
Cloud Worm Evolves to Spread Ransomware and Cryptominer Payloads

Updated on June 26, 2024


An updated variant of the cloud-based, Rust-written malware known as P2PInfect is now distributing ransomware and cryptominer payloads. Previously, this malware was relatively benign, slowly spreading across cloud instances and targeting Redis instances left unpatched against the 2022 sandbox escape vulnerability CVE-2022-0543.


In a June 25 blog post, Cado Security researchers revealed that P2PInfect initially spread primarily via Redis and a limited SSH spreader. Now, the malware has been enhanced with cryptominer, ransomware payloads, and rootkit functionality.

Patrick Tiquet, vice president of security and architecture at Keeper Security, explained that the evolution of P2PInfect is a typical example of how sophisticated malware develops. Initially, it focuses on spreading and establishing a solid foothold within networks, using techniques such as exploiting software vulnerabilities or password spraying.

In a July 2023 research post, Palo Alto Networks’ Unit 42 described P2PInfect as a new peer-to-peer (P2P) worm capable of cross-platform infections, targeting Redis, a popular open-source database application heavily used within cloud environments. The worm infects vulnerable Redis instances by exploiting the Lua sandbox escape vulnerability, CVE-2022-0543.

Tiquet noted that the current goal of the malware is to create a network of infected devices, forming a botnet that can be used for various malicious purposes. This slow build allows the malware to avoid detection by standard, signature-based antivirus products, enhancing its persistence and longevity within systems. Once a significant number of devices are compromised, the malware can be updated with more destructive features, such as ransomware or cryptominers.

Ken Dunham, cyber threat director at the Qualys Threat Research Unit, added that P2PInfect is fairly typical in attacking weakly defended SSH accounts but has unique resiliency components built into its infrastructure, as documented by Cado Security. Dunham emphasized the importance of monitoring and managing evolving tactics and procedures of bad actors, as well as changes in the threat landscape.

“As adversaries focus on resilience and stealth for survival, it’s critical organizations gain visibility of threats and are able to predict the unknown, with regular audits and assurances coupled with purple teaming operations,” said Dunham.

The emergence of more destructive features in P2PInfect highlights the increasing sophistication and danger of cloud-based malware.


Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
