P2PInfect self-replicating Rust worm discovered attacking Redis instances

P2PInfect: A CGI render of Europe, North Africa, and the Middle East as viewed from space, with red light similar to fiber optic cables arcing up from points on the Earth (including from other unseen continents) to represent malware attacks.
(Image credit: Getty Images)

Experts have warned of a sophisticated peer-to-peer (P2P) worm, written in Rust, targeting instances of the open-source database software Redis.

The worm leverages a critical vulnerability to establish itself within a Redis instance, which is then assimilated into a wider P2P network used to spread the worm further.

After the worm infects a Redis instance, it creates a P2P connection via port 60100 to a large command and control (C2) botnet. This is used to download further malicious samples, after which the worm scans for other exposed Redis instances to infect.

Cloud researchers at Unit 42, Palo Alto Networks discovered the worm and named it ‘P2PInfect’ after a term found within leaked symbols in the worm’s code.

At the heart of P2PInfect’s infection chain is the exploitation of CVE-2022-0543, a sandbox escape vulnerability in the Lua Library.

The vulnerability’s maximum severity score of 10.0 on the CVSSv3 severity scale highlights the possibilities open to attackers if it’s exploited.

Flaws with the maximum severity score are rare, and they are often designated the maximum mark due to the high potential impact of an attack resulting from their exploitation, which can extend beyond just the vulnerable component.

Leveraging this specific vulnerability allows the worm to operate in cloud container environments, an unachievable feat for other worms aimed at Redis such as the cryptojacking malware operated by Adept Libra.

RELATED RESOURCE

Dark whitepaper cover with orange shapes behind text: A prudent approach to major security incidents

(Image credit: ServiceNow)

A prudent approach to major security incidents

Learn how you can confidently support constant technology change by protecting your organization from threats.

DOWNLOAD FOR FREE

Once present within a Redis instance, the worm runs a Powershell script, which changes local firewall settings to prevent the infected Redis instance from being accessed by its owners, while opening a port to give the worm operators free access.

This is one of several sophisticated methods that P2PInfect uses to establish persistence on infected systems. 

Another is a process titled ‘Monitor’, saved to the Temp folder within a user’s AppData directory, which when run downloads multiple randomly named P2PInfect executables alongside an encrypted configuration file.

Although the samples downloaded from the threat actor’s C2 include two labeled ‘miner’ and ‘winminer’, Unit 42 was unable to establish any evidence of the worm performing cryptomining using infected instances.

Researchers posited that at this stage, P2PInfect may be laying the groundwork for a more active future campaign in which mining activity could be initiated using the botnet. As Redis runs on both Windows and Linux, it has a wide potential victim base.

This was supported by unexplained features in the C2 that allow the worm to update, and open the possibility of P2PInfect being granted new behaviors and features in the future.

Unit 42 discovered the worm on 11 July using its HoneyCloud platform, a geographically varied set of honeypots used to attract and analyze public cloud threats, and collected evidence to suggest that it is quickly spreading.

Of 307,000 publicly-communicating Redis instances observed by researchers, 934 were identified as vulnerable though the exact number of malicious nodes in the botnet has not yet been established.

“As the world’s most popular in-memory database, it’s no surprise that Redis installations are frequently the target of threat actors, and we are glad to see cybersecurity researchers actively working to find these bad actors," a Redis spokesperson told ITPro.

"We’ve previously seen other malware created to take advantage of CVE-2022-0543, a vulnerability created by how certain versions of Debian Linux package the Lua engine for open source Redis. Redis Enterprise software bundles a hardened version of the Lua module which is not susceptible to this vulnerability.

"As such, customers running Redis Enterprise licensed software are not at risk from CVE-2022-0543 and P2PInfect. Users of open source Redis are encouraged to use official distributions available directly from redis.io.”

Many ransomware groups have moved to Rust in the past year, for benefits such as faster encryption and more effective evasion of common detection methods.

But outside of malware, Rust offers a number of benefits over other programming languages. 

The NSA has recommended it for its ‘memory safe’ qualities in comparison to languages such as C++ which can contain exploitable flaws based on memory, while Microsoft has released kernel features written in Rust and advocated for widespread uptake of the language across the industry.

TOPICS
Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.