Saturday, July 13, 2024

P2Pinfect Redis Server with New Ransomware Payload

Cybersecurity researchers have identified a new ransomware payload associated with the P2Pinfect malware, primarily targeting Redis servers.

This sophisticated malware, previously known for its peer-to-peer (P2P) botnet capabilities, has now evolved to include ransomware and crypto-mining functionalities.

This article delves into the intricacies of P2Pinfect, its methods of spreading, and the implications of its new payloads.

Redis Exploitation and Initial Access

P2Pinfect exploits the replication features in Redis, a popular in-memory data structure store used as a database, cache, and message broker.

According to the Cado Security reports, Redis operates in a distributed cluster with a leader/follower topology, which attackers exploit to gain code execution on follower nodes.

The malware uses the SLAVEOF command to turn Redis nodes into followers of an attacker-controlled server, allowing the attacker to execute arbitrary commands.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Main Payload and Spread Mechanism

Once P2Pinfect gains access to a Redis server, it drops a shared object (.so) file and instructs the server to load it.

This enables the attacker to send commands to the infected server.

The malware also spreads using a basic SSH password sprayer, although this method is less effective than Redis exploitation.

P2Pinfect’s botnet is a notable feature. It forms a massive mesh network in which each infected machine acts as a node.

This network allows the malware author to push updates across the botnet efficiently.

New Ransomware Payload

The latest update to P2Pinfect introduces a ransomware payload named rsagen.

Upon joining the botnet, infected machines receive a command to download and execute rsagen, which encrypts files and appends the .encrypted extension.

The ransomware targets many file extensions, making it highly disruptive.

The ransom note, titled “Your data has been locked!.txt,” instructs victims to contact the attackers via email to receive a decryption token.

The ransomware encrypts files using a public key and stores the corresponding private key, which the attackers can decrypt upon payment.

P2Pinfect now includes a user-mode rootkit that modifies .bashrc files in user home directories to preload a shared object file (

This rootkit hijacks legitimate system calls to hide the presence of the malware.

However, its effectiveness is limited if the initial access is through Redis, as the user typically has restricted permissions.

The decompiled pseudocode for the hijacked readdir function
The decompiled pseudocode for the hijacked readdir function

Crypto Miner Payload

In addition to ransomware, P2Pinfect deploys a crypto miner targeting Monero (XMR).

The miner is activated after a delay and uses a preconfigured wallet and pool.

Despite the botnet’s size, the mining activity appears minimal, suggesting that multiple wallet addresses are used to obfuscate earnings.

There is speculation that P2Pinfect might be a botnet for hire, given the separate wallet addresses for the miner and ransomware.

This theory is supported by the malware’s ability to deploy arbitrary payloads on command, indicating potential use by other attackers for a fee.

P2Pinfect continues to evolve, demonstrating the malware author’s ongoing efforts to profit from illicit access.

The introduction of ransomware and crypto-mining payloads highlights the increasing sophistication of this malware.

While the ransomware’s impact may be limited due to Redis’s nature, the overall threat posed by P2Pinfect remains significant.

Cybersecurity professionals must remain vigilant and implement robust security measures to protect against such advanced threats.

The continued evolution of P2Pinfect serves as a stark reminder of the ever-changing landscape of cyber threats. 

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles