Researchers at Cado Security Labs detected a malware campaign named P2Pinfect attacking Redis data stores. In a press release today, Cado, a UK-based cloud forensics and first response provider, summarizes the capabilities of the virus, its payload, and its method of attack.
Redis (REmote DIctionary Server) is an in-memory multi-modal database popular for its sub-millisecond latency, with the concept of a cache being a durable data store. This open-source NoSQL database is most popular with live-streaming and quick-response use cases with companies like Twitter, GitHub, Snapchat, Craigslist, and StackOverflow.
P2Pinfect is a botnet agent malware written in RUST with the following capabilities:
- Attempts multiple Redis exploits for initial access
- Utilizes Rust for payload development, making analysis tricky
- Uses multiple evasion techniques to hinder dynamic analysis
- Conducts internet scanning for Redis and SSH servers
- Self-replication in a worm-like manner
Unit42 researchers previously encountered the virus infecting Windows and Linux servers. In their findings, out of 307,000 unique Redis systems, at least 934 may be vulnerable to this CVE-2022-0543 peer-to-peer worm variant.
Cado Security uses honeypot telemetry, a military espionage technique, to steal enemy secrets by baiting and trapping targets. Researchers created instances of Redis data store, compromised by the P2Pinfect malware once exposed.
It created a malicious instance to enable replication and became part of the distribution network. It is a typical attack pattern against the leader/follower Redis topology.
The connecting point to the network is through the issuance of the "SLAVEOF" command. Once compromised, attackers can load a malicious Linus shared object file to extend the functionalities of the data store. The screenshot below shows how the command is used to gain initial access.
After access is gained, the "MODULE LOAD" command is used by the attackers to load exp.so object files to the network, providing reverse shell access.
The primary payload is an ELF (Executable and linking format) written in C and RUST that ultimately gains access to the SSH server by adding the following key to the authorized_keys file for the current user:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/2CmHl/eiVchVmng4TEPAxOnO+6R0Rb/W+zlwCR+/g3mHqsiadebQx4rd5Ru/2HnSIut2kxm9Pz4ycxMIP4tNqyeHGpXhngTHnCduUwDofkVwzuy1GtDWXwlZbW3a4FDkPB4QwyHzB62+8G2L8CaG/3v26acRef9UWO2JepanMAkJo0oOrFg/chMbTcrhXwhbesTnb12yhaXBS8KgF1bWkMEqPvAGAFBj1G19dBcThK/qw1Wg2wIEl23kDdc5P4tRVvisYj9s5pqIG/+i9AjAlpS8AEqymmYjA3xUyWc/2D1BytbHIZCn5rGlrTNM1GcB/cCTByqdOEbckBi17cOXBDKmG/NRSj7in71Rh81R54xhIn5FTGGBxtrxXhHVkfyRl23IRCnZevrM41Lra3WaFYNMVgmfjf78L98mAByoSI2ztwYpSksVnrtjLC7o73fLff2Ttyie7tRIkbGcm7wlUP81U6Qk+4AwuxfxRQhol9glY7JqdRmmqjYjfviy10wgLRBhtjdIDWSF18CsL0qW60/3YvYt+AtW0JXMMXq8KKUOWEAqbJTddKTsd0H5nvxbz+pBgeB850DcNwUm+Ko1x6zKbM4KqM8xpQDfFf139ZLsq6aW34jZJ1/2HxNtVs39tt/N1BvoZcsV8yH/du09LWf113BFNmkMYz1YUrT+1w== email@example.com
By adding the key to the authorized users' list, the malware can do the following operations in the system:
- Renames the wget and curl binaries to wgbtx and clbtx respectively. This is likely an attempt to hinder any incident responders from using them to pull down forensics tools, as well as preventing EDR solutions from detecting the usage of the command. This is a common TTP for cloud threat actors.
- Checks for the iptables command, and installs it if it is not found. It has several commands specific to individual package managers, so it can be installed regardless of the Linux distribution in use.
- Checks for the awk command, and installs it if it is not found. Like the previous command, it will try to use several package managers.
- Checks for the netstat command, and installs it if it is not found. Like the previous commands, it will try to use several package managers.
- Uses netstat and awk to collect a list of all IPs that are currently connected to the Redis server running on the target host.
- Adds an iptables rule to allow traffic from each of these IPs to the redis server.
- Adds an iptables rule to deny all other traffic to the redis server.
- Adds an iptables rule to allow all traffic to a randomly chosen port that the primary payload listens on for botnet communications.
This sophisticated malware is difficult to detect for several reasons, including using Rust and mixing it with C's Foreign Function Interface feature, which adds high complexity to the code and a lack of tooling to analyze them.
Cado's analysis did not observe any activity similar to cryptocurrency mining, something that could be added as the malware is capable of updating itself to add more functionalities. You can identify a compromised host with the following indicators:
You can learn more in-depth malware behavior analysis at Cado Security Lab's report here.