P2PInfect is a new cloud-targeting, peer-to-peer (P2P) worm recently discovered by cybersecurity researchers, that targets vulnerable Redis instances for follow-on exploitation.
Researchers William Gamazo and Nathaniel Quist said that P2PInfect exploits Redis servers running on both Linux and Windows OS, making it more scalable and potent than other worms.
Details on P2PInfect
It is estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023.
The worm has a notable trait in that it can spread to vulnerable Redis instances by using the critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been used in the past to spread malware families like Muhstik, Redigo, and HeadCrab.
In order to obtain additional malicious binaries, such as scanning software for spreading the malware to other exposed Redis and SSH hosts, the initial access provided by successful exploitation is then used to deliver a dropper payload that establishes peer-to-peer (P2P) communication to a larger P2P network.
In order to establish and sustain contact between the compromised computer and the P2P network and grant threat actors persistent access, the virus additionally makes use of a PowerShell script. Additionally, P2PInfect for Windows has a Monitor component that enables self-updating and launching of the latest version.
It is not immediately known what the exact goal of the campaign is for now, with security researchers noting that there is no clear evidence of cryptojacking despite the presence of the word “miner” in the toolkit’s source code. Currently, no known threat actor groups have been linked to the behavior.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.