P2Pinfect Evolves to Deploy Ransomware
P2Pinfect, a Rust-based malware that Cado Security has covered extensively in the past, is a reasonably sophisticated sample that uses a peer-to-peer (P2P) botnet as its command and control mechanism. Upon initial discovery it appeared mostly dormant.
It spread primarily via Redis, with a more limited SSH spreader, but had no objective beyond spreading. Recently, Cado Security has observed a new update to P2Pinfect that introduces a ransomware and crypto miner payload.
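Because the post identifies Redis as the primary spreading vector, the practical defensive question is whether a Redis instance is reachable and unauthenticated. The following is an added example, not code from the original post or from Cado Security: a small audit of a redis.conf that flags the exposure settings an Internet-facing instance should not have. The two configuration texts are constructed for the example, and the passphrase value is a placeholder.

```python
"""
Added example (not from the original post or from Cado Security):
audit a redis.conf for settings that leave the instance open to
unauthenticated remote access. Sample configs below are constructed.
"""
from typing import Dict, List

# Constructed weak config: all interfaces, no auth, protected mode off.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed hardened config: loopback only, auth required,
# and the commands most often abused for persistence renamed away.
# The requirepass value is a placeholder, not a real secret.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass ExamplePassphrase-ChangeMe
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'directive value...' lines; repeated directives accumulate."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(" ".join(parts[1:]))
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure issue found."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # An unset bind listens on every interface, as do the wildcard forms.
    binds = conf.get("bind", [])
    wildcard = ("0.0.0.0", "*", "::")
    if not binds or any(a in wildcard for b in binds for a in b.split()):
        findings.append("bind: listens on all interfaces (or unset); "
                        "restrict to loopback or an internal address")

    # protected-mode defaults to yes; the last occurrence wins.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled; unauthenticated remote "
                        "access is allowed")

    if "requirepass" not in conf:
        findings.append("requirepass: not set; no authentication required")

    # rename-command <CMD> "" disables a command entirely.
    renamed = {v.split()[0].upper()
               for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still exposed; "
                            "disable or rename it")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for f in audit_redis_conf(conf) or ["no findings"]:
            print("  -", f)
```

On Redis 6 and later, ACL users are the preferred way to restrict dangerous commands; the rename-command check above still applies to older deployments and to configs that have not yet moved to ACLs.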
P2Pinfect is still a highly ubiquitous malware that has spread to many servers. Its latest updates to the crypto miner, ransomware payload, and rootkit elements demonstrate the malware author’s continued efforts to profit off their illicit access and spread the network further as it continues to worm across the internet.
The choice of a ransomware payload for malware that primarily targets a server storing ephemeral in-memory data is an odd one. P2Pinfect will likely see far more profit from its miner than from its ransomware, because its permission level limits it to a small number of low-value files.
Cado Security determined that the command to start the ransomware was issued on May 16, 2024, and that it will remain active until December 17, 2024.
You can read the details here.
This entry was posted on June 25, 2024 at 9:00 am and is filed under Commentary with tags Cado Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.