P2Pinfect

Malware

⚠️ Overview

P2Pinfect is a peer-to-peer (P2P) botnet and worm first identified in July 2022 by Cado Security, written in the Rust programming language for cross-platform compatibility. It is attributed to an unknown threat actor, likely operating as malware-as-a-service, and primarily targets cloud and on-premises infrastructure running Redis and SSH services. The malware belongs to the botnet category but also functions as a cryptocurrency miner dropper and potential ransomware deployment platform.

🔧 Technical Capabilities

P2Pinfect propagates by scanning for exposed Redis instances (default port 6379) and exploiting the CVE-2022-0543 Lua sandbox escape vulnerability to execute arbitrary commands. For SSH propagation, it brute-forces credentials or uses stolen keys, then downloads a Rust binary that implements a P2P command-and-control (C2) protocol over libp2p, eliminating reliance on a central server. Persistence is achieved via cron jobs and systemd services on Linux, and scheduled tasks on Windows. Evasion techniques include dynamic symbol resolution, anti-debugging checks, and encryption of network traffic using the Noise Protocol Framework. The botnet supports modular payload delivery, with known modules for cryptocurrency mining (XMRig) and potential ransomware deployment.

📜 History & Notable Incidents

First observed in July 2022 (Cado Security, 2022‑07‑08), P2Pinfect saw a major campaign in early 2023 targeting cloud environments in Asia and North America, with infection rates peaking at over 1,000 new bots per day according to Unit42 (Palo Alto Networks). No high‑profile victim names have been publicly disclosed, but the malware has been linked to cryptomining pools and initial ransomware staging. Law enforcement has not announced any actions specifically against P2Pinfect operators as of September 2024.

🔍 Detection Indicators

Known file hashes from Cado Security reports include SHA-256 a1b2c3d4e5f6... (placeholder; the actual hashes vary by sample and are listed in the original reports). Behavioral signatures include outbound connections on random high ports (P2P traffic) and anomalous Redis EVAL commands. Network IOCs include peer IDs in the libp2p format 12D3KooW... and User-Agent strings such as libp2p/0.42. Persistence artifacts include cron entries referencing /tmp/.p2p and, for the Windows variant, registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
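The indicators above are easy to turn into a first-pass triage script. The following is an added example (not code from Cado Security, Unit 42 or any other source the page cites) that scans a mixed bag of log lines for the page's behavioral and network IOCs: Redis EVAL calls that reach for Lua tables the sandbox is supposed to hide, libp2p peer IDs with the 12D3KooW prefix, the libp2p/0.42 User-Agent, and cron entries under /tmp/.p2p. The log lines are constructed; the base58 character class for peer IDs and the specific Lua table names in the EVAL pattern are assumptions chosen for detection, not indicators taken from the page.

```python
"""Triage log lines against the P2Pinfect indicators described on the page.

Added example; all sample lines below are constructed and the regexes are
heuristics, so tune them against real MONITOR / cron / proxy logs before use.
"""
import re
from collections import Counter

# indicator name -> compiled pattern
INDICATORS = {
    # EVAL scripts that touch Lua loader/OS tables; a benign app script rarely
    # needs these, so flag them for review (table names are an assumption).
    "redis_eval_sandbox": re.compile(
        r'\bEVAL\b.*?\b(?:package|loadstring|io\.popen|os\.execute)\b', re.I),
    # libp2p Ed25519-style peer IDs: "12D3KooW" followed by base58 text
    # (character class assumed, not given on the page)
    "libp2p_peer_id": re.compile(r'\b12D3KooW[1-9A-HJ-NP-Za-km-z]{30,}\b'),
    # User-Agent string named on the page
    "libp2p_user_agent": re.compile(r'User-Agent:\s*libp2p/0\.42', re.I),
    # persistence path named on the page
    "cron_tmp_p2p": re.compile(r'/tmp/\.p2p\b'),
}

# Constructed sample input: a Redis MONITOR line, a crontab line, an HTTP
# proxy line, a peer-list line, and two benign lines that must not match.
SAMPLE_LOGS = [
    '1710000000.123 [0 10.0.0.5:51234] "EVAL" "local x = package.loadlib(...)" "0"',
    '1710000000.456 [0 10.0.0.7:51240] "GET" "session:42"',
    '* * * * * /tmp/.p2p/update.sh >/dev/null 2>&1',
    'GET / HTTP/1.1 User-Agent: libp2p/0.42 Host: 203.0.113.9',
    'peer connected: 12D3KooWQYhTNQdmr3ArTeUHRYzFg94BKyTkoWBDWez9kSCVe2Xo',
    'cron: (root) CMD (/usr/bin/apt update)',
]


def scan_lines(lines):
    """Return a list of (line_no, indicator_name, line) for every match."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((n, name, line))
    return hits


def summarize(hits):
    """Count hits per indicator so an analyst sees which IOC families fired."""
    return Counter(name for _, name, _ in hits)


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS)
    for line_no, name, line in found:
        print(f"line {line_no}: {name}: {line}")
    print(dict(summarize(found)))
```

Point the script at real Redis MONITOR output, crontabs and proxy logs by replacing SAMPLE_LOGS with the file contents; the EVAL heuristic is the one most worth tuning, since legitimate applications that use Lua scripting will trigger it only if their scripts reference the loader tables.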

☠️ Risk & Impact

Infected systems are used for unauthorized cryptocurrency mining, which can degrade performance and increase electricity costs significantly. The modular architecture also enables future ransomware deployment, data exfiltration, or use as a proxy in DDoS attacks. Affected sectors include technology, finance, and academia running unpatched Redis or weak‑credential SSH services.

🛡️ Mitigation

Apply the Redis patch for CVE-2022-0543 (upgrade to Redis 7.0.2 or later), disable Lua scripting if not needed, and enforce strong SSH key‑based authentication with fail2ban. Network detection rules (e.g., Snort/Suricata signatures for P2P entropy and Redis exploit patterns) and endpoint monitoring for
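A quick way to check whether a Redis host follows the advice above is to audit its configuration and reported version. The following is an added example, not a tool from any vendor the page cites: it parses the body of a redis.conf and the output of the `INFO server` command (both constructed here), flags a version below the page's 7.0.2 threshold, and reports whether EVAL/EVALSHA are still exposed (via the standard `rename-command` directive, used here to implement "disable Lua scripting if not needed"), whether protected-mode is off, whether the service is bound to all interfaces, and whether no password is set. The weak and hardened inputs are shown side by side; the password value is a placeholder.

```python
"""Audit a Redis config and version against the page's mitigation checklist.

Added example with constructed inputs. MIN_VERSION is the page's threshold;
rename-command is the classic way to disable a command (Redis 7 ACLs with
-@scripting are an alternative not checked here).
"""
import re

MIN_VERSION = (7, 0, 2)
ALL_INTERFACE_TOKENS = {"0.0.0.0", "*", "::", "-::*"}


def parse_conf(text):
    """Map each redis.conf directive (lowercased) to the list of its values."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def parse_version(info_text):
    """Extract (major, minor, patch) from INFO server output, or None."""
    m = re.search(r'^redis_version:(\d+)\.(\d+)\.(\d+)', info_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(conf_text, info_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    conf = parse_conf(conf_text)
    findings = []
    ver = parse_version(info_text)
    if ver is None or ver < MIN_VERSION:
        findings.append(f"redis version {ver} is below {MIN_VERSION}; apply the CVE-2022-0543 fix")
    # rename-command EVAL "" removes the command; any rename of EVAL/EVALSHA counts
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("EVAL", "EVALSHA"):
        if cmd not in renamed:
            findings.append(f'{cmd} still exposed; add rename-command {cmd} "" if Lua is unused')
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off")
    bind_tokens = {tok for b in conf.get("bind", []) for tok in b.split()}
    if not bind_tokens or bind_tokens & ALL_INTERFACE_TOKENS:
        findings.append("bind exposes Redis on all interfaces")
    if not conf.get("requirepass"):
        findings.append("no requirepass set")
    return findings


# Constructed weak deployment: old version, open to the network, Lua exposed.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
WEAK_INFO = "# Server\r\nredis_version:6.2.5\r\nredis_mode:standalone\r\n"

# Constructed hardened deployment following the page's mitigation section.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE_WITH_STRONG_SECRET   # placeholder value
rename-command EVAL ""
rename-command EVALSHA ""
"""
HARDENED_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"


if __name__ == "__main__":
    for label, conf, info in (("weak", WEAK_CONF, WEAK_INFO),
                              ("hardened", HARDENED_CONF, HARDENED_INFO)):
        print(f"[{label}] {audit(conf, info) or 'no findings'}")
```

On a live host, feed `audit()` the contents of the running config file and the text returned by `redis-cli INFO server`; the version check alone is not sufficient on distributions that backport the CVE-2022-0543 fix into an older package, so treat the EVAL exposure and network-binding findings as the ones that matter most.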
