Researchers have identified a new MIPS-targeted variant of the P2Pinfect botnet, expanding its reach to routers and IoT devices. The sample includes enhanced evasion and an embedded Windows DLL for Redis-related operations, signaling a more sophisticated, cross-platform threat. #P2Pinfect #CadoSecurityLabs
Key Points
- New P2Pinfect variant compiled for 32-bit MIPS targets embedded devices such as routers and IoT.
- Malware written in Rust and capable of peer-to-peer botnet networking, expanding node count via cross-platform support.
- Initial access leverages SSH brute-forcing with embedded username/password pairs; the sample also carries Redis-related components, so Redis remains an additional propagation vector.
- Static analysis reveals a Windows DLL embedded inside the MIPS ELF, built as a Redis module that exposes a system.exec command for running shell commands on the Redis host.
- New defense-evasion techniques include a TracerPid check (reading /proc/self/status to detect an attached debugger or strace) and an anti_vm function in the embedded DLL.
- Core dumps are disabled to hinder forensics, preventing process memory, and with it the BotnetConf configuration, from being captured by researchers.
MITRE Techniques
- [T1110] Brute Force – The malware iterates through embedded username/password pairs to brute-force SSH access. ‘The malware will then iterate through these pairs, initiating a SSH connection with servers identified during the scanning phase to conduct a brute force attack.’
- [T1021.004] SSH – Lateral Movement – Propagation to SSH-enabled devices by scanning for SSH servers and attempting to propagate via SSH as part of its worming procedure. ‘earlier variants had been observed scanning for SSH servers, and attempting to propagate the malware via SSH as part of its worming procedure.’
- [T1068] Exploitation for Privilege Escalation – CVE-2022-0543, a Lua sandbox escape affecting Redis, exploited to execute code on the Redis host. ‘exploitation of CVE-2022-0543 – a sandbox escape vulnerability in the LUA scripting language’
- [T1059.004] Unix Shell – Command and Scripting Interpreter – The embedded Redis module exposes a system.exec command whose handler runs shell commands. ‘Disassembly of the Redis module entrypoint, mapping the system.exec command to a handler’
- [T1497] Virtualization/Sandbox Evasion – Anti-VM check within the embedded Windows DLL to hinder analysis. ‘anti_vm’ function
- [T1562] Impair Defenses – Disables Linux core dumps so process memory cannot be captured for analysis; the TracerPid check additionally detects tracers such as strace or a debugger, and prctl is among the calls involved. ‘disable Linux core dumps’
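The TracerPid check and core-dump disabling listed above are standard Linux anti-analysis primitives, and an analyst wants to recognise both in a sample and know what they do to a forensic workflow. The C program below is an added illustration written for this page; it is not code from the P2Pinfect sample or from Cado Security Labs, and it makes no claim about which exact calls the sample uses (the summary mentions prctl; setrlimit on RLIMIT_CORE is the other common route, so both are shown). The function names and the sample_status text are the example's own.

```c
/* Added example: two Linux anti-analysis checks reimplemented from their
 * description. Not the malware's code; function names are this example's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Constructed /proc/<pid>/status excerpt as it would look under strace -p. */
static const char sample_status[] =
    "Name:\tsvc\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "PPid:\t1\n"
    "TracerPid:\t1337\n"
    "Uid:\t1000\t1000\t1000\t1000\n";

/* Parse the TracerPid field out of /proc/<pid>/status text.
 * Returns the tracer PID (0 = not traced), or -1 if the field is absent. */
long parse_tracer_pid(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    /* strtol skips the tab after the colon. */
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Read this process's own status file and return its TracerPid.
 * A value > 0 means ptrace is attached (gdb, strace, ltrace, ...). */
long self_tracer_pid(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Disable core dumps two ways: a zero RLIMIT_CORE stops the kernel writing a
 * core file, and PR_SET_DUMPABLE=0 marks the process non-dumpable, which also
 * blocks unprivileged ptrace attach and /proc/<pid>/mem reads by same-uid
 * processes. Returns 0 on success, -1 on the first failing call. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Report whether both anti-dump settings are in effect (1) or not (0). */
int core_dumps_disabled(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    int dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return (rl.rlim_cur == 0 && dumpable == 0) ? 1 : 0;
}

int main(void) {
    printf("constructed status text -> TracerPid %ld\n",
           parse_tracer_pid(sample_status));
    printf("this process            -> TracerPid %ld\n", self_tracer_pid());
    if (disable_core_dumps() == 0)
        printf("core dumps disabled: %d\n", core_dumps_disabled());
    return 0;
}
```

Run the binary under strace or gdb and self_tracer_pid() returns the tracer's PID instead of 0, which is the signal a sample like this branches on. The non-dumpable flag matters for live response: once it is set, /proc/<pid>/ entries become root-owned and gcore or a /proc/<pid>/mem read from an unprivileged shell fails, so memory acquisition of a running sample must be done as root (or the check must be patched out before the call is reached).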
Indicators of Compromise
- [File hash] MIPS ELF – 8b704d6334e59475a578d627ae4bcb9c1d6987635089790350c92eafc28f5a6c
- [File hash] Embedded DLL Redis Module – d75d2c560126080f138b9c78ac1038ff2e7147d156d1728541501bc801b6662f
Read more: https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/