'P2PInfect' Worm Grows Teeth With Miner, Ransomware & Rootkit

A previously harmless Linux botnet has been updated to include a suite of malicious and exploitative components.

The unimaginatively named "P2PInfect" is a worm that leverages the Redis in-memory database application to spread across networks in a peer-to-peer, worm-like manner, creating a botnet along the way. By the time it was first discovered about a year ago, it had yet to cause anyone any real damage — a fact which it used to stealthy effect, by creating very little ruckus in newly infected networks.

This is not the case anymore. According to Cado Security, an update has been propagated across P2PInfect infections globally which includes a brand new rootkit, cryptominer, and even ransomware.

"Last year we were sitting there, scratching our heads, going: 'Why?,'" Al Carchrie, R&D lead solutions engineer at Cado Security, recalls about seeing the innocuous botnet for the first time. "It wasn't until the last couple of weeks that we saw there had been changes — it seems to have grown arms and legs."

How PRPInfect Started

On first impression, researchers observed a few things about P2PInfect that they could explain, and a few they couldn't.

First, the known: P2PInfect targeted misconfigured Redis-integrated servers accessible from the Internet. With such an inroad into a network, the malware took advantage of Redis' leader-follower topology, in which a designated "leader" node handles the primary copy of some data, and spreads exact copies to a network of follower nodes. The program used this mechanism to spread itself between Redis nodes across networks.

This seemed to be a good way to establish command-and-control (C2) and potentially spread second-stage malware. At the time, though, this quasi botnet wasn't being used for much at all.

Researchers did note, though, that the word "miner" popped up in P2PInfect's code — a potential indication of what was to come, perhaps, but nothing more.

"Our best estimate was that they were trying to do an initial spread as a botnet, probably to get a significant mass, so that when their plan came into action, it would then be more effective because they'll have a significant number of hosts," Carchrie says.

That prediction has now come to fruition.

How P2PInfect Is Going

P2PInfect has been updated with a usermode rootkit, and its "miner" binary has been activated. In the time since, the malware has leveraged its victims to mine around 71 Monero coins, equivalent to around £10,000.

Interesting, too, is a new ransomware component targeting a variety of file types including .xls, .py, .sql, and more. Though scary in theory, this aspect of P2PInfect seems to have been thought through the least.

For one thing, the ransomware looks for specific file extensions, but Linux does not necessarily require that files have extensions to begin with.

More to the point: Redis doesn't save any data to disk by default—its whole value proposition surrounds storage in-memory. It can be configured to save data to files, but the extension for these files—.rdb—is not among those sought by the ransomware. "With that in mind," Cado wrote, "it's unclear what the ransomware is actually designed to ransom."

What to Do

From Carchrie's vantage point, P2PInfect infections appear to be most concentrated in East Asia.

Redis is commonly used in businesses across the globe, though. Its open source version has more than four billion Docker pulls, and nearly 10,000 organizations use its Enterprise product, including British Airways and MGM Resorts.

So, he warns, organizations have to watch that their servers are properly protected from outside threats — only exposed to trusted users, behind firewalls, properly configured, etc.

And while it's not so easy to spot totally dormant malware, now that P2PInfect is revved up, it should be leaving behind plenty of easily detectable artifacts. "The cryptomining is going to drain as much CPU as possible, and the ransomware will go after files on disks, so disk utilization then starts to spike as well. You'll be looking for indications of those," he says.