Clipeus

P2Pinfect Developments

Cado Security reports new developments of the P2Pinfect malware, a recently identified botnet, which has been observed infiltrating devices equipped with 32-bit MIPS processors, commonly found in routers and IoT devices.


This botnet was originally discovered by Palo Alto Unit 42 in July 2023. P2Pinfect is a Rust-based worm targeting Redis servers vulnerable to CVE-2022-0543.


Later examination by Cado Security analysts revealed that P2Pinfect abuses the Redis replication feature to propagate, turning the initially infected instance into a source of replicas. Subsequently, in September, Cado Security issued a warning about escalating P2Pinfect botnet activity, concentrated predominantly on systems within China. Other countries, including the United States, Germany, Japan, Singapore, Hong Kong, and the United Kingdom, were affected to a lesser extent.


The botnet employs various tactics for infiltration, including targeting SSH servers with weak credentials and using SFTP and SCP to upload the MIPS binary. Additionally, P2Pinfect checks the 'TracerPid' value in the process status file to determine whether analysis tools are tracing the malware process, terminating it if so.


Recent developments include enhanced evasion capabilities. P2Pinfect uses system calls to disable Linux core dumps, preventing memory contents that could reveal traces of its activity from being written to disk. Notably, the DLL embedded in P2Pinfect contains a function designed specifically for virtual machine evasion.
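As an added defender-side example (not Cado's or Clipeus' code), the following Python parses the two /proc files behind the behaviours described above: the TracerPid field the malware reads, and the core-dump limit it lowers, so a hunt over a live host can list processes that have locked core dumps off. It assumes core dumps are disabled through setrlimit(RLIMIT_CORE), which the article does not state, and the sample /proc text is constructed.

```python
"""Hunt for processes that have locked core dumps off, a trait this article
attributes to P2Pinfect. Added example; the sample /proc text is constructed."""
from pathlib import Path

# Constructed /proc/<pid>/limits. The hard limit is the telling column: distros
# commonly default to soft 0 / hard unlimited, so hard 0 suggests the process
# lowered it itself via setrlimit(RLIMIT_CORE) (assumed; the article names no syscall).
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max core file size        0                    0                    bytes
"""
# Constructed /proc/<pid>/status. TracerPid is the field the article says the
# malware reads to spot a debugger; non-zero means a tracer is attached.
SAMPLE_STATUS = """Name:\tredis-server
Pid:\t4242
TracerPid:\t0
"""

def parse_status(text):
    """Map each 'Key:<tab>value' line of /proc/<pid>/status to key -> value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def core_limits(text):
    """Return (soft, hard) strings from the 'Max core file size' row, or None."""
    row = [l for l in text.splitlines() if l.startswith("Max core file size")]
    return tuple(row[0].split()[4:6]) if row else None

def assess(status_text, limits_text):
    """Summarise one process; core_dumps_locked means the hard limit is 0."""
    st, lim = parse_status(status_text), core_limits(limits_text)
    return {"pid": st.get("Pid"), "name": st.get("Name"),
            "tracer_pid": st.get("TracerPid"),
            "core_dumps_locked": lim is not None and lim[1] == "0"}

def scan_proc(proc="/proc"):
    """Apply assess() to every readable process of a live Linux /proc tree."""
    hits = []
    for p in filter(lambda d: d.name.isdigit(), Path(proc).iterdir()):
        try:
            rec = assess((p / "status").read_text(), (p / "limits").read_text())
        except OSError:  # process exited mid-scan or is not readable by us
            continue
        if rec["core_dumps_locked"]:
            hits.append(rec)
    return hits
```

Expect some benign hits from services whose unit files set a hard core limit of 0; treat the result as a triage list to compare against the host's baseline rather than as a verdict.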

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
