The malicious botnet P2PinFect has recently shifted its focus to attacking incorrectly configured REDIS servers by installing extortion software and crypto-miners. This change in behavior indicates a shift from a dormant state to a financially motivated operation.
A recent analysis by CADOSecurity has revealed new elements of crypto-miner, extortion software, and Rutkin added to the latest updates of the P2PinFect botnet. The authors of P2PinFect appear to be seeking financial gains through illegal access to systems and network expansion.
The P2PinFect botnet was initially discovered in July 2023 and has since been updated to support MIPS and ARM architectures. Recent updates have enabled P2PinFect to deliver crypto-mining payloads. The botnet spreads by targeting REDIS servers and utilizing their replication function to convert infected systems into subordinate nodes controlled by an attacking server.
P2PinFect malware, written in the programming language RUST, can scan the internet for vulnerable servers and contains an SSH module for password spraying to enter systems using common passwords. The botnet also takes measures to prevent attacks from other threat actors by changing user passwords, restoring SSH service with ROOT laws, and increasing privileges.
Each infected computer within the P2PinFect network acts as a node, maintaining communication with several other nodes to create a vast network structure that facilitates rapid spread of updates. Recent functional changes in P2PinFect include the installation of extortion software that encrypts files with specific extensions and demands a ransom of 1 XMR (approximately $167). A new user level has also been introduced to hide harmful processes and files from security tools using the LD_PRELOAD environment.
There are suspicions that P2PinFect may be advertised as a Botnet-for-Hire service, allowing other cybercriminals to deploy their malicious payloads in exchange for payment. This is supported by the fact that the wallet addresses for mining and extortion are different, and the mining process is optimized for maximum use of computing resources, which could interfere with the extortion software’s operation.
The choice to use extortion software for attacks on REDIS servers, which primarily store temporary data in memory, may seem surprising. P2PinFect is likely to see more profits from crypto-mining as access to valuable files is restricted due to privilege levels. The addition of a new user level may be a strategic move, although if initial access is gained through REDIS, Rutkit