A Sneaky Cross-Platform Threat Targeting Redis Server: P2PInfect Worm

Background:

This worm is capable of cross-platform infections and is written in the highly scalable and cloud-friendly programming language Rust. It targets Redis, a well-known open-source database application frequently utilized in cloud environments. Operating systems Linux and Windows both support running Redis instances. 307,000 distinct Redis servers talking publicly during the past two weeks have been discovered by Unit 42 researchers, of which 934 may be susceptible to this P2P worm Variant. Even though not all of the 307,000 Redis instances will be at risk, the worm will nonetheless attempt to infiltrate these systems.

In order to get access, P2PInfect exploits CVE-2022-0543, and after that, it drops an initial payload that starts P2P communication with a larger P2P network. The worm downloads further malicious programs, such as OS-specific scripts and scanning applications, after the P2P connection has been formed. The infected instance then joins the P2P network to provide future compromised Redis instances access to the other payloads.

This P2PInfect campaign, according to Unit 42, is only the beginning of a potentially more effective attack that makes use of this strong P2P command and control (C2) network. The phrase “miner” appears a few times in P2PInfect’s toolset. Researchers did not discover any solid proof that crypto mining activities ever took place, nevertheless.

Technical Analysis

Using their HoneyCloud environment, which is a collection of honeypots they utilize to uncover and research novel cloud-based attacks across public cloud settings, Unit 42 found the first known instance of P2PInfect on July 11, 2023. The P2Pinfect worm supports and enables the delivery of malicious binaries across a P2P network.

The P2P worm’s gathered samples are all built in the extremely scalable and cloud-friendly programming language Rust. Due to Redis’ lack of official support for the Windows operating system, this enables the worm to infect Redis instances running on both Linux and Windows platforms.

The worm uses the Lua sandbox escape vulnerability, CVE-2022-0543, to infect vulnerable Redis instances. CVE-2022-0543 is a vulnerability with the Lua library related to the way Redis is packaged and delivered by Debian Linux package management. When the initial exploit for this specific vulnerability was released in March 2022, the affected Redis instance was linked to the Muhstik botnet. The P2PInfect worm, on the other hand, seems to be connected to a new malicious network that is unrelated to the Muhstik botnet.

P2PInfect works effectively in cloud container environments by exploiting CVE-2022-0543. Containers have a limited range of capabilities; for instance, they lack “cron” services. The majority of the most prevalent worms that prey on Redis employ a method for obtaining remote code execution (RCE) through cron services.

An initial payload is run once infection through the Lua vulnerability is first established. This payload creates a P2P connection to the larger C2 botnet, which acts as a P2P network for distributing more payloads to subsequently affected Redis instances. The worm downloads further payloads, like a scanner, after the P2P connection is formed. The newly infected instance then joins the P2P network and starts sending future compromised Redis instances scanning payloads.

The payload will begin looking for more victims to infect once the main P2PInfect sample has finished running. The scanning process focuses on hosts for Redis that are open. Researchers did discover, however, that exploited Redis instances also attempt to scan through port 22, SSH.

While the second-stage malware files, miner and winminer, were not UPX packed, some of the original payload P2PInfect samples distributed to infected systems were.

Following the initial dropper’s execution, it begins decrypting the configuration that it has received from a command line along with details about additional P2P network nodes. Researchers discovered that the P2P port was changeable, which was a design decision that makes the attack resistant to network firewall mitigation measures and blocking.

Recommendations

• Check any Redis applications, whether they are running locally or in the cloud, to make sure no arbitrary filenames are present in the /tmp directory.
• The most recent Redis version, or any version newer than redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2, and redis/5:7.0rc2-2, should be applied to all Redis instances.

IOCs

35.183.81[.]182
66.154.127[.]38
66.154.127[.]39
8.218.44[.]75
97.107.96[.]14
88601359222a47671ea6f010a670a35347214d8592bceaf9d2e8d1b303fe26d7
b1fab9d92a29ca7e8c0b0c4c45f759adf69b7387da9aebb1d1e90ea9ab7de76c
68eaccf15a96fdc9a4961daffec5e42878b5924c3c72d6e7d7a9b143ba2bbfa9
89be7d1d2526c22f127c9351c0b9eafccd811e617939e029b757db66dadc8f93

C2 URL Pattern

GET /linux
GET /linux_sign
GET /miner
GET /miner_sigg
GET /winminer
GET /winminer_sign
GET /windows_sign
GET /windows

SOC Detection

Security Operations Center (SOC) teams can play a crucial role in detecting and mitigating the impact of the P2PInfect worm. Here are some steps and indicators that SOC teams can use to detect this threat:

1. Container Monitoring: As P2PInfect is known to operate effectively in cloud container environments, it’s essential to use a solution that provides container monitoring. These tools can provide deep visibility into your containerized environments, detect anomalies, apply security policies, and monitor network connections within the container environment.
2. YARA Rules: YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns. Use YARA rules to detect the presence of P2PInfect in your systems. You can create YARA rules based on the identified hashes or other unique identifiers of P2PInfect.
3. Network Traffic Monitoring: Monitor network traffic for any unusual or unexpected communication with the identified IPs. Unusual traffic patterns, such as a sudden increase in data transfer or communication with these IPs, could indicate an infection.
4. Redis Instance Monitoring: Keep an eye on Redis instances for any unexpected or unusual behavior. This includes sudden increases in CPU or memory usage, unexpected changes in configuration, or the presence of unfamiliar files in the /tmp directory.
5. Log Analysis: Analyze system and application logs for any signs of intrusion. Look for failed login attempts, changes in system configuration, or the execution of unfamiliar processes. The presence of any of the identified hashes in logs could indicate an infection.
6. Firewall and IDS/IPS Monitoring: Use firewall and Intrusion Detection/Prevention Systems (IDS/IPS) to detect any attempts to exploit the CVE-2022-0543 vulnerability. Any such attempts should be flagged and investigated immediately.
7. Endpoint Detection and Response (EDR) Tools: Use EDR tools to detect any changes in system behavior that could indicate an infection. This includes the execution of unfamiliar processes, changes in system configuration, or the creation of unfamiliar files.
8. Threat Hunting: Proactively search through networks to detect and isolate advanced threats that evade existing security solutions. Look for patterns related to the P2PInfect worm, such as the C2 URL patterns mentioned.
9. Threat Intelligence Feeds: Use threat intelligence feeds to stay updated on the latest indicators of compromise (IOCs) related to the P2PInfect worm. This can help in early detection and prevention of the threat.