New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices

Dec 04, 2023NewsroomMalware / Botnet

Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that’s capable of targeting routers and IoT devices.

The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach.

“It’s highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware,” security researcher Matt Muir said in a report shared with The Hacker News.

P2PInfect, a Rust-based malware, was first disclosed back in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) for initial access.

A subsequent analysis from the cloud security firm in September revealed a surge in P2PInfect activity, coinciding with the release of iterative variants of the malware.

The new artifacts, besides attempting to conduct SSH brute-force attacks on devices embedded with 32-bit MIPS processors, pack in updated evasion and anti-analysis techniques to fly under the radar.

The brute-force attempts against SSH servers identified during the scanning phase are carried out using common username and password pairs present within the ELF binary itself.

It’s suspected that both SSH and Redis servers are propagation vectors for the MIPS variant owing to the fact that it’s possible to run a Redis server on MIPS using an OpenWrt package known as redis-server.

One of the notable evasion methods used is a check to determine if it’s being analyzed and, if so, terminate itself, as well as an attempt to disable Linux core dumps, which are files automatically generated by the kernel after a process crashes unexpectedly.

The MIPS variant also includes an embedded 64-bit Windows DLL module for Redis that allows for the execution of shell commands on a compromised system.

“Not only is this an interesting development in that it demonstrates a widening of scope for the developers behind P2PInfect (more supported processor architectures equals more nodes in the botnet itself), but the MIPS32 sample includes some notable defense evasion techniques,” Cado said.

“This, combined with the malware’s utilization of Rust (aiding cross-platform development) and rapid growth of the botnet itself, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor.”