New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices

Cybersecurity researchers have recently identified a novel iteration of the emerging P2PInfect botnet, specifically designed to target routers and IoT devices. The updated version, as reported by Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, expanding its capabilities and potential impact.

According to security researcher Matt Muir, the decision to target MIPS suggests an intention to infect routers and IoT devices with the malware. P2PInfect, originally a Rust-based malware, came to light in July 2023, initially exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) in unpatched Redis instances for initial access. Subsequent analyses in September highlighted increased P2PInfect activity coinciding with the release of iterative malware variants.

The newly discovered artifacts not only attempt SSH brute-force attacks on devices featuring 32-bit MIPS processors but also incorporate enhanced evasion and anti-analysis techniques to avoid detection. During the scanning phase, brute-force attempts against SSH servers utilize common username and password pairs found within the ELF binary.

It is suspected that both SSH and Redis servers serve as propagation vectors for the MIPS variant, given the possibility of running a Redis server on MIPS using the OpenWrt package known as redis-server.

The malware employs notable evasion tactics, such as self-termination when under analysis and an effort to disable Linux core dumps generated by the kernel after unexpected process crashes. The MIPS variant also includes an embedded 64-bit Windows DLL module for Redis, facilitating the execution of shell commands on compromised systems.

Cado Security emphasizes that this development signifies an expansion in the scope of the P2PInfect developers, with support for additional processor architectures potentially leading to a larger botnet. The incorporation of Rust for cross-platform development, coupled with the botnet’s rapid growth, reinforces suspicions that the campaign is orchestrated by a sophisticated threat actor.
