What are you up to, P2PInfect? Updated botnet activity is gaining momentum.

Carding

Why does the worm install mining programs on your devices and leave them for later?

Since August 2023, researchers have recorded a sharp increase in the activity of the P2PInfect worm. This malicious code, which is distributed on a peer-to-peer basis, was first discovered by experts from Unit 42 just a few months ago, in July. It usually targets Redis systems by exploiting remote code execution vulnerabilities on Windows and Linux.

Redis (Remote Dictionary Server) is a tool for working with data in key-value databases, often used as a caching server or message broker.

Cado Security, which also monitors the spread of the botnet, notes that most attacks occur on servers located in China, the United States, Germany, Singapore, Hong Kong, the United Kingdom and Japan.

According to Cado experts, the latest modifications of P2PInfect indicate its continuous development. This allows malicious code to spread even more efficiently among potential victims.

Analysts found that from August 24 to September 3, the number of attacks tripled. The maximum increase in activity was recorded between September 12 and 19 — 3,619 hacking attempts were registered during these days.

Cado also identified a number of technical changes in P2PInfect that make it harder to detect and remove:
  • Persistence now uses cron, which triggers the payload faster than the previous method of hooking bash_logout.
  • The updated worm carries an additional bash payload that communicates with the main payload over a local server connection.
  • An SSH key is implanted so that login attempts by legitimate users are blocked.
  • If the botnet obtains root access, it changes the passwords of every user on the system.
  • P2PInfect's configuration is now held in C-style structures and changes dynamically while the code runs.

Despite P2PInfect's recorded attempts to install a mining program on infected devices, no cryptomining activity has been detected so far. This may indicate that the malware's authors are either testing new features or using the miner as a demonstration build intended for sale.
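The post lists cron entries, bash_logout hooks, implanted SSH keys and mass password changes as the worm's footholds. As an added example that is not from the post or from any vendor report, the shell helper below reports which of those standard Linux locations changed within a time window on a live host or a mounted disk image; the path list and the one-day default are assumptions for triage, not indicators from the page.

```shell
#!/bin/sh
# Added triage helper (not P2PInfect code): list persistence-related files
# modified recently. ROOT is "/" for a live host or the mount point of an
# image; the locations below are standard Linux paths chosen as assumptions.

# list_recent ROOT [DAYS]: print files under the watched locations whose
# modification time is within DAYS days (default 1).
list_recent() {
  root="${1%/}"; days="${2:-1}"
  # system cron, the shadow file (password changes) and root's own dotfiles
  for p in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
           var/spool/cron var/spool/cron/crontabs etc/shadow \
           root/.bash_logout root/.ssh/authorized_keys; do
    [ -e "$root/$p" ] || continue
    find "$root/$p" -type f -mtime "-$days" 2>/dev/null
  done
  # per-user logout hooks and SSH keys under /home
  if [ -d "$root/home" ]; then
    find "$root/home" -maxdepth 3 -type f \
      \( -name .bash_logout -o -path '*/.ssh/authorized_keys' \) \
      -mtime "-$days" 2>/dev/null
  fi
}

# count_recent ROOT [DAYS]: number of recently modified watched files,
# handy as a quick "anything to look at?" signal in a fleet-wide sweep.
count_recent() {
  list_recent "$1" "$2" | wc -l | tr -d ' '
}
```

A non-zero count is a prompt to inspect the listed files by hand, not a verdict; legitimate administration touches the same locations.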