P2Pinfect: A Worm-Like Botnet Malware Targeting Redis Deployments

Researchers have identified an unknown group of hackers employing a novel strain of malware named “P2Pinfect” to target publicly-accessible deployments of Redis. This popular data storage tool is extensively used by major companies, including Amazon, Uber, and Hulu.

P2Pinfect demonstrates advanced techniques, including cross-platform compatibility using Rust, sophisticated replication, and a peer-to-peer botnet structure. Notably, what sets this malware apart is its worm-like behavior, enabling it to self-propagate and infect other vulnerable Redis deployments autonomously, thereby expanding its botnet. 

P2Pinfect Targets Linux and Windows by Exploiting the Replication Feature in Redis

Palo Alto’s Unit 42 initially analyzed the hacking campaign, revealing the malware’s exploitation of the critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), to hijack Redis applications and incorporate them into a botnet. This vulnerability was previously used to add devices into Muhstik botnet in 2022. However, the P2Pinfect malware is distinct from Muhstik and appears to belong to a different malicious network, as determined by Unit 42.

Cado Security also issued a report that largely aligns with Unit 42’s findings. Once connected to a host, the malware attempts to infect other hosts, expanding the botnet. Nevertheless, Cado Security identified two significant differences. First, the encountered malware sample did not employ CVE-2022-0543 as the initial access vector, but used the replication feature. Second, P2Pinfect targeted both Windows and Linux Redis instances.

The replication feature enables Redis instances to run in a distributed manner, forming a leader/follower topology where follower nodes exactly replicate the leader. The feature is intended to ensure high availability and data store failover in Redis; however, by exploiting it, the attacker gains access to the target’s Redis deployment. This allows them to load a malicious shared object file (exp.so) and obtain reverse shell access. 

The Distribution of the Botnet Malware

The malware serves a dual purpose: it prevents other threat actors from compromising the Redis server while allowing it to function normally, so the owners remain unaware of the compromise. Once infected, the server becomes part of a peer-to-peer botnet, enabling communication between infected hosts without a centralized control server. The malware spreads further by gathering user information, IP addresses, and SSH access keys. Once it gains access to a host, it infects it by dropping a copy of itself and executing it with a list of nodes as an argument.

The Payloads of P2Pinfect 

The primary payload of P2Pinfect comprises an ELF binary written in C and Rust. This payload is responsible for manipulating the host’s SSH configuration to enable backdoor access while employing iptables to permit legitimate Redis operators and block other threat actors.

Both security firms emphasized that P2Pinfect’s use of the Rust programming language facilitated seamless operation on Windows and Linux platforms while complicating code analysis.

P2Pinfect drops and executes a binary named “bash,” mimicking a legitimate instance of bash. It monitors processes and automatically restarts the main payload if it gets terminated. Additionally, a binary named “miner” is dropped, but it seems to remain inactive. Experts speculate that this file may serve as a placeholder for a future crypto miner, potentially activating once the botnet grows to a specific size.

Despite extensive research, the identity of the perpetrators and their ultimate goal remains unknown.

A Growing Peer-to-Peer Botnet Threat

Cado Security researchers discovered several Redis exploits being used for initial access. The malware conducts internet scans to find vulnerable Redis servers and then replicates itself in a manner similar to a worm. The attackers exploit the replication feature of Redis, which allows them to compromise exposed instances of the data store. This type of attack has been observed since 2018 in other cloud malware campaigns.

Unit 42 identified over 307,000 unique Redis systems communicating publicly in the last two weeks, with about 934 of them possibly being vulnerable to the worm variant. While most systems are not vulnerable, P2Pinfect will likely still attempt to compromise them. The number of infected hosts is growing, but the exact size of the P2Pinfect botnet is unknown. 

Organizations should prioritize securing critical ports by closing, filtering or restricting access to certain source assets either on the asset serving the port or on the perimeter, such as firewalls.

P2Pinfect IoCs (Indicators of Compromise)

How Can SOCRadar Help?

SOCRadar offers continuous monitoring of digital assets, promptly generating alarms for any emerging threats. This proactive approach strengthens overall security and ensures prompt detection of potential exposures or vulnerabilities affecting your assets, including Redis deployments.

You can monitor organizational assets and efficiently manage alarms by using SOCRadar’s Attack Surface Management (ASM) module.