P2PInfect Worm

Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation.

"P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This worm is also written in Rust, a highly scalable and cloud-friendly programming language."

It's estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023.


A notable characteristic of the worm is its ability to infects vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been previously exploited to deliver multiple malware families such as Muhstik, Redigo, and HeadCrab over the past year.

Unit 42 told The Hacker News that it found no evidence to connect P2PInfect to Redigo and HeadCrab campaigns, citing differences in the programming language used (Rust vs. Golang) and the exploitation method itself.

P2PInfect Worm

Redigo and HeadCrab "are associated with the Redis 'Primary/Secondary' module synchronization attack," William Gamazo, principal security researcher at Palo Alto Networks, said. "This technique is used when a compromised Redis instance is moved from a Primary instance to a Secondary instance allowing the attacker to control the compromised instance. We do not believe this attack technique is associated correctly with CVE-2022-0543."

"The P2PInfect attack is associated directly to the LUA Sandbox escape as discussed within CVE-2022-0543, where the attacker leverages the LUA library to inject an RCE script to be run on the compromised host. This is more closely related to the Muhstik exploit. However, Muhstik and P2PInfect are also not believed to be connected."

The initial access afforded by a successful exploitation is then leveraged to deliver a dropper payload that establishes peer-to-peer (P2P) communication to a larger P2P network and fetch additional malicious binaries, including scanning software for propagating the malware to other exposed Redis and SSH hosts.

"The infected instance then joins the P2P network to provide access to the other payloads to future compromised Redis instances," the researchers said.


The malware also utilizes a PowerShell script to establish and maintain communication between the compromised host and the P2P network, offering threat actors persistent access. What's more, the Windows flavor of P2PInfect incorporates a Monitor component to self-update and launch the new version.

"As the world's most popular in-memory database, it's no surprise that Redis installations are frequently the target of threat actors, and we are glad to see cybersecurity researchers actively working to find these bad actors. We've previously seen other malware created to take advantage of CVE-2022-0543, a vulnerability created by how certain versions of Debian Linux package the Lua engine for open source Redis." a spokesperson for Redis told The Hacker News.

"Redis Enterprise software bundles a hardened version of the Lua module which is not susceptible to this vulnerability. As such, customers running Redis Enterprise licensed software are not at risk from CVE-2022-0543 and P2PInfect. Users of open source Redis are encouraged to use official distributions available directly from redis.io"

It's not immediately known what the end goal of the campaign is, with Unit 42 noting that there is no definitive evidence of cryptojacking despite the presence of the word "miner" in the toolkit's source code.

That having said, the malware is believed to have been purpose-built to compromise as many Redis vulnerable instances as possible across different platforms, likely in preparation for a "more capable attack" that weaponizes this robust P2P command-and-control (C2) network.

The activity has not been attributed to any known threat actor groups notorious for striking cloud environments like Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Money Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Thief Libra (aka WatchDog).

The development comes as misconfigured and vulnerable cloud assets are being discovered within minutes by bad actors constantly scanning the internet to mount sophisticated attacks.

"The P2PInfect worm appears to be well designed with several modern development choices," the researchers said. "The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.