A new variant of the P2Pinfect malware has been observed targeting embedded IoT devices built on 32-bit MIPS processors; the variant attempts to brute-force Secure Shell (SSH) access to those devices.
Written in Rust, P2Pinfect acts as a botnet agent, connecting infected hosts in a peer-to-peer topology. In the early samples SC Media reported on September 20, the malware exploited Redis servers for initial access, a relatively common technique in cloud environments.
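As an added example (not code from this article, from Cado Security, or from the P2Pinfect research), the host-side check a defender would want for the SSH brute-forcing described above: it parses sshd log lines in standard syslog format, flags a source that exceeds a threshold of failed logins inside a sliding window, and separately flags a successful login that follows such a burst. The log lines are constructed, and the year, the 60-second window and the threshold of five failures are assumptions to tune per environment.

```python
"""Flag SSH brute-force activity in sshd log lines (added example, not the article's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not taken from the article).
SAMPLE_LOG = """\
Dec  4 10:00:01 router sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  4 10:00:03 router sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Dec  4 10:00:05 router sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51138 ssh2
Dec  4 10:00:08 router sshd[1207]: Failed password for invalid user pi from 203.0.113.7 port 51142 ssh2
Dec  4 10:00:10 router sshd[1209]: Failed password for root from 203.0.113.7 port 51150 ssh2
Dec  4 10:00:12 router sshd[1211]: Accepted password for root from 203.0.113.7 port 51158 ssh2
Dec  4 10:05:00 router sshd[1300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Dec  4 10:05:30 router sshd[1302]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" lines.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed tuning knobs: adjust to the environment.
WINDOW = timedelta(seconds=60)   # sliding window over which failures are counted
THRESHOLD = 5                    # failures inside the window that constitute a burst
LOG_YEAR = 2023                  # syslog timestamps carry no year; assumed here


def parse_line(line, year=LOG_YEAR):
    """Return a dict for a recognised sshd auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Collapse the double space in "Dec  4" before parsing the timestamp.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for sources that burst past the failure threshold, and for
    successful logins from a source that did so within the window."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> usernames tried
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        while q and ts - q[0] > window:   # drop failures that have aged out
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ts)
            users[src].add(ev["user"])
            if len(q) == threshold:       # fire once when the burst threshold is crossed
                alerts.append({"kind": "bruteforce", "src": src, "failures": len(q),
                               "users": sorted(users[src]), "at": ts})
        elif len(q) >= threshold:         # success right after a burst: likely guessed credential
            alerts.append({"kind": "bruteforce_success", "src": src, "user": ev["user"],
                           "method": ev["method"], "failures": len(q), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The success-after-burst alert is the one worth paging on: a burst alone may be background scanning, while a password login from the same source minutes later is the signal that a guessable credential exists on the device. Note that OpenWrt ships Dropbear rather than OpenSSH by default, so on the routers this variant is aimed at the log format, and therefore the regular expression above, would differ.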
In explaining the attack, Cado Security Labs said in a Monday blog post that it is highly likely the P2Pinfect developers intend to infect routers and IoT devices by targeting MIPS. The researchers noted that MIPS processors are commonly used in embedded IoT devices and that the architecture has previously been targeted by botnet malware, including high-profile families such as Mirai and its variants.
Matt Muir, threat intelligence lead at Cado Security, said his team believes the targeting of MIPS suggests that the threat actors behind P2Pinfect have begun to move beyond just attacking generic servers. Muir pointed out that the team found it is possible to run the Redis server on MIPS devices via a project provided by OpenWrt, an open-source router firmware project.
“OpenWrt also supports MIPS processors, so in light of this, we believe that compromised MIPS devices are being used to propagate the malware to a wider range of targets, resulting in a more powerful botnet overall,” said Muir. “It’s also worth noting that previous high-profile botnet families – Mirai and its derivatives – have targeted MIPS devices with great success.”
Anurag Gurtu, CPO at StrikeReady, added that the recent discovery of a new P2Pinfect variant targeting MIPS devices – especially IoT devices – indicates a strategic shift by the malware developers. Gurtu agreed with Muir that they are now exploiting vulnerabilities in IoT devices likely because of the widespread use of MIPS processors in these devices.
“This move demonstrates the developers’ intention to expand their botnet by infecting a broader range of devices,” said Gurtu. “The sophistication of the malware, evidenced by advanced evasion techniques like VM and debugger detection, anti-forensics on Linux hosts, and the use of Rust for cross-platform development, suggests that the actors behind P2Pinfect are highly skilled and intent on creating a robust, hard-to-detect botnet. This expansion in targeting and enhanced evasion tactics points to a strategic effort to increase the botnet’s resilience and impact while complicating analysis and mitigation efforts by security researchers.”
Emily Phelps, Director at Cyware, said the shift in focus from Redis servers to embedded IoT devices suggests a strategic evolution. Phelps said many attackers are increasingly exploiting the vast, often under-secured network of IoT devices, partly because of the widespread use of IoT devices in critical infrastructure and everyday applications, which presents a lucrative target for malicious activity.
“The updated evasion mechanisms in the new P2Pinfect variant indicate a more calculated approach, possibly aimed at establishing sustained control over infected devices or creating a resilient botnet,” said Phelps. “These tactics could also suggest that the attackers are anticipating and countering cybersecurity methods, showcasing a high level of awareness and adaptability.”
Andrew Barratt, vice president at Coalfire, said that if the P2Pinfect malware can land on a number of common IoT devices, it is very possible that it can create its own mesh among those devices, making it incredibly hard to remove completely, and giving it multiple options for persistence and command and control on devices that XDR technology typically does not reach.
“It’s also possible that these capabilities are part of a showcasing of capability, making the malware more saleable to threat actors targeting different industry segments,” noted Barratt.