Malware Infecting MIPS Devices

P2Pinfect, a sophisticated cross-platform malware, is now targeting MIPS devices with its Redis-specific attacks, according to Cado Security Labs.

The MIPS sample carries an embedded 64-bit Windows DLL and uses evasion techniques such as an anti-VM function. The sample also appears to prevent core dumps from being created, possibly to protect the availability of the MIPS device itself: low-powered embedded devices rarely have much local storage, and core dumps could quickly fill what little they have and degrade the device's performance. Whatever the motive, the side effect is that a crashing sample leaves no memory image behind for an analyst.

The MIPS variant of P2Pinfect includes an embedded 64-bit Windows DLL. This DLL acts as a malicious loadable module for Redis, registering a system.exec command that lets the operator run shell commands on a compromised host.

This is consistent with previous P2Pinfect samples, and shows that the intention is to use MIPS devices for the Redis-specific initial access attack patterns described in Cado's report.
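As an added example (not Cado's code, and not taken from the P2Pinfect sample), the following Python script shows what that module abuse looks like on the wire and how to flag it. It parses RESP, the Redis client protocol, from a constructed capture and alerts on MODULE LOAD (the only way a loadable module enters the Redis process) and on calls to a module-registered system.exec command. The module path, the shell command and the session itself are constructed placeholders, not indicators from the malware.

```python
"""Flag Redis loadable-module abuse in captured client-to-server traffic.

Added example, not Cado Security's code. Parses RESP2 command arrays and
reports MODULE LOAD plus calls to a module-provided system.exec command.
All traffic below is constructed for the example.
"""
from __future__ import annotations

# (command, subcommand) pairs worth alerting on. MODULE LOAD brings
# attacker-controlled native code into the Redis process; system.exec is
# the command such a module registers to run shell commands.
SUSPICIOUS = {
    ("module", "load"),
    ("module", "loadex"),   # Redis 7 variant that also passes config/args
    ("system", "exec"),
}


def parse_resp(data: bytes) -> list[list[str]]:
    """Parse a stream of RESP2 arrays of bulk strings into argument lists.

    Only the array-of-bulk-strings form that clients use for commands is
    handled; anything else raises ValueError so malformed input is not
    silently skipped.
    """
    cmds = []
    pos = 0
    while pos < len(data):
        if data[pos:pos + 1] != b"*":
            raise ValueError(f"expected array at offset {pos}")
        end = data.index(b"\r\n", pos)
        count = int(data[pos + 1:end])
        pos = end + 2
        args = []
        for _ in range(count):
            if data[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = data.index(b"\r\n", pos)
            length = int(data[pos + 1:end])
            pos = end + 2
            args.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length + 2  # skip payload and its trailing CRLF
        cmds.append(args)
    return cmds


def classify(cmd: list[str]) -> str | None:
    """Return a short alert string if a parsed command is suspicious."""
    if not cmd:
        return None
    name = cmd[0].lower()
    # MODULE LOAD <path> [args...]: the loader path for native modules.
    if name == "module" and len(cmd) >= 3 and (name, cmd[1].lower()) in SUSPICIOUS:
        return f"module {cmd[1].lower()} {cmd[2]}"
    # Module-registered commands are namespaced as <module>.<command>.
    mod, dot, sub = name.partition(".")
    if dot and (mod, sub) in SUSPICIOUS:
        return f"{name} {' '.join(cmd[1:])}".rstrip()
    return None


def scan(data: bytes) -> list[str]:
    """Parse a capture and return one alert per suspicious command, in order."""
    return [hit for hit in (classify(c) for c in parse_resp(data)) if hit]


def encode(*args: str) -> bytes:
    """Encode a command as a RESP2 array of bulk strings (used to build the sample)."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        raw = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


# Constructed session: benign commands around a module load and a shell
# command. The .so path and the "id" command are placeholders.
SAMPLE = b"".join([
    encode("PING"),
    encode("SET", "k", "v"),
    encode("MODULE", "LOAD", "/tmp/module.so"),
    encode("system.exec", "id"),
    encode("GET", "k"),
])

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ALERT:", alert)
```

Run it over the client-to-server payload of a capture, or reuse the same patterns over Redis logs, where a successful load is recorded as `Module '<name>' loaded from <path>`. On the server side, `rename-command MODULE ""` in redis.conf (or an ACL rule denying the MODULE command on Redis 6 and later) removes this loader path entirely on instances that do not need modules.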

Interestingly, this embedded DLL also includes a virtual machine evasion function, demonstrating the lengths the P2Pinfect developers have gone to in order to hinder analysis. In the DLL's main function, a call can be observed to a function helpfully labelled anti_vm by IDA's Lumina feature.

P2Pinfect’s continued evolution and broadened targeting are clearly the work of a determined and sophisticated threat actor, said the team at Cado. The cross-platform targeting and utilization of a variety of evasion techniques demonstrate an above-average level of sophistication when it comes to malware development. Clearly, this is a botnet that will continue to grow until it’s properly utilized by its operators.

Cado Security Labs researchers will continue to monitor and report on the growth of this emerging botnet.

Cado Security is the provider of the first cloud forensics and incident response platform.
