Cybersecurity researchers from Cado Security Labs have uncovered a novel variant of the P2PInfect botnet that poses a heightened risk by targeting IoT devices.
The latest P2PInfect variant – compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture – signifies an expansion of the malware’s capabilities, potentially paving the way for widespread infections.
Security researcher Matt Muir highlighted the significance of targeting MIPS, suggesting a deliberate effort by P2PInfect developers to compromise routers and IoT devices.
The P2PInfect malware, first documented in July 2023, is written in Rust and gained notoriety for exploiting a critical Lua sandbox escape (CVE-2022-0543, CVSS score: 10.0) to break into unpatched Redis instances. That flaw affects Redis as packaged by Debian and Ubuntu rather than upstream Redis builds, so the exposed population is concentrated in distribution-packaged deployments.
The latest artefacts are designed to conduct SSH brute-force attacks on devices equipped with 32-bit MIPS processors, employing updated evasion and anti-analysis techniques to remain undetected.
The brute-force attempts against SSH servers involve the use of common username and password pairs embedded within the ELF binary itself. Both SSH and Redis servers are suspected to serve as propagation vectors for the MIPS variant, given the ability to run a Redis server on MIPS using the OpenWrt package known as redis-server.
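The propagation pattern described above leaves a recognisable trail in sshd logs: a burst of failed password logins from one source cycling through default-style usernames. The following detector is an added example written for this page, not Cado Security's tooling; the sshd log lines are constructed, and the threshold and window are arbitrary tuning knobs.

```python
"""Flag SSH password brute-force sources in syslog-style sshd output.

Added example (not from the Cado Security report). The log sample below is
constructed for illustration, not captured from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines: one noisy source (203.0.113.7) cycling through
# default-style usernames, and one legitimate source with a single typo.
SAMPLE_LOG = """\
Dec  4 10:15:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec  4 10:15:03 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Dec  4 10:15:05 gw sshd[2105]: Failed password for invalid user pi from 203.0.113.7 port 51041 ssh2
Dec  4 10:15:06 gw sshd[2107]: Failed password for root from 203.0.113.7 port 51055 ssh2
Dec  4 10:15:08 gw sshd[2109]: Failed password for invalid user ubnt from 203.0.113.7 port 51060 ssh2
Dec  4 10:15:09 gw sshd[2111]: Accepted publickey for ops from 198.51.100.20 port 40012 ssh2
Dec  4 10:20:30 gw sshd[2130]: Failed password for ops from 198.51.100.20 port 40020 ssh2
Dec  4 10:15:11 gw sshd[2113]: Failed password for root from 203.0.113.7 port 51071 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)


def parse_failures(log_text):
    """Return (timestamp, source_ip, username) for every failed password login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog omits the year; a fixed default year is fine for relative windows.
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def peak_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP that reaches `threshold` failures within `window` to a summary."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        peak = peak_in_window([t for t, _ in attempts], window)
        if peak >= threshold:
            flagged[ip] = {
                "failures": len(attempts),
                "peak_in_window": peak,
                # The usernames tried are the observable half of the embedded credential list.
                "users": sorted({u for _, u in attempts}),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

The single failure from 198.51.100.20 stays below the threshold, while the burst from 203.0.113.7 is flagged with the set of usernames it tried; on a real host the same logic runs over `journalctl -u ssh` or `/var/log/auth.log` output.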
The malware’s evasion techniques include terminating itself when it detects analysis and disabling Linux core dumps, the memory images the kernel writes when a process crashes unexpectedly, which would otherwise give analysts a snapshot of the running process. The MIPS variant also embeds a 64-bit Windows DLL that acts as a Redis module, giving the operators a way to execute shell commands on compromised systems.
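Since the Redis side of the propagation path relies on an instance being reachable, unauthenticated, and willing to load a module, a configuration audit is the natural check for the devices this variant targets. The script below is an added example for this page, not Cado Security's or the Redis project's code; the two configuration fragments are constructed, and the rules follow standard Redis hardening guidance (restrictive `bind`, `protected-mode`, `requirepass` or ACLs, and disabling `MODULE` via `enable-module-command no` on Redis 7 or `rename-command MODULE ""` on older builds).

```python
"""Audit a redis.conf for settings that leave the Redis propagation vector open.

Added example, not from Cado Security or the Redis project. Both configuration
fragments below are constructed for illustration.
"""
import shlex
from collections import defaultdict

# Constructed weak configuration: network-reachable, no authentication,
# MODULE command left at its default.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
daemonize yes
# requirepass deliberately not set
"""

# Constructed hardened configuration: loopback only, password required,
# MODULE disabled both ways so it holds on Redis 7 and on older packages.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
enable-module-command no
rename-command MODULE ""
"""

# Wildcard bind values that expose the instance on every interface.
BIND_ALL_VALUES = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text):
    """Return directive -> list of argument lists (directives may repeat)."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles quoting and '#' comments
        if not parts:
            continue
        conf[parts[0].lower()].append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return (code, message) findings for settings that widen the attack surface."""
    conf = parse_redis_conf(text)
    findings = []

    binds = [b for args in conf.get("bind", []) for b in args]
    if not binds or any(b in BIND_ALL_VALUES for b in binds):
        findings.append(("BIND_ALL", "no restrictive 'bind'; Redis listens on all interfaces"))

    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append(("PROTECTED_MODE_OFF", "'protected-mode no' allows unauthenticated remote clients"))

    if not any(key in conf for key in ("requirepass", "user", "aclfile")):
        findings.append(("NO_AUTH", "no 'requirepass' and no ACL users configured"))

    # MODULE is only neutralised by renaming it to the empty string or by
    # 'enable-module-command no'; renaming to a non-empty name merely obscures it.
    renamed = {args[0].upper(): args[1] for args in conf.get("rename-command", []) if len(args) == 2}
    module_disabled = renamed.get("MODULE") == "" or any(
        args and args[0].lower() == "no" for args in conf.get("enable-module-command", [])
    )
    if not module_disabled:
        findings.append(("MODULE_CMD_REACHABLE", "MODULE command not explicitly disabled; arbitrary modules can be loaded"))

    for args in conf.get("loadmodule", []):
        findings.append(("LOADMODULE", f"module loaded at startup: {args[0] if args else '?'}"))

    return findings


def audit_codes(text):
    """Convenience wrapper: just the finding codes, as a set."""
    return {code for code, _ in audit_redis_conf(text)}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```

The audit requires `MODULE` to be disabled explicitly even though Redis 7 ships with `enable-module-command no` by default, because the Redis build on an embedded device (such as a distribution package) may predate that option.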
Cado Security emphasises the significance of these developments, stating that the widening scope for P2PInfect – coupled with advanced evasion techniques and the use of Rust for cross-platform development – indicates the involvement of a sophisticated threat actor.