The previously dormant peer-to-peer botnet P2PInfect has resurfaced, deploying a new ransomware module and a cryptominer against Redis servers.
According to reports, the campaign started last month: P2PInfect-infected devices received a command to download and run a ransomware payload called rsagen from a particular URL. The command was valid until December 17, 2024.
The ransomware module also checks the compromised device for an existing ransom note named “Your data has been locked!.txt” so that already-infected systems are not encrypted a second time.
Additionally, the ransomware targets files with extensions associated with documents (DOC, XLS), databases (SQL, SQLITE3, DB), and media files (MP3, WAV, MKV), and appends the ‘.encrypted’ extension to the files it encrypts.
The ransomware scans all directories, encrypts matching files, and saves a database of the encrypted files in a temporary file with the ‘.lockedfiles’ extension.
However, the ransomware module’s capabilities are limited by its privilege level: it runs as the compromised Redis user and can only reach the files that user can access. Since Redis is typically deployed as an in-memory store, the encryption is in practice limited to configuration files.
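The on-disk indicators described above (the ransom note name, the ‘.encrypted’ suffix, the ‘.lockedfiles’ temporary database, and the targeted extension set) are enough to triage a Redis host. The following is an added example, not code from the original report or from the botnet: a small Python scanner that walks a directory tree, collects those indicators, and lists not-yet-encrypted files of the targeted types that are exposed to the scanning user. The sample tree it builds (`build_sample_tree`, `demo`) is constructed for illustration; run it against the Redis user’s home, data and config directories in practice.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Indicators taken from the report; the extension list is the one cited there.
RANSOM_NOTE = "Your data has been locked!.txt"
ENCRYPTED_SUFFIX = ".encrypted"
LOCKDB_SUFFIX = ".lockedfiles"
TARGET_EXTS = {".doc", ".xls", ".sql", ".sqlite3", ".db", ".mp3", ".wav", ".mkv"}


@dataclass
class ScanResult:
    ransom_notes: list = field(default_factory=list)
    encrypted_files: list = field(default_factory=list)
    lock_databases: list = field(default_factory=list)
    # Files of a targeted type that are reachable but not (yet) encrypted.
    exposed_targets: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        """True if any artefact of a completed or in-progress run is present."""
        return bool(self.ransom_notes or self.encrypted_files or self.lock_databases)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and classify every file against the known indicators."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                result.encrypted_files.append(path)
            elif name.endswith(LOCKDB_SUFFIX):
                result.lock_databases.append(path)
            elif os.path.splitext(name)[1].lower() in TARGET_EXTS:
                result.exposed_targets.append(path)
    return result


def build_sample_tree(root: str) -> None:
    """Constructed sample layout (hypothetical paths, not from the report)."""
    layout = {
        "conf/redis.conf": "port 6379\n",                # not a targeted type
        "data/report.doc.encrypted": "<ciphertext>",     # already encrypted
        "data/backup.sql": "CREATE TABLE t (id INT);",   # exposed, not yet touched
        f"data/{RANSOM_NOTE}": "Your data has been locked!",
        "tmp/run.lockedfiles": "data/report.doc\n",      # temp encrypted-file database
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def demo() -> ScanResult:
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="p2pinfect-triage-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    res = demo()
    print("suspicious:", res.is_suspicious())
    for label, paths in (("ransom notes", res.ransom_notes),
                         ("encrypted files", res.encrypted_files),
                         ("lock databases", res.lock_databases),
                         ("exposed targets", res.exposed_targets)):
        print(f"{label}: {len(paths)}")
        for p in paths:
            print("  ", p)
```

Because the module can only touch what the Redis user can read and write, the `exposed_targets` list doubles as a least-privilege check: anything it reports that the Redis service does not need is a candidate for tighter file permissions.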
Aside from the ransomware module, a dormant cryptominer has also been reactivated.
The XMR (Monero) miner, which was present but inactive in earlier iterations, is now enabled: it is copied to a temporary directory and launched five minutes after the main payload starts.
The wallet and mining pool pre-configured in the samples have generated 71 XMR, or around $10,000, so far, although the researchers believe the operators use additional wallet addresses.
A distinctive feature of the new P2PInfect is that the miner is configured to use all available processing power, which frequently interferes with the ransomware module’s operation.
There is also a new user-mode rootkit that lets P2PInfect bots hide their malicious processes and files from security tools by hijacking several processes.
Though the rootkit can in theory hide file operations, data access events, and network connections, Redis’s in-memory deployment model once again limits its usefulness.
Researchers have yet to determine whether P2PInfect is rented out to multiple cybercriminals or operated by a core team, as the available evidence is insufficient. One thing is certain, however: P2PInfect is no longer an experiment but a real threat to Redis servers.