Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic

MITRE Techniques

• [T1059] Command and Scripting Interpreter – The attacker delivers a malicious Redis module to the target, allowing arbitrary shell commands to be run. Quote: “The attacker delivers a malicious Redis module to the target, allowing arbitrary shell commands to be run.”
• [T1105] Ingress Tool Transfer – The malware retrieves the primary payload from a designated downloader node via /dev/tcp, then writes and executes it. Quote: “The command utilizes the /dev/tcp device file to retrieve the primary payload from a designated downloader node (referred to as IA Downloader)…”
• [T1046] Network Service Scanning – After infection, each peer scans the local network and the Internet for exposed Redis and SSH servers. Quote: “after successful infection, each peer will conduct scanning of both the local network and the Internet for exposed Redis and SSH servers.”
• [T1021.004] Remote Services (SSH) – P2Pinfect propagates via SSH brutes and credential lists to gain access to new hosts. Quote: “The malware also has the ability to propagate via SSH, and includes a list of username/password pairs to assist with SSH brute-forcing.”
• [T1053] Scheduled Task/Job – Cron persistence is added, with cron writing to /etc/crontab and /var/spool/cron, launching the main payload periodically. Quote: “cron job launches the primary payload (linux) at every 30th minute of the hour and passes in an encoded argument.”
• [T1098] SSH Authorized Keys (Persistence) – New variants overwrite SSH authorized_keys with attacker-controlled keys to block logins and ensure persistence. Quote: “Recent versions of P2Pinfect overwrite existing SSH authorized_keys files with an attacker-controlled SSH key.”