In the ever-evolving landscape of cyber threats, it’s crucial to stay informed about the latest tactics, techniques, and procedures (TTPs) employed by threat actors. Today, we delve into a new peer-to-peer (P2P) malware, named P2PInfect, discovered by Unit 42 researchers. This self-spreading malware targets Redis instances running on Internet-exposed Windows and Linux systems.
Discovered earlier this month, P2PInfect is a Rust-based worm that exploits the maximum severity CVE-2022-0543 (NVD) Lua sandbox escape vulnerability in Redis servers. While over 307,000 Redis servers have been discovered in the last two weeks, only 934 instances are potentially vulnerable to this malware’s attacks. However, the worm attempts to compromise all targets, regardless of their susceptibility to infection.
The researchers believe the number of P2P nodes is growing due to the volume of potential targets and the worm’s ability to compromise multiple Redis honeypots across disparate regions.
Successful exploitation of the CVE-2022-0543 (NVD) flaw allows the malware to gain remote code execution capabilities on compromised devices. Following its deployment, P2PInfect installs a first malicious payload, creating a peer-to-peer (P2P) communication channel within a broader interconnected system.
After connecting to the P2P network of other infected devices used for auto-propagation, the worm downloads additional malicious binaries, including scanning tools to find other exposed Redis servers. The researchers believe this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this robust P2P command and control (C2) network.
MITRE ATT&CK TTPs
The threat actors used a variety of tactics and techniques that align with the MITRE ATT&CK framework. These include:
- Exploitation for Client Execution (T1203): The threat actors exploit the CVE-2022-0543 (NVD) vulnerability to gain remote code execution capabilities on compromised devices.
- Command and Control Infrastructure (T1583): The malware creates a P2P communication channel within a broader interconnected system for command and control.
Indicators of Compromise (IOCs)
At this time, specific IOCs related to P2PInfect have not been provided. However, the presence of unexpected network traffic related to Redis servers could be a potential sign of compromise.
This activity serves as a reminder of the importance of maintaining up-to-date systems and being aware of the latest threats. Redis server admins, in particular, should ensure that their servers are not exposed online and that they have an access control mechanism enabled.
For more information on this topic, please refer to the original article by BleepingComputer.