P2PInfect Worm Grows Teeth With Miner, Ransomware & Rootkit

For a while, the botnet spread but did essentially nothing. All the malicious payloads came well after.

A previously harmless Linux botnet has been updated to include a suite of malicious and exploitative components.
The unimaginatively named P2PInfect is a worm that leverages the Redis in-memory database application to spread across networks in a peer-to-peer, worm-like manner, creating a botnet along the way. By the time it was
first discovered about a year ago
, it had yet to cause anyone any real damage — a fact which it used to stealthy effect, by creating very little ruckus in newly infected networks.
This is not the case anymore. According to Cado Security,
an update has been propagated
across P2PInfect infections globally which includes a brand new rootkit, cryptominer, and even ransomware.
Last year we were sitting there, scratching our heads, going: Why?, Al Carchrie, R&D lead solutions engineer at Cado Security, recalls about seeing the innocuous botnet for the first time. It wasnt until the last couple of weeks that we saw there had been changes — it seems to have grown arms and legs.
On first impression, researchers observed a few things about P2PInfect that they could explain, and a few they couldnt.
First, the known: P2PInfect
targeted misconfigured Redis-integrated servers
accessible from the Internet. With such an inroad into a network, the malware took advantage of Redis leader-follower topology, in which a designated leader node handles the primary copy of some data, and spreads exact copies to a network of follower nodes. The program used this mechanism to spread itself between Redis nodes across networks.
This seemed to be a good way to establish command-and-control (C2) and potentially spread second-stage malware. At the time, though, this quasi botnet wasnt being used for much at all.
Researchers did note, though, that the word miner popped up in P2PInfects code — a potential indication of what was to come, perhaps, but nothing more.
Our best estimate was that they were trying to do an initial spread as a botnet, probably to get a significant mass, so that when their plan came into action, it would then be more effective because theyll have a significant number of hosts, Carchrie says.
That prediction has now come to fruition.
P2PInfect has been updated with a usermode rootkit, and its miner binary has been activated. In the time since, the malware has leveraged its victims to mine around 71 Monero coins, equivalent to around £10,000.
Interesting, too, is a new ransomware component targeting a variety of file types including .xls, .py, .sql, and more. Though scary in theory, this aspect of P2PInfect seems to have been thought through the least.
For one thing, the ransomware looks for specific file extensions, but Linux does not necessarily require that files have extensions to begin with.
More to the point: Redis doesnt save any data to disk by default—its whole value proposition surrounds storage in-memory. It
can
be configured to save data to files, but the extension for these files—.rdb—is not among those sought by the ransomware. With that in mind, Cado wrote, its unclear what the ransomware is actually designed to ransom.
From Carchries vantage point, P2PInfect infections appear to be most concentrated in East Asia.
Redis is commonly used in businesses across the globe, though. Its open source version has
more than four billion Docker pulls
, and nearly 10,000 organizations use its Enterprise product, including British Airways and MGM Resorts.
So, he warns, organizations have to watch that their servers are properly protected from outside threats — only exposed to trusted users, behind firewalls, properly configured, etc.
And while its not so easy to spot totally dormant malware, now that P2PInfect is revved up, it should be leaving behind plenty of easily detectable artifacts. The cryptomining is going to drain as much CPU as possible, and the ransomware will go after files on disks, so disk utilization then starts to spike as well. Youll be looking for indications of those, he says.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
P2PInfect Worm Grows Teeth With Miner, Ransomware & Rootkit