From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer

P2Pinfect, a Rust-based worm that uses a peer-to-peer botnet for C2, has evolved from dormant spreading to delivering a ransomware payload and a cryptocurrency miner. The update details how it spreads via Redis and SSH, deploys the rsagen ransomware and a Monero miner, and installs a usermode rootkit to evade detection. #P2Pinfect #rsagen

Keypoints

  • P2Pinfect is a Rust-based worm that uses a P2P botnet for its command and control, recently adding a ransomware and crypto miner payload.
  • Initial access relies on Redis replication (leader/follower) using SLAVEOF to turn nodes into followers and load a malicious .so module for arbitrary command execution; it also uses a Redis config-based vector to write a cron job.
  • The malware self-propagates as a worm, scanning the internet for more servers to infect and deploying a basic SSH password spray with limited success.
  • It drops an SSH key into the current user’s authorized_keys and alters SSH/Redis access controls to hinder other attackers and enable root login with password where possible.
  • The botnet forms a large mesh to propagate updates via gossip, enabling rapid distribution of new binaries across infected hosts.
  • New payloads include rsagen (ransomware) and a Monero cryptocurrency miner (XMRig), with specific wallet details and a ransom note; encryption targets many file types and appends .encrypted.
  • A usermode rootkit (libs.so.1) uses LD_PRELOAD to hide processes/files by hijacking system calls and filtering visibility in /proc, with a bypass via an environment variable.
  • There is speculation that P2Pinfect may be a botnet-for-hire due to its modular delivery of rsagen from a fixed URL and distinct miner and ransomware wallets, though evidence is mixed.
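The two Redis initial-access vectors in the keypoints (SLAVEOF replication followed by loading a .so module, and CONFIG commands pointed at a cron directory) leave a recognisable command sequence on the server. The following is an added detection example, not code from Cado Security or the P2Pinfect analysis: it parses a constructed per-client command log (the log format, the client addresses and the timestamps are assumptions) and flags, per client, a replication command followed by MODULE LOAD, and a CONFIG SET dir into a cron directory followed by a SAVE.

```python
"""Flag the Redis abuse sequences described above in a command log.

Added example; the log line format (timestamp, client address, command
arguments) is an assumption for illustration and is not Redis's own log
output.  Run it against a log you export yourself, e.g. from a proxy or
from MONITOR output reformatted into this shape.
"""
import re
from collections import defaultdict

# Constructed sample log (addresses from documentation ranges).
SAMPLE_LOG = """\
2024-06-25T10:00:01Z 203.0.113.5:51000 PING
2024-06-25T10:00:02Z 203.0.113.5:51000 SLAVEOF 198.51.100.7 6379
2024-06-25T10:00:05Z 203.0.113.5:51000 MODULE LOAD /tmp/exp.so
2024-06-25T10:00:06Z 203.0.113.5:51000 SLAVEOF NO ONE
2024-06-25T10:01:00Z 203.0.113.9:52000 CONFIG SET dir /var/spool/cron
2024-06-25T10:01:02Z 203.0.113.9:52000 SAVE
2024-06-25T10:02:00Z 10.0.0.4:40000 GET session:abc
2024-06-25T10:02:01Z 10.0.0.4:40000 CONFIG SET dir /var/lib/redis
"""

# Directories where a dumped RDB file would be picked up by cron (assumption:
# extend for your distribution's cron layout).
CRON_DIRS = ("/var/spool/cron", "/etc/cron")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<cmd>.+)$")


def parse(log):
    """Yield (timestamp, client, argv) tuples for well-formed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("client"), m.group("cmd").split()))
    return events


def detect(log):
    """Return [(client, rule, timestamp)] findings, tracking state per client."""
    findings = []
    state = defaultdict(lambda: {"replicating": False, "cron_dir": False})
    for ts, client, argv in parse(log):
        cmd = argv[0].upper()
        sub = argv[1].upper() if len(argv) > 1 else ""
        s = state[client]
        if cmd in ("SLAVEOF", "REPLICAOF") and sub != "NO":
            # Node turned into a follower of an attacker-controlled leader.
            s["replicating"] = True
        elif cmd == "MODULE" and sub == "LOAD":
            # Module load is rare in production; after SLAVEOF it is the
            # leader/follower RCE pattern from the keypoints.
            rule = "replication-then-module-load" if s["replicating"] else "module-load"
            findings.append((client, rule, ts))
        elif cmd == "CONFIG" and sub == "SET" and len(argv) >= 4:
            key, value = argv[2].lower(), argv[3]
            if key == "dir" and value.startswith(CRON_DIRS):
                s["cron_dir"] = True
                findings.append((client, "config-dir-cron", ts))
        elif cmd in ("SAVE", "BGSAVE") and s["cron_dir"]:
            # Dump written into a cron directory: the cron initial-access vector.
            findings.append((client, "dump-into-cron-dir", ts))
    return findings


if __name__ == "__main__":
    for client, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts} {client} {rule}")
```

The per-client state matters: a SLAVEOF on its own can be legitimate replication, and a CONFIG SET dir on its own may be an operator; it is the combination from one client that indicates the worm's vector. The third client in the sample changes dir to a normal data path and produces no finding. On the prevention side, the same commands are the ones to rename or disable with the rename-command directive and to keep behind protected mode and a password.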

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The attacker can send arbitrary commands to the follower for it to execute. ‘The attacker can send arbitrary commands to the follower for it to execute.’
  • [T1021] Lateral Movement – P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. ‘P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above.’
  • [T1053] Scheduled Task: Cron – It abuses the config commands to write a cron job to the cron directory. ‘utilises another Redis initial access vector where it abuses the config commands to write a cron job to the cron directory’
  • [T1098] SSH Authorized Keys – The malware drops an SSH key into the authorised key file for the current user. ‘The malware drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.’
  • [T1543.003] Create or Modify System Process – It writes a shared object (.so) file and instructs the follower to load it, enabling arbitrary command execution. ‘…write out a shared object (.so) file, and then instructs the follower to load it. Once this is done, the attacker can send arbitrary commands to the follower for it to execute.’
  • [T1564.001] Hide Artifacts – The rootkit hides artifacts by hijacking system calls and filtering visibility, e.g., ‘hijacks legitimate calls to it in order to hide specific information’ and blocks certain ports in /proc/net/tcp.
  • [T1027] Obfuscated/Compressed Files and Information – The main payload is written in Rust with tokio and packed with UPX, and is stripped/partially obfuscated. ‘The main binary appears to have undergone a rewrite… packed with UPX… partially obfuscated.’
  • [T1496] Resource Hijacking – The miner (XMRig) is configured with a Monero wallet and pool; mining activity is observed, indicating resource hijacking. ‘It features a built-in configuration, with the monero wallet and pool preconfigured.’
  • [T1486] Data Encrypted for Impact – The rsagen ransomware encrypts files and appends .encrypted; a ransom note ‘Your data has been locked!.txt’ is created. ‘After writing out the note, the ransomware iterates through all directories on the file system, and overwrites the contents with an encrypted version. It then appends .encrypted to the end of the file name.’
  • [T1105] Ingress Tool Transfer – The main binary downloads and executes rsagen from a fixed URL. ‘download and run a new binary called rsagen’ and ‘http://129.144.180.26:60107/dl/rsagen’.
  • [T1110] Brute Force – SSH password spray uses common passwords with common users, though less effective than Redis.
  • [T1095] Non-Application Layer Protocol – The botnet uses a peer-to-peer gossip approach to propagate updates across peers. ‘notify one peer, and it will inform all its peers and so on’ (non-standard C2 channel).
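The usermode rootkit described under Hide Artifacts and in the keypoints works through LD_PRELOAD, so its two footholds are the /etc/ld.so.preload file and the LD_PRELOAD variable in process environments. The following added audit script is not Cado's code: it parses those two sources (with constructed sample content for offline use; the trusted-library allow-list and the file name match on libs.so.1 from the IoC list are assumptions) and also offers a function to run the same checks on a live host.

```python
"""Audit for an LD_PRELOAD usermode rootkit such as the libs.so.1 described above.

Added example.  The parsing functions take file content and environ blobs as
arguments so they can be tested offline; audit_live_host() applies them to
/etc/ld.so.preload and /proc/<pid>/environ on the running system.
"""
import os
from pathlib import Path

# Library directories considered legitimate for a preloaded object (assumption;
# adjust per distribution).  Anything under /tmp, /dev/shm or a home dir is flagged.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
TRUSTED_PREFIXES = tuple(d + "/" for d in TRUSTED_LIB_DIRS)
ROOTKIT_NAME = "libs.so.1"  # file name from the IoC list


def suspicious_preload_paths(preload_text):
    """Return entries of /etc/ld.so.preload that lie outside trusted dirs."""
    hits = []
    for raw in preload_text.splitlines():
        path = raw.split("#", 1)[0].strip()  # the loader ignores comments
        if path and not path.startswith(TRUSTED_PREFIXES):
            hits.append(path)
    return hits


def ld_preload_from_environ(environ_blob):
    """Extract LD_PRELOAD from a NUL-separated /proc/<pid>/environ blob, or None."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def audit_environs(environs):
    """environs: {pid: bytes}.  Return [(pid, LD_PRELOAD value)] for flagged pids."""
    flagged = []
    for pid, blob in environs.items():
        value = ld_preload_from_environ(blob)
        if value is None:
            continue
        # LD_PRELOAD may list several objects separated by ':' or spaces.
        for lib in value.replace(":", " ").split():
            if os.path.basename(lib) == ROOTKIT_NAME or not lib.startswith(TRUSTED_PREFIXES):
                flagged.append((pid, value))
                break
    return flagged


def audit_live_host(proc="/proc", preload_file="/etc/ld.so.preload"):
    """Run both checks on the running system (reading other processes' environ
    needs root).  Returns {'ld_so_preload': [...], 'processes': [...]}."""
    preload = Path(preload_file)
    preload_hits = suspicious_preload_paths(preload.read_text()) if preload.exists() else []
    environs = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                environs[int(entry)] = Path(proc, entry, "environ").read_bytes()
            except OSError:
                continue  # process exited or not readable
    return {"ld_so_preload": preload_hits, "processes": audit_environs(environs)}


# Constructed sample data for offline use.
SAMPLE_PRELOAD = "/usr/lib/libfoo.so\n/tmp/libs.so.1\n"
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libs.so.1\0HOME=/root\0",
    102: b"PATH=/usr/bin\0HOME=/home/app\0",
    103: b"LD_PRELOAD=/usr/lib/libasan.so.6\0",
}

if __name__ == "__main__":
    print("ld.so.preload:", suspicious_preload_paths(SAMPLE_PRELOAD))
    print("processes:", audit_environs(SAMPLE_ENVIRONS))
```

One caveat for the live check: a preloaded rootkit that filters /proc visibility hijacks the very libc calls a dynamically linked Python uses for os.listdir, so if the auditing process itself has the library preloaded it will not see the hidden processes. Run the audit from a statically linked tool or from a rescue environment, and treat a non-empty /etc/ld.so.preload as worth an explanation on any server.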

Indicators of Compromise

  • [IP] 129.144.180.26:60107 (download server for rsagen); 88.198.117.174:19999, 159.69.83.232:19999, 195.201.97.156:19999 (mining pools)
  • [File Hash] 4f949750575d7970c20e009da115171d28f1c96b8b6a6e2623580fa8be1753d9 (main binary)
  • [File Hash] 2c8a37285804151fb727ee0ddc63e4aec54d9460b8b23505557467284f953e4b (bash payload)
  • [File Hash] 8a29238ef597df9c34411e3524109546894b3cca67c2690f63c4fb53a433f4e3 (miner)
  • [File Hash] 9b74bfec39e2fcd8dd6dda6c02e1f1f8e64c10da2e06b6e09ccbe6234a828acb (rsagen)
  • [File] libs.so.1 – Dynamically generated, no consistent hash
  • [File] /tmp/bash – Secondary binary used for health checks
  • [File] /tmp/rsagen – Ransomware payload

Read more: https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer