to deploy ransomware and crypto miner payloads on to cloud environments.

In order to access more devices, P2Pinfect also targets embedded devices based on 32-bit MIPS processors, and attempts to force SSH access to these devices. This could potentially allow the worm's developers to infect routers and IoT devices with malware, Cado Security said.

One of its main features is a botnet- where every infected machine acts as a node in the network, and maintains a connection to several other nodes. It allows the author to push out updated binaries across the network.

A recent update shows that P2Pinfect's main binary has undergone a rewrite. Now, upon joining the botnet, the worm receives a command to download and run a new binary called rsagen, which is a ransomware payload. It then immediately begins an encryption process, locking the compromised data.

(source: Cado Security)

According to the ransom note discovered by researchers, the malware's authors are dealing in Monero, a cryptocurrency. The rewrite has also activated a miner payload within the botnet – mining for Monero.

The malware authors have also recently added a range of evasion techniques, Cado's researchers found; for example the recent sample they analysed attempts to disable Linux core dumps "as an anti-forensics procedure as the memory regions written to disk as part of the core dump can often contain internal information about the malware itself."

Despite its evolution and sophistication the malware's mining wallet has also made only an estimated 71 Monero, implying limited deployment. Indicators of compromise for the malware can be found here.

See also: Microsoft updates mitigation for critical “wormable” bug

Get the latest episodes directly in your inbox