Date: 2023-12-04

The gang behind P2Pinfect, a cloud botnet known for targeting servers running the Redis in-memory storage system, is now looking to expand into the IoT ecosystem, according to a new report. Researchers have recently come across a variant of the P2Pinfect worm designed to run on Linux devices with MIPS processors.

"It's highly likely that by targeting MIPS, the P2Pinfect developers intend to infect routers and IoT devices with the malware," researchers from Cado Security said in a new report. "Use of MIPS processors is common for embedded devices and the architecture has been previously targeted by botnet malware, including high-profile families like Mirai, and its variants/derivatives."

P2Pinfect is an unusual worm

P2Pinfect drew attention when it was discovered earlier this year because it was written in Rust, a modern, cross-platform programming language known for its memory and type safety, and because it spread by compromising Redis deployments on both Linux and Windows systems.

P2Pinfect had two methods of exploiting Redis. One was through a critical vulnerability tracked as CVE-2022-0543 that specifically affected the Redis packages on Debian Linux. Redis allows users to upload and execute scripts written in the Lua programming language to extend the server's functionality. These scripts normally run in a sandbox, but CVE-2022-0543 allowed attackers to write code that escaped the sandbox and executed in the context of the Redis process.

The second infection method involved abusing the Redis replication command that marks a Redis instance as a slave of a master server. This was used to copy a malicious module from an attacker-controlled server and then load it on the victim instances with the MODULE LOAD command.
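Both Redis infection paths described above (the Lua sandbox escape and the replication-plus-MODULE LOAD abuse) depend on an instance that is reachable from the network, unauthenticated, and still exposing those commands. The following audit script is an added example written for this page, not code from Cado Security or the Redis project: it parses a redis.conf and flags the settings that leave either path open. The two sample configurations are constructed; the `requirepass` value is a placeholder, and `enable-module-command` is a Redis 7.0+ directive, so older servers can only disable MODULE through `rename-command`.

```python
"""Audit a redis.conf for the settings that P2Pinfect's Redis infection paths
rely on: network exposure without authentication, reachable MODULE LOAD,
reachable SLAVEOF/REPLICAOF, and reachable Lua scripting."""

# Constructed sample: a weak configuration of the kind found exposed online.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass deliberately left commented out
"""

# Constructed sample: a hardened counterpart (requirepass value is a placeholder).
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-example-placeholder
enable-module-command no
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command EVAL ""
rename-command EVALSHA ""
"""

# Bind tokens that mean "every interface" (Redis 7 allows a leading "-" for optional binds).
EXPOSED_ADDRS = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Parse redis.conf text into (directives dict, set of commands disabled
    via rename-command to the empty string). Last occurrence of a key wins."""
    directives = {}
    disabled = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # redis.conf comments are whole lines
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            parts = value.split(None, 1)
            if len(parts) == 2 and parts[1] == '""':  # renaming to "" disables the command
                disabled.add(parts[0].upper())
            continue
        directives[key] = value
    return directives, disabled


def audit(text):
    """Return a list of 'tag: explanation' findings; an empty list means no weak setting seen."""
    conf, disabled = parse_conf(text)
    findings = []
    # No bind directive at all means Redis listens on all interfaces.
    bind_tokens = {t.lstrip("-") for t in conf.get("bind", "").split()}
    if not bind_tokens or bind_tokens & EXPOSED_ADDRS:
        findings.append("bind: listens on all interfaces (no bind directive, or a wildcard address)")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled, so an exposed instance accepts unauthenticated clients")
    if "requirepass" not in conf and "aclfile" not in conf and "user" not in conf:
        findings.append("auth: no requirepass or ACL configured")
    if "MODULE" not in disabled and conf.get("enable-module-command", "").lower() != "no":
        findings.append("module: MODULE LOAD reachable, the command used to load the malicious module")
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append("replication: SLAVEOF/REPLICAOF reachable, so any client can point the "
                        "instance at an attacker-controlled master")
    if not {"EVAL", "EVALSHA"} <= disabled:
        findings.append("lua: EVAL/EVALSHA reachable; renaming them reduces exposure, but only "
                        "patching the package fixes CVE-2022-0543")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Run against a real redis.conf, the tag in each finding maps to a single directive to change; the replication and module checks are the ones that matter most for the worm's second infection path, since a Redis instance that cannot be made a replica of an arbitrary host and cannot load modules gives that path nothing to use.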

P2Pinfect also attempts to brute-force access

The new variant of the worm, written for the MIPS architecture, also tries to brute-force SSH access, which makes sense for embedded devices as they are more likely to have SSH enabled. In fact, researchers had observed the original versions of the worm scanning random IP address ranges for port 22, but did not see attempts to deliver the worm over SSH at the time.
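On the defending side, SSH password guessing of the kind described above is visible in sshd's authentication log as a burst of "Failed password" lines from one source, often cycling through usernames, and the event worth escalating is a subsequent "Accepted" login from the same source. The script below is an added example, not code from the report; the log lines are constructed in OpenSSH's format and the alert threshold is an assumption to tune per environment.

```python
"""Summarise sshd authentication log lines per source IP and flag sources that
look like password guessing, highlighting any that later logged in."""
import re
from collections import defaultdict

# Constructed sample log lines in OpenSSH format (documentation-range IPs).
SAMPLE_LOG = """\
Dec  4 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51112 ssh2
Dec  4 10:00:02 gw sshd[1203]: Failed password for admin from 203.0.113.7 port 51113 ssh2
Dec  4 10:00:02 gw sshd[1205]: Invalid user pi from 203.0.113.7 port 51114
Dec  4 10:00:03 gw sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 51114 ssh2
Dec  4 10:00:04 gw sshd[1207]: Failed password for root from 203.0.113.7 port 51115 ssh2
Dec  4 10:00:05 gw sshd[1209]: Failed password for root from 203.0.113.7 port 51116 ssh2
Dec  4 10:00:09 gw sshd[1211]: Accepted password for root from 203.0.113.7 port 51117 ssh2
Dec  4 10:01:00 gw sshd[1300]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Dec  4 10:01:20 gw sshd[1302]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# "invalid user" appears when the account does not exist; capture the name either way.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port \d+")


def summarize(log_text):
    """Per source IP: failed-login count, distinct usernames tried, and whether
    a login succeeded from that IP after at least one failure."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            _user, ip = m.groups()
            if stats[ip]["failures"] > 0:
                stats[ip]["success_after_failures"] = True
    return stats


def flag_brute_force(log_text, threshold=5):
    """Return {ip: reason} for sources with at least `threshold` failed logins.
    The threshold is an assumed value; tune it to the host's normal traffic."""
    alerts = {}
    for ip, s in summarize(log_text).items():
        if s["failures"] >= threshold:
            reason = f"{s['failures']} failed logins across {len(s['users'])} usernames"
            if s["success_after_failures"]:
                reason += "; a login then SUCCEEDED (treat as possible compromise)"
            alerts[ip] = reason
    return alerts


if __name__ == "__main__":
    for ip, reason in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The single failed attempt from 198.51.100.20 followed by a key-based login is the normal case and stays below the threshold; the 203.0.113.7 source trips it and, because a password login then succeeded, is the one to pull the device off the network and inspect.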