Full Report
A campaign targeting misconfigured Redis servers with a peer-to-peer self-replicating worm named P2Pinfect. The campaign exploits a critical vulnerability and makes use of the SLAVEOF feature to install malware that acts as a botnet agent. P2Pinfect is written in Rust and empl...
Analysis Summary
# Tool/Technique: P2Pinfect
## Overview
P2Pinfect is a peer-to-peer (P2P) self-replicating worm primarily observed targeting misconfigured Redis servers. Its primary purpose is initial access to vulnerable systems, followed by the installation of a botnet agent for resource hijacking.
## Technical Details
- Type: Malware family (Worm, Botnet Agent)
- Platform: Linux (implied by the Lua sandbox escape vulnerability and shared object module installation) and potentially Windows (mentioned for the monitor process).
- Capabilities: Self-replication, vulnerability exploitation, remote code execution, botnet agent installation.
- First Seen: Campaign observed around July 31, 2023.
## MITRE ATT&CK Mapping
*Note: Based on the described execution flow.*
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
  - T1190.004 - Exploit Public-Facing Application: Server Software
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
  - T1059.006 - Command and Scripting Interpreter: Python (if scripts are downloaded)
- **TA0004 - Privilege Escalation**
  - T1548 - Abuse Elevation Control Mechanism
  - T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control (not confirmed, but RCE often leads to escalation)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (implied for botnet communication)
## Functionality
### Core Capabilities
* **Exploitation:** Exploits CVE-2022-0543 (a Debian-specific Lua sandbox escape vulnerability, CVSS 10) to achieve Remote Code Execution (RCE) on the Redis instance.
* **Replication:** Functions as a self-replicating worm across the network by targeting other misconfigured Redis servers.
* **Payload Delivery:** Downloads OS-specific scripts and binaries after successful initial infections.
### Advanced Features
* **Persistence via Module Loading:** Utilizes the Redis `SLAVEOF` command feature to load a malicious module (Linux shared object file or a 'Monitor' process on Windows) for persistent control.
* **P2P Architecture:** Operates as a peer-to-peer network, distributing control and resilience among infected nodes.
* **Botnet Agent:** The installed malware functions as a botnet agent for resource hijacking.
* **Written in Rust:** Indicates modern compilation and potential evasion techniques.
## Indicators of Compromise
- File Hashes: [Not specified in the provided context]
- File Names: [OS-specific scripts and binaries downloaded, Redis shared object module (.so)]
- Registry Keys: [Not specified in the provided context]
- Network Indicators:
  - Behavioral: Use of the Redis `SLAVEOF` command targeting vulnerable instances.
- Behavioral Indicators:
  - Execution of Lua code via Redis leading to remote command execution.
  - Installation of a shared object file via the Redis module loading mechanism.
## Associated Threat Actors
- [Not specified in the provided context, designated generically as the P2PInfect campaign.]
## Detection Methods
- **Signature-based detection:** Signatures for the Rust binary/payloads (if available). Detection for known file hashes once identified.
- **Behavioral detection:** Monitoring for unauthorized use of the Redis `SLAVEOF` command pointing to external or unexpected IP addresses/ports, since that replication path is the mechanism used for module injection.
- **YARA rules:** [Not specified in the provided context]
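The behavioral check above, as an added example that is not part of the original report: it parses `redis-cli MONITOR` output lines and flags `SLAVEOF`/`REPLICAOF` commands that point at a master outside an operator-maintained allowlist or outside internal address space, as well as `MODULE LOAD`. The allowlist, internal ranges and sample lines are constructed assumptions for this example.

```python
import re
from ipaddress import ip_address, ip_network

# One line of `redis-cli MONITOR` output looks like:
#   <timestamp> [<db> <client-ip>:<port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Replication relationships the operator has approved (assumed, constructed values).
ALLOWED_MASTERS = {("10.0.0.1", "6379")}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

def parse_monitor_line(line):
    """Return {'ts', 'client', 'args'} for a MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "args": ARG_RE.findall(m.group("args"))}

def check_event(ev):
    """Return an alert string for a suspicious replication or module command, else None."""
    if not ev or not ev["args"]:
        return None
    cmd = ev["args"][0].upper()
    if cmd in ("SLAVEOF", "REPLICAOF") and len(ev["args"]) >= 3:
        host, port = ev["args"][1], ev["args"][2]
        if host.upper() == "NO":  # SLAVEOF NO ONE promotes the node to master; benign
            return None
        try:
            external = not any(ip_address(host) in net for net in INTERNAL_NETS)
        except ValueError:
            external = True  # a hostname rather than an IP: treat as unknown/external
        if external or (host, port) not in ALLOWED_MASTERS:
            return f"{cmd} to unapproved master {host}:{port} from client {ev['client']}"
    if cmd == "MODULE" and len(ev["args"]) >= 2 and ev["args"][1].upper() == "LOAD":
        path = ev["args"][2] if len(ev["args"]) > 2 else "?"
        return f"MODULE LOAD of {path} from client {ev['client']}"
    return None

def scan(lines):
    """Run every line through the parser and checker; return the list of alerts."""
    return [a for a in (check_event(parse_monitor_line(l)) for l in lines) if a]

# Constructed sample MONITOR output: one legitimate replica change, one external
# SLAVEOF, one module load and one benign promotion to master.
SAMPLE = [
    '1690780800.123456 [0 10.0.0.7:40012] "SET" "session:1" "abc"',
    '1690780801.000001 [0 10.0.0.7:40012] "REPLICAOF" "10.0.0.1" "6379"',
    '1690780802.500000 [0 198.51.100.23:51234] "SLAVEOF" "203.0.113.10" "60101"',
    '1690780803.000000 [0 198.51.100.23:51234] "MODULE" "LOAD" "/tmp/module.so"',
    '1690780804.000000 [0 10.0.0.7:40012] "SLAVEOF" "NO" "ONE"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ALERT:", alert)
```

`MONITOR` carries a noticeable throughput cost on busy instances, so in production the same check is better fed from an ACL log or a command-auditing proxy than from a permanent MONITOR session.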
## Mitigation Strategies
- **Patching/Configuration Management:** Immediately patch systems vulnerable to CVE-2022-0543 (if applicable to the environment, as it is Debian-specific).
- **Configuration Hardening:** Disable unnecessary or dangerous Redis features, specifically restricting network access to Redis instances.
- **Principle of Least Privilege:** Ensure Redis instances are not exposed to the public internet.
- **Disabling Dangerous Commands:** Restrict or monitor the use of sensitive commands like `SLAVEOF` if possible, or ensure strict network controls prevent exploitation via this mechanism.
## Related Tools/Techniques
- General Redis Exploitation techniques leveraging configuration weaknesses.
- Other malware families utilizing P2P architectures for resilience (e.g., Muhstik, Kinsing).