Cybersecurity researchers at Cado Security Labs have revealed a sophisticated new variant of the P2Pinfect botnet that targets devices using the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture.
This updated version signifies expanded targeting by those behind P2Pinfect, potentially including routers and other embedded devices, Internet of Things (IoT) products, and networking equipment.
Threat Research Lead at Cado Security, Matt Muir, commented on the development, saying, "The new sample includes updated evasion mechanisms, making it more difficult for researchers to dynamically analyse." These mechanisms encompass Virtual Machine (VM) detection methods and anti-forensics procedures on Linux hosts.
P2Pinfect, a cross-platform botnet first reported by Cado Security Labs in July 2023, enables its agents to connect infected hosts in a peer-to-peer system, exploiting Redis servers for initial access. As Muir explained, "There are a number of methods for exploiting Redis servers, several of which appear to be utilised by P2Pinfect."
The new variant specifically targets embedded devices powered by 32-bit MIPS processors, seeking to force open SSH access to the device. Regarded as a major cause for concern, this development is indicative of the P2Pinfect developers' intention to infiltrate routers and IoT devices.
Alongside the theoretical increase in nodes for the botnet, the MIPS32 variant also exhibits refined defence evasion techniques. Muir added, "This, combined with the malware's utilisation of Rust (aiding cross-platform development) and the rapid growth of the botnet itself, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor."
The new variant was discovered when Cado Security Lab researchers triaged files uploaded via SFTP and SCP to an SSH honeypot. They also identified embedded username/password pairs used for brute force attacks.
Interestingly, while they initially believed SSH would be the main method of propagation, further research revealed the possibility of running the Redis server on MIPS.
In addition to previous features, the MIPS variant has incorporated a new evasion technique. Shortly after execution, the botnet creates a child process that seeks to identify whether it is under scrutiny by dynamic analysis tools. If the process is being traced, the botnet will terminate the child process and its parent.
The botnet has also made mitigation efforts against forensic analysis by attempting to disable Linux core dumps. These are methods that typically contain internal information about the malware itself.
The MIPS variant also includes an embedded 64-bit Windows DLL, which acts as a malicious loadable module for Redis, thereby allowing the running of shell commands on a compromised host.
While the Cado Security Labs team has yet to fully understand the potential impact of this evolved botnet, its continued development and complex methods signify the work of an astutely advanced threat actor. Their researchers will continue to closely observe the growth and potential effects of this burgeoning botnet.