Recent reports from cybersecurity experts have indicated the emergence of a sophisticated variant of the P2PInfect botnet, which has shown the ability to target both routers and Internet of Things (IoT) devices. This new iteration has been identified by Cado Security Labs as specifically tailored for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, significantly enhancing its operational capabilities.
According to security researcher Matt Muir, the developers behind P2PInfect appear to be focusing on MIPS architecture to widen their attack surface, particularly aiming at infecting routers and IoT devices. This could represent a strategic shift, indicating an intent to expand the botnet’s reach into ubiquitous networked devices.
P2PInfect, which is written in the Rust programming language, first drew attention in July 2023 when it began targeting unpatched Redis instances by exploiting a high-severity Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0). This vulnerability serves as the malware's entry point, illustrating the continued exploitation of critical flaws in software that organizations frequently underestimate.
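The Redis exposure that makes this entry point reachable is usually a configuration problem rather than a code problem. The script below is an added example for this article, not code from Cado Security Labs or the Redis project: it audits a redis.conf body for the three settings that decide whether an unauthenticated scanner can reach the command interface at all (bind, protected-mode, requirepass). Both configuration texts are constructed samples; patching the Lua package that carries CVE-2022-0543 is still required, since this check only limits who can reach the instance.

```python
"""Flag redis.conf settings that leave an instance reachable by the
internet-wide scanning that feeds P2PInfect's Redis infections.

Added example for this article, not code from Cado Security Labs or the
Redis project. Both config texts are constructed samples."""

# Constructed sample: a hurried deployment exposed on every interface.
WEAK_CONF = """
# redis.conf (constructed)
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance restricted to loopback with auth.
HARDENED_CONF = """
# redis.conf (constructed)
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE_ME_example_only
"""

# Addresses that make Redis accept connections from any interface.
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Return {directive: [args]} for a redis.conf body; later lines win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []

    # With no bind directive Redis listens on all interfaces; a leading "-"
    # only marks an address as optional, so strip it before comparing.
    binds = [b.lstrip("-") for b in conf.get("bind", [])]
    if not binds or any(b in ALL_INTERFACES for b in binds):
        findings.append("bind: instance listens on all interfaces")

    # protected-mode defaults to yes; "no" admits unauthenticated remote
    # clients even when no bind restriction is set.
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    # Without requirepass (or an ACL file) any client that can reach the
    # port can run commands, including EVAL, which drives the Lua engine.
    if "requirepass" not in conf and "aclfile" not in conf:
        findings.append("requirepass: no authentication configured")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

Running the script prints three findings for the weak sample and "ok" for the hardened one. The parser keeps the last value of a repeated directive, which matches how Redis itself resolves duplicates.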
Subsequent analysis conducted by Cado Security Labs in September unveiled a marked increase in P2PInfect activity, coinciding with the rollout of several iterative malware variants. These new strains not only attempt SSH brute-force attacks on devices equipped with 32-bit MIPS processors but also incorporate advanced evasion strategies to elude detection.
The brute-force SSH attacks involve the use of common username-password combinations embedded within the ELF binary of the malware. This facilitates an automated and potentially widespread compromise of devices connected to the Internet.
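A credential-list sweep of this kind shows up on the target as a burst of failed sshd authentications from one source, each trying a different account. The detector below is an added example for this article, not detection logic from Cado Security Labs: it parses the syslog-style lines sshd writes on most Linux hosts, keeps a sliding window of failures per source address, and reports any source that crosses a threshold inside that window. The log lines are constructed, and the threshold and window length are assumptions to be tuned per site.

```python
"""Detect SSH password-guessing from sshd log lines.

Added example for this article, not detection logic from Cado Security
Labs. The log lines are constructed in the syslog format sshd uses on most
Linux hosts; the threshold and window are assumptions to tune per site."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample: one source walking a short default-credential list
# in under a minute, one source with two isolated failures and a success.
SAMPLE_LOG = """\
Dec  4 10:15:01 gw sshd[811]: Failed password for root from 203.0.113.5 port 40110 ssh2
Dec  4 10:15:03 gw sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Dec  4 10:15:06 gw sshd[813]: Failed password for invalid user pi from 203.0.113.5 port 40114 ssh2
Dec  4 10:15:08 gw sshd[814]: Failed password for invalid user ubnt from 203.0.113.5 port 40116 ssh2
Dec  4 10:15:11 gw sshd[815]: Failed password for invalid user support from 203.0.113.5 port 40118 ssh2
Dec  4 10:15:14 gw sshd[816]: Failed password for root from 203.0.113.5 port 40120 ssh2
Dec  4 10:20:30 gw sshd[901]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Dec  4 10:21:02 gw sshd[902]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
Dec  4 10:45:00 gw sshd[950]: Failed password for alice from 198.51.100.7 port 51100 ssh2
"""


def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; that is fine for measuring gaps.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {src_ip: {"attempts": n, "users": [...]}} for every source
    with at least `threshold` failures inside some `window_s` span."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    users = defaultdict(set)      # distinct accounts each source tried
    hits = {}
    for ts, user, src in parse_failures(lines):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        # Drop timestamps that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            prev = hits.get(src, {}).get("attempts", 0)
            hits[src] = {"attempts": max(prev, len(q)),
                         "users": sorted(users[src])}
    return hits


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['attempts']} failures, users {info['users']}")
```

On the sample, only 203.0.113.5 is reported; the two failures from 198.51.100.7 are 25 minutes apart and never fill the window. The list of distinct usernames is the useful secondary signal: a legitimate user mistyping a password retries one account, while a credential list walks many.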
Moreover, the suspicion that SSH and Redis servers act as propagation vectors is reinforced by the fact that Redis can run on MIPS via an OpenWrt package, further widening the pool of vulnerable targets. The adaptation of the P2PInfect variant to MIPS architecture suggests that the threat actors are actively seeking new opportunities for exploitation within the ecosystem of networked devices.
Among the notable evasion techniques employed by the botnet is a self-check that determines whether it is being analysed; if it is, the malware terminates itself to avoid detection. It also tries to disable Linux core dumps, which are written after a crash, reducing the forensic traces left on compromised systems.
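The article does not say how the variant disables core dumps, but one common route on Linux is for the process to lower its own RLIMIT_CORE. Because resource limits are inherited across fork and exec, a process whose core limit is below its parent's must have lowered it itself (or had a wrapper do so). The script below is an added example for this article, not a detection from Cado Security Labs: it parses the `Max core file size` row of `/proc/<pid>/limits` for a process and its parent and reports that discrepancy. The two limits texts are constructed; `scan_live` applies the same check to a running process.

```python
"""Heuristic for a process that has switched off its own core dumps.

Added example for this article, not a detection from Cado Security Labs.
Resource limits are inherited across fork and exec, so a process whose
RLIMIT_CORE is below its parent's lowered it itself (or a wrapper did).
The /proc/<pid>/limits texts below are constructed samples."""
import re

# The row of /proc/<pid>/limits that reports RLIMIT_CORE (soft, hard).
CORE_RE = re.compile(r"^Max core file size\s+(\S+)\s+(\S+)", re.MULTILINE)

# Constructed sample: a parent shell with core dumps enabled.
PARENT_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max core file size        unlimited            unlimited            bytes
Max open files            1024                 524288               files
"""

# Constructed sample: a child that set RLIMIT_CORE to 0 after starting.
CHILD_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max core file size        0                    0                    bytes
Max open files            1024                 524288               files
"""

UNLIMITED = float("inf")


def core_limit(limits_text):
    """Return (soft, hard) core-file limits parsed from /proc/<pid>/limits."""
    m = CORE_RE.search(limits_text)
    if not m:
        raise ValueError("no 'Max core file size' row in limits text")
    return tuple(UNLIMITED if v == "unlimited" else int(v) for v in m.groups())


def lowered_core_limit(parent_text, child_text):
    """True when the child's core limit is below what it inherited."""
    p_soft, p_hard = core_limit(parent_text)
    c_soft, c_hard = core_limit(child_text)
    return c_soft < p_soft or c_hard < p_hard


def scan_live(pid):
    """Apply the heuristic to a running process (Linux only)."""
    with open(f"/proc/{pid}/stat") as f:
        # ppid is the second field after the ")" that closes the comm name.
        ppid = int(f.read().rsplit(")", 1)[1].split()[1])
    with open(f"/proc/{ppid}/limits") as f:
        parent = f.read()
    with open(f"/proc/{pid}/limits") as f:
        child = f.read()
    return lowered_core_limit(parent, child)


if __name__ == "__main__":
    print("constructed child lowered its core limit:",
          lowered_core_limit(PARENT_LIMITS, CHILD_LIMITS))
```

Two caveats apply. Many distributions ship with a soft core limit of 0 from the login shell onward, so a 0 in both parent and child is normal and the heuristic stays quiet; it fires only when the child went below what it inherited. And a process can also suppress dumps through `prctl(PR_SET_DUMPABLE, 0)`, which does not change the limits file at all, so this check covers only the setrlimit route.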
This MIPS variant has also integrated a 64-bit Windows DLL module for Redis, enabling the execution of shell commands on compromised systems, further amplifying the severity of the threat.
The development of this malware variant represents a significant escalation by the threat actors behind P2PInfect, highlighting a broader scope in targeting diverse processor architectures. This evolution, combined with the malware's use of Rust, which facilitates cross-platform compatibility, underscores the capability of sophisticated threat actors in orchestrating such campaigns. The growing botnet reinforces the necessity for robust cybersecurity measures to defend against increasingly complex and targeted cyber threats.