
P2Pinfect expands to 32-bit MIPS processors in escalating threat


The cross-platform P2Pinfect malware now specifically targets embedded devices built on 32-bit MIPS (Microprocessor without Interlocked Pipeline Stages) processors, putting routers, IoT and other embedded devices at risk.

Since July 2023, cybersecurity researchers at Cado Security Labs have been monitoring the cross-platform botnet. The malware, crafted in the Rust programming language, operates as a botnet agent, connecting infected hosts through a peer-to-peer topology.

The researchers cautioned that “this botnet will continue to grow until its operators properly utilise it.”

Initially exploiting Redis for access, the malware has evolved its tactics, incorporating techniques such as exploiting CVE-2022-0543, a sandbox escape vulnerability in the Lua scripting language.

This new embedded device-targeting variant of P2Pinfect employs brute-force attacks against SSH, which the researchers describe as a strategic shift in the botnet’s targets.

Targeting MIPS processors is reminiscent of previous botnet attacks, notably the infamous Mirai family. The MIPS variant retains the defence evasion techniques of earlier variants and introduces new ones.

Reading of /proc/pid/status file. | Source: Cado Security Lab

Security analysts discovered this variant while investigating files uploaded to an SSH honeypot. Previous variants attempted SSH propagation but had not successfully implemented it until now. P2Pinfect uses common username/password pairs for its SSH brute-force attacks, expanding its propagation method.

Static analysis of the MIPS variant revealed a 32-bit ELF binary with its debugging symbols stripped. Moreover, the variant contained an additional embedded ELF along with a Windows DLL in PE32 format.

This structure, combined with the use of Rust, allowed researchers to link the variant to the P2Pinfect family conclusively. The variant introduces new evasion techniques, such as consulting the TracerPID field in the /proc/<pid>/status file to detect dynamic analysis tools.
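The TracerPID check described above, as an added example that is not from this article or from Cado Security's report: a small parser for /proc/<pid>/status that reports whether a ptrace tracer is attached to a process, which is the same field an analyst can inspect to confirm what a sandbox or debugger exposes to a sample. The sample status text and the function names are constructed for illustration.

```python
"""Parse a Linux /proc/<pid>/status file and report its TracerPid field.

Added example, not code from the P2Pinfect sample or from Cado Security.
The kernel sets TracerPid to the PID of the process attached via ptrace
(a debugger, strace, a sandbox) and to 0 otherwise. Note the kernel spells
the field "TracerPid"; the article writes it as TracerPID.
"""
import os
from typing import Dict, Optional

# Constructed excerpt of a status file for a process under a tracer (PID 4321).
SAMPLE_STATUS_TRACED = """\
Name:\tredis-server
State:\tt (tracing stop)
Tgid:\t1234
Pid:\t1234
PPid:\t1
TracerPid:\t4321
Uid:\t1000\t1000\t1000\t1000
"""


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'Key:<tab>value' lines into a dict; values keep tab-separated fields."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def tracer_pid(text: str) -> Optional[int]:
    """Return the TracerPid value, or None if the field is missing or malformed."""
    value = parse_status(text).get("TracerPid")
    return int(value) if value is not None and value.isdigit() else None


def is_traced(text: str) -> bool:
    """True when a tracer is attached (TracerPid is non-zero)."""
    return (tracer_pid(text) or 0) != 0


def check_process(pid: int) -> Optional[bool]:
    """Read a live process's status file; None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status", encoding="utf-8") as f:
            return is_traced(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(is_traced(SAMPLE_STATUS_TRACED))  # True
    print(check_process(os.getpid()))       # False unless run under a tracer
```

Running the script under strace or gdb on a Linux host flips the second line to True, which is exactly the signal the malware's check keys on.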

Furthermore, the malware also attempts to disable Linux core dumps so that no information about itself is left behind for analysts.

“While much of the functionality of the MIPS variant is consistent with the previous variants of this malware, the developer’s efforts in making both the host and embedded executables as evasive as possible show a continued commitment to complicating the analysis procedure,” said the researchers.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
