Redis Server infected with new ransomware payload by P2Pinfect

Cybersecurity investigators have recognized a new ransomware payload associated with the P2Pinfect malware, especially targeting Redis servers. This sophisticated malware, earlier understood for its peer-to-peer (P2P) botnet qualifications, has now been developed to contain ransomware and crypto-mining functionalities. This article delves into the intricacies of P2Pinfect, its ways of applying, and the implications of its new payloads.

Exploiting Redis and gaining access to it

P2Pinfect manipulates the image segments in Redis, a popular in-memory data structure store used as a database, cache, and note dealer. According to the Cado Security news, Redis runs in a dispersed group with a leader/follower topology, which detractors manipulate to acquire code performance on supporter nodes. The malware uses the SLAVEOF order to turn Redis nodes into disciples of an attacker-controlled server, permitting the criticizer to run arbitrary commands.

Spread and main payload mechanisms

Once P2Pinfect increases access to a Redis server, it falls into a shared entity (.so) file and requires the server to load it. This allows the assailant to send orders to the infected server.

 

The malware also applies by utilizing a basic SSH password sprayer, although this strategy is less efficacious than Redis exploitation. P2Pinfect’s botnet is a unique quality. It includes a huge mesh network in which each infected device works as a node. This network permits the malware author to push updates across the botnet efficiently.

A new ransomware payload has been discovered

The latest update to P2Pinfect presents a ransomware payload named rsagen. Upon joining the botnet, infected devices obtain an order to download and manage rsagen, which encrypts files and appends the .encrypted attachment. The ransomware targets many file wings, making it positively disruptive.

The ransomware targets many file wings, making it positively disruptive.

The ransom note, titled “Your data has been sealed!.txt,” advises victims to reach the assailants through email to obtain a decryption token. The ransomware exploits a public key to encrypt files and stores the connected secret key, which the assailants can decrypt upon cost.

P2Pinfect now contains a user-mode rootkit that changes .bashrc files in user home guides to preload a shared entity file (libs.so.1). This rootkit hijacks legitimate system calls to hide the existence of the malware. Additionally, its usefulness is determined if the initial access is via Redis, as the user generally has limited permissions.

The payload of a crypto miner

In addition to ransomware, P2Pinfect deploys a crypto miner targeting Monero (XMR).

The miner is triggered after a pause and operates a preconfigured wallet and pool. Despite the botnet’s size, the mining action seems tiniest, indicating utilizing numerous wallet addresses to obfuscate payments. There is conjecture that P2Pinfect might be a botnet for hire, given the different wallet addresses for the miner and ransomware.

This hypothesis is reinforced by the malware’s capability to deploy arbitrary payloads on order, suggesting possible use by other criticizers for payment. P2Pinfect persists in development, indicating the malware author’s resumed actions to profit from illicit access. The opening of ransomware and crypto-mining payloads emphasizes the increasing complexity of this malware.

While the ransomware’s effect may be restricted because of Redis’s character, the overall danger posed by P2Pinfect remains important. Cybersecurity experts must stay alert and execute strong protection actions to defend against such refined perils. The resumed development of P2Pinfect serves as a stark reminder of the ever-changing landscape of cyber dangers.