P2PInfect: an extremely dangerous worm has started up in cloud environments

ExcalibuR

The P2PInfect botnet, first discovered by Unit 42 specialists in July 2023, has significantly increased its activity since the end of August and is still running on the network today.

In just the week from September 12 to September 19, 2023, botnet activity increased 600-fold, as reported by researchers from Cado Security, with most of the breaches affecting systems in China, the United States, Germany, Singapore, Hong Kong, the United Kingdom and Japan.

The malware, which spreads peer-to-peer, compromises Internet-facing Redis instances on Windows and Linux systems by exploiting a remote code execution vulnerability.

According to Cado, the rise in P2PInfect activity coincides with the malware becoming more adaptable and stable, which has widened its distribution.

The latest samples contain a number of additions and improvements, including a cron-based persistence mechanism, overwriting the authorized SSH keys on the compromised endpoint with the attacker's own key, and changing the passwords of other users on the system when the malware has root access.
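The three persistence behaviours described above (added cron entries, replaced authorized SSH keys, changed user passwords) all leave traces in a handful of host files, so a defender can catch them by diffing those files against a known-good baseline. The script below is an added example written for this post; it is not code from the post, from Cado Security or from Unit 42. It assumes the contents of `authorized_keys`, the crontab and `/etc/shadow` are passed in as strings (here constructed sample data, so it runs offline) and that a baseline snapshot was captured while the host was still trusted.

```python
"""Added example: baseline diff for the persistence traces the post describes.
Not the post's or the researchers' code; all inputs below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


# Matches the key type and base64 blob of an OpenSSH public key, with or
# without a leading options field (e.g. "command=...").
KEY_RE = re.compile(r"\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def parse_authorized_keys(text):
    """Return the set of (key_type, key_blob) pairs in an authorized_keys file."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            keys.add((m.group(1), m.group(2)))
    return keys


def check_authorized_keys(current_text, baseline_text):
    """Flag keys added to, or removed from, the baseline key set."""
    current = parse_authorized_keys(current_text)
    baseline = parse_authorized_keys(baseline_text)
    findings = [Finding("ssh_key_added", f"{t} {b[:12]}...") for t, b in sorted(current - baseline)]
    findings += [Finding("ssh_key_removed", f"{t} {b[:12]}...") for t, b in sorted(baseline - current)]
    return findings


def parse_crontab(text):
    """Return the set of non-comment, non-empty crontab lines."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")}


def check_cron(current_text, baseline_text):
    """Flag crontab entries that were not present in the baseline."""
    new = parse_crontab(current_text) - parse_crontab(baseline_text)
    return [Finding("cron_entry_added", entry) for entry in sorted(new)]


def parse_shadow(text):
    """Map user -> password hash field from /etc/shadow-style lines."""
    hashes = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            hashes[parts[0]] = parts[1]
    return hashes


def check_shadow(current_text, baseline_text):
    """Flag new accounts and accounts whose password hash changed."""
    current, baseline = parse_shadow(current_text), parse_shadow(baseline_text)
    findings = []
    for user, h in current.items():
        if user not in baseline:
            findings.append(Finding("user_added", user))
        elif h != baseline[user]:
            findings.append(Finding("password_hash_changed", user))
    return findings


def audit_host(snapshot, baseline):
    """snapshot and baseline are dicts with keys authorized_keys, crontab, shadow."""
    findings = check_authorized_keys(snapshot["authorized_keys"], baseline["authorized_keys"])
    findings += check_cron(snapshot["crontab"], baseline["crontab"])
    findings += check_shadow(snapshot["shadow"], baseline["shadow"])
    return findings


# Constructed sample data: a trusted baseline and a later snapshot showing
# the three changes the post attributes to newer samples.
BASELINE = {
    "authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyGoodKeyGoodKeyGoodKey admin@host\n",
    "crontab": "# m h dom mon dow command\n0 3 * * * /usr/local/bin/backup.sh\n",
    "shadow": "root:$6$rootsalt$rootHashBaseline:19600:0:99999:7:::\n"
              "app:$6$appsalt$appHashBaseline:19600:0:99999:7:::\n",
}
COMPROMISED = {
    "authorized_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey unknown\n",
    "crontab": "# m h dom mon dow command\n0 3 * * * /usr/local/bin/backup.sh\n"
               "* * * * * /tmp/.hidden/constructed_payload\n",
    "shadow": "root:$6$rootsalt$rootHashBaseline:19600:0:99999:7:::\n"
              "app:$6$appsalt$appHashCHANGED:19700:0:99999:7:::\n",
}


def demo():
    return audit_host(COMPROMISED, BASELINE)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.category}] {f.detail}")
```

On a real host the three inputs would be read from each user's `~/.ssh/authorized_keys`, from `crontab -l` output and the system cron directories, and from `/etc/shadow` (root required), with the baseline stored off-host so a compromised machine cannot rewrite it.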

Although the recently discovered P2PInfect variants attempted to install a miner, no actual crypto-mining activity was observed; taken together, this may indicate that the operators are still experimenting with the final stage of the attack.

Given the botnet's current size, active distribution, self-updating features, and rapid expansion over the past month, P2PInfect is a significant threat to consider.