Cado Security Labs’ researchers have recently discovered a new iteration of the P2PInfect botnet that raises the threat level by targeting Internet of Things (IoT) devices. This variant, built for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, expands the malware’s reach and poses a risk of widespread infections.
The deliberate focus on MIPS by P2PInfect developers indicates a concerted effort to compromise routers and various IoT devices, according to insights from security researcher Matt Muir. Initially disclosed in July 2023, the Rust-based P2PInfect gained notoriety for exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to infiltrate unpatched Redis instances.
The latest samples of the malware are engineered to run SSH brute-force attacks against devices with 32-bit MIPS processors, using updated evasion and anti-analysis techniques to stay undetected. The brute-force attempts against SSH servers use common username and password pairs embedded in the ELF binary. The malware’s evasion tactics include terminating itself when it detects analysis and attempting to disable Linux core dumps.
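The embedded-credential SSH brute forcing described above leaves a recognisable trace in sshd logs: a burst of failed logins for many different usernames from one source, sometimes followed by a success. The detector below is an added example, not code from Cado’s report or from P2PInfect; the log lines are constructed samples and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not taken from the article).
SAMPLE_AUTH_LOG = """\
Dec  4 10:00:01 gw sshd[811]: Failed password for root from 198.51.100.7 port 40122 ssh2
Dec  4 10:00:02 gw sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Dec  4 10:00:03 gw sshd[813]: Failed password for invalid user pi from 198.51.100.7 port 40124 ssh2
Dec  4 10:00:04 gw sshd[814]: Failed password for root from 198.51.100.7 port 40125 ssh2
Dec  4 10:00:05 gw sshd[815]: Failed password for invalid user ubnt from 198.51.100.7 port 40126 ssh2
Dec  4 10:00:06 gw sshd[816]: Accepted password for root from 198.51.100.7 port 40127 ssh2
Dec  4 10:07:30 gw sshd[820]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Dec  4 10:07:45 gw sshd[821]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2023):
    """Return (timestamp, result, user, ip) or None; syslog lines carry no year, so it is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a window_s sliding window.
    Reports the distinct usernames tried and whether a login succeeded after the burst."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            window = [e for e in fails[i:] if (e[0] - fails[i][0]).total_seconds() <= window_s]
            if len(window) >= threshold:
                last_fail = window[-1][0]
                success = any(e[1] == "Accepted" and e[0] > last_fail for e in evs)
                hits[ip] = {"failures": len(window),
                            "users": sorted({e[2] for e in window}),
                            "success_after": success}
                break
    return hits
```

A `success_after` of `True` is the case worth escalating: a credential-spraying burst that ended in an accepted password means the embedded wordlist contained a working pair for that device.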
Significantly, the MIPS variant incorporates a 64-bit Windows DLL module for Redis, enabling the execution of shell commands on compromised systems. Cado Security underscores the importance of these developments, indicating the involvement of a sophisticated threat actor due to the widening scope of P2PInfect and its advanced evasion techniques, coupled with the use of Rust for cross-platform development.