
A persistent piece of malware is targeting the in-memory data store Redis. It was discovered and disclosed earlier this month, but has since managed to adapt and shift its approach.

P2Pinfect is malware that targets Redis. Redis is open-source software commonly deployed as a cache to make websites load faster.

Cado Security tracked down the malware and provided more details in an investigation report. The investigation found a malware sample that combined an embedded Portable Executable (PE) with an ELF executable. This would indicate that the malware could run on Windows and Linux systems.

The malware is written in the Rust programming language, which makes it easier to port to different platforms. Rust also complicates code analysis, because of the complexity of the language and the limited tooling available for reverse engineering it.

High adaptability

The Windows version of the malware was highlighted earlier this month by researchers at Palo Alto Networks’ Unit 42. However, the researchers at Cado found another access route, indicating that the malware can adapt quickly.

The malware has the potential to be used for cryptocurrency mining, although that is not currently the case.

P2Pinfect does, however, score the maximum ten out of ten on the vulnerability severity scale, since the flaw it exploits lets attackers execute code remotely. Once an infected device has joined the peer-to-peer network, or botnet, the malware downloads scripts specific to the operating system along with further malicious binaries.

Initial access is given to the malware via vulnerability CVE-2022-0543, which was disclosed back in 2022. According to Unit 42, 934 Redis systems are vulnerable to P2Pinfect. However, the malware will attempt to infect all Redis systems and may succeed due to its high adaptability.

Creating Botnet

Currently, the attackers seem to be concentrating mainly on building a botnet. Once enough systems are infected, the botnet could be used for crypto-mining, a capability the researchers have already observed in the code. A botnet can also serve to carry out DDoS attacks or for activities such as password spraying. For the latter, the malware AVrecon is currently being used.

Also read: AVrecon: the malware with a botnet army of 70K routers