Researchers at cloud forensics and incident response platform startup Cado Security Ltd. today detailed a recently discovered malware campaign aimed at Redis data store deployments.

Redis is an open-source in-memory data structure store used as a database, cache and message broker that supports various data structures such as strings, hashes, lists and sets.

The malware, dubbed “P2Pinfect,” is written in the Rust programming language and operates as a botnet agent. A sample analyzed by the researchers contained an embedded Portable Executable and an additional Extendable and Linkable Format executable, indicating cross-platform compatibility between Windows and Linux.

Palo Alto Networks Inc.’s Unit 42 detailed the Windows version of P2Pinfect’s on July 19, noting that the malware was delivered via exploitation of a specific vulnerability in Redis, tracked as CVE-2022-0543. However, Cado researchers have since discovered a different initial access route, showcasing the adaptability of the malware.

P2Pinfect’s capabilities range from attempting multiple Redis exploits for initial access to using Rust for payload development, complicating the analysis process. The malware employs several evasion techniques to obstruct dynamic analysis and actively scans for Redis and SSH servers. In addition, the malware can self-replicate in a worm-like manner, illustrating its resilient nature.

The malware compromises exposed Redis instances by exploiting the replication feature, allowing instances to run in a distributed leader/follower topology, providing high availability and failover for the data store. Malicious replication is achieved by connecting to an exposed Redis instance and issuing specific commands. The vector used by P2Pinfect has been used in previous malware campaigns, including H2miner and Headcrab.

P2Pinfect uses various known Redis exploitation methods, but it was the replication method that succeeded in compromising Cado’s “honeypot” infrastructure. The attacker can load a malicious module through a series of commands, extending Redis’s functionality and enabling reverse shell access.

The primary payload is an ELF, created in a mix of C and Rust programming languages. The payload is said to manipulate the host’s SSH configuration to facilitate the author’s access to the server, including dropping specific binaries and updating certain files.

To aid in its distribution, the malware operates through a peer-to-peer botnet where each infected server is treated as a node. The decentralized structure ensures robust communication without reliance on a central command-and-control server. The binary listens on a randomly selected port and serves payloads via a simple HTTP server, leveraging HTTPS for actual botnet coordination.

“P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2,” the researchers conclude. “The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code) while also making static analysis of the code significantly harder.”

Image: Bing Image Creator