New P2PInfect botnet variant discovered affecting IoT devices
New attack and spread tactics: the disturbing evolution of P2PInfect
Recent studies by Cado Security Labs researchers have highlighted a new version of the P2PInfect botnet, a rapidly growing threat to IoT devices. This latest incarnation of the malware, compiled for the MIPS (Microprocessor without Interlocked Pipelined Stages) architecture, signals an evolution in P2PInfect's attack capabilities, which now extend to a broad spectrum of devices.
Targeting MIPS architecture increases the risk of infections
Security expert Matt Muir of Cado Security highlighted the significance of targeting MIPS processors, which indicates a deliberate plan by the creators of P2PInfect to compromise routers and IoT devices. The original version of P2PInfect, which debuted in July 2023, is written in Rust and was known for exploiting a critical vulnerability in Lua (CVE-2022-0543, CVSS score 10.0) to gain entry into Redis systems that had not been updated.
Brute-force SSH attacks and hardened evasion techniques
The new versions of the malware are designed to carry out brute-force attacks on SSH servers running on 32-bit MIPS processors, using evasion and anti-analysis techniques to escape detection. The attacks use commonly seen username and password pairs embedded directly in the ELF executable. Both SSH and Redis servers are suspected to serve as conduits for spreading the MIPS variant, especially given that Redis can run on MIPS through the OpenWrt package redis-server.
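Detection logic for the SSH brute-forcing described above, added here as an example; it is not code from the article or from Cado Security. It assumes syslog-style failed-login messages from OpenSSH sshd and from dropbear (the SSH daemon OpenWrt ships; its message format is an assumption), runs over constructed sample lines, and flags a source that tries several distinct usernames within a short window, the pattern a credential list embedded in the binary would produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the article): failed SSH logins
# as logged by OpenSSH sshd and by dropbear, the SSH daemon OpenWrt ships.
SAMPLE_LOG = """\
Dec  4 16:30:01 router dropbear[1201]: Bad password attempt for 'root' from 203.0.113.7:51234
Dec  4 16:30:02 router dropbear[1201]: Bad password attempt for 'admin' from 203.0.113.7:51236
Dec  4 16:30:03 router dropbear[1201]: Bad password attempt for 'pi' from 203.0.113.7:51238
Dec  4 16:30:04 router dropbear[1201]: Bad password attempt for 'ubnt' from 203.0.113.7:51240
Dec  4 16:31:10 host sshd[881]: Failed password for invalid user oracle from 198.51.100.9 port 40210 ssh2
Dec  4 16:31:11 host sshd[881]: Failed password for root from 198.51.100.9 port 40212 ssh2
Dec  4 16:45:00 host sshd[890]: Failed password for alice from 192.0.2.20 port 50000 ssh2
"""

# One pattern for both daemons; the dropbear message format is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?:"
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<u1>\S+) from (?P<ip1>[\d.]+) port \d+"
    r"|dropbear\[\d+\]: Bad password attempt for '(?P<u2>[^']+)' from (?P<ip2>[\d.]+):\d+)"
)

def parse_failures(text, year=2023):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip1"] or m["ip2"], m["u1"] or m["u2"]

def find_bruteforce(text, window=timedelta(minutes=5), min_attempts=4, min_users=2):
    """Map each suspicious source IP to (attempts, distinct usernames) in its busiest
    window. Many usernames in one burst is the signature of a replayed credential list."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            burst = events[start:end + 1]
            users = {u for _, u in burst}
            if len(burst) >= min_attempts and len(users) >= min_users:
                if ip not in flagged or len(burst) > flagged[ip][0]:
                    flagged[ip] = (len(burst), len(users))
    return flagged
```

With the sample lines, find_bruteforce(SAMPLE_LOG) flags only 203.0.113.7 (four attempts across four usernames in four seconds); the single mistyped password from 192.0.2.20 is never flagged because it involves one username.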
Relevance of the evolution of P2PInfect
P2PInfect's approach to evading detection includes self-termination during scans and an attempt to disable Linux core dumps, the files the kernel writes when a process crashes unexpectedly. The MIPS variant embeds a 64-bit Windows DLL module for Redis that allows shell commands to be executed on compromised systems. Cado Security highlighted the scope of these developments, noting that the breadth of P2PInfect's targeting and the adoption of advanced techniques, together with the use of Rust for cross-platform development, point to a highly sophisticated threat actor.
12/04/2023 16:39
Marco Verro