In recent times, the P2PInfect botnet worm has witnessed an unexpected surge in its activity levels, initially noted at the end of August and once again intensifying in September 2023.
This botnet was first documented by Unit 42 in July 2023 as peer-to-peer malware that targets Redis instances, exploiting a remote code execution vulnerability on internet-exposed Windows and Linux systems.
Cado Security, having monitored the botnet from late July 2023, disclosed that this escalation in activity has a worldwide reach. A significant number of compromised systems were found in countries like China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan.
Cado further shared that the new versions of P2PInfect have undergone various modifications and enhancements. These changes not only boost its capability to infiltrate more targets but also highlight the malware’s ongoing evolution.
Surge in Botnet Movements
Cado’s observations reflect that the P2PInfect botnet has entered a phase characterized by enhanced code reliability, fueling its aggressive operations. The number of initial access attempts by P2PInfect on Cado’s decoy systems (honeypots) has seen a consistent rise, with 4,064 events recorded from just one sensor by August 24, 2023.
By the onset of September, particularly on September 3, the initial access numbers had tripled, albeit from a modest base. A far sharper rise was then observed between September 12 and 19, 2023, when Cado recorded 3,619 access attempts, a roughly 600-fold increase.
Cado attributes this intensified P2PInfect traffic to the proliferation of its different versions in the digital environment, which indicates a heightened pace of development by its creators.
Introducing Advanced P2PInfect Features
Cado’s investigation uncovered newer versions of P2PInfect that appear even more discreet and dangerous than before. To start with, its creators have replaced the former ‘bash_logout’ persistence method with a cron-based mechanism that launches the main malware payload every half-hour.
P2PInfect has also adopted a secondary bash payload that communicates with the primary payload through a local server socket. If for any reason the main process halts or is removed, the secondary payload retrieves a fresh copy from a peer and restarts it.
Another significant modification is the malware’s use of its own SSH key, which replaces every authorized SSH key on the compromised system and so locks legitimate users out of SSH access. In scenarios where the malware gains root privileges, it also changes the passwords of other users to an auto-generated 10-character string, effectively barring their access.
Lastly, P2PInfect now holds a dynamic C struct configuration for its client in memory, whereas past versions had no configuration file at all.
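Two of the traits above, a cron job that fires every half-hour and an authorized_keys file whose previous keys have disappeared, can be checked for during host triage. The following is an added example written for this page, not code from Cado or from the malware; the crontab lines, paths and keys are constructed samples, and the exact cron entry P2PInfect installs is not given in the text.

```python
"""Host-triage checks for the two P2PInfect persistence/lockout traits described above.
All sample inputs below are constructed for illustration, not real artifacts."""


def expand_cron_field(field: str, lo: int, hi: int) -> set[int]:
    """Expand one cron field ('*/30', '0,30', '5-10', '7') into the set of values it matches."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def fires_every_half_hour(cron_line: str) -> bool:
    """True if the entry runs at exactly two minutes 30 apart, every hour of the day."""
    line = cron_line.strip()
    fields = line.split(None, 5)
    if not line or line.startswith("#") or line.startswith("@") or len(fields) < 6:
        return False  # blank, comment, @hourly-style macro, or not a schedule line
    minutes = expand_cron_field(fields[0], 0, 59)
    hours = expand_cron_field(fields[1], 0, 23)
    return len(minutes) == 2 and max(minutes) - min(minutes) == 30 and len(hours) == 24


def find_half_hourly_jobs(crontab_text: str) -> list[str]:
    """Return every crontab line that matches the half-hourly schedule."""
    return [l.strip() for l in crontab_text.splitlines() if fires_every_half_hour(l)]


def baseline_keys_missing(authorized_keys_text: str, baseline: list[str]) -> list[str]:
    """Return the known-good keys that are no longer present in authorized_keys."""
    present = {l.strip() for l in authorized_keys_text.splitlines() if l.strip() and not l.startswith("#")}
    return [k for k in baseline if k.strip() not in present]


# Constructed sample crontab: one nightly job (benign) and two half-hourly entries.
SAMPLE_CRONTAB = """# constructed sample crontab
0 3 * * * /usr/local/bin/nightly-backup.sh
*/30 * * * * /tmp/.hidden/run
0,30 * * * * /var/tmp/.cache/beat
"""

# Constructed keys: the admin's baseline key versus a file holding only an unknown key.
BASELINE_KEYS = ["ssh-ed25519 AAAAexampleAdminKey admin@example"]
SAMPLE_AUTHORIZED_KEYS = "ssh-ed25519 AAAAexampleUnknownKey nobody@nowhere\n"
```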
Although Cado observed P2PInfect variants attempting to download a miner payload, no evident cryptomining activities on the affected devices were detected. This leaves open the possibility that the operators behind the malware are in a phase of experimentation regarding their ultimate motive.
It’s feasible that the operators are refining the miner module or potentially seeking clientele interested in P2PInfect subscriptions. In such a case, the miner could merely serve as a prototype for display purposes.
Considering its current magnitude, dispersion, ability to self-update, and its rapid growth, it’s evident that P2PInfect is a significant cyber threat that warrants close monitoring.