Cybersecurity researchers have identified a new variant of the P2PInfect botnet that can target routers and IoT devices. The latest version, compiled for the MIPS (Microprocessor without Interlocked Pipelined Stages) architecture, expands the malware's functionality and reach, according to Cado Security Labs.
According to security researcher Matt Muir's study shared with The Hacker News, "it's highly likely that the P2PInfect developers intend to infect routers and IoT devices with the malware by targeting MIPS."
P2PInfect is Rust-based malware first documented in July 2023; it initially targeted unpatched Redis instances through a Lua sandbox escape vulnerability.
The cloud security company observed an increase in P2PInfect activity in September after new variants of the malware were released. These versions target devices with 32-bit MIPS processors and include updated evasion and anti-analysis techniques.
Using the username and password combinations embedded in the ELF binary itself, the malware launches brute-force attacks against SSH servers it discovers during scanning.
Because Redis servers can also run on MIPS via the Redis-server OpenWrt package, both SSH and Redis servers are assumed to be propagation vectors for the MIPS variant.
The malware also employs methods to evade analysis, such as terminating itself if it detects analysis and disabling Linux core dumps. Additionally, the MIPS version comes with an embedded 64-bit Windows DLL module for Redis, which enables shell commands to be executed on a compromised system.
"Not only is this a noteworthy development in that it represents an expansion of scope for the developers behind P2PInfect (more details supporting processor models equals additional nodes in the botnet itself), but the MIPS32 sample includes some significant defensive escape techniques," Cado explained.
"This, coupled with the malware's usage of Rust (aiding cross-platform development) and the rapid expansion of the botnet itself, confirms previous indications that this campaign is being executed by a sophisticated threat actor."