‘Worm-like’ botnet malware targeting popular Redis storage tool

An unknown group of hackers is using a novel strain of malware to attack publicly accessible deployments of Redis — a popular data storage tool used by major companies like Amazon, Hulu and Tinder.

Researchers from Cado Security Labs explained that what stood out most was the fact that the malware appears to be a worm — a subset of malware that can propagate or self-replicate from one computer to another without human activation after breaching a system.

The researchers said they recently encountered the malware, which they labeled “P2Pinfect,” and were alarmed at its ability to self-propagate and spread itself to other vulnerable Redis deployments. The report does not name specific victims of the malware, and Cado Security said it is unclear what the botnet's purpose is.

The hacking campaign was initially analyzed by Palo Alto’s Unit 42 in a report on July 19, which found the malware exploiting CVE-2022-0543 to take over Redis applications and add them to a botnet — a group of computers that have been infected in a way that allows a hacker to control them all.

That vulnerability was used to take over devices and add them to the Muhstik botnet in 2022, but it appears P2PInfect is part of a different malicious network and is not related to Muhstik, Unit 42 said.

The report from Cado Security mirrors much of what was found by Unit 42, including that the malware is written in the Rust programming language and tries to infect other hosts once it connects one to the botnet.

But Cado Security found two key differences. One was the method of entry: The malware sample found by the researchers did not use CVE-2022-0543 as the initial access vector. And another difference was that P2Pinfect targeted both Windows and Linux Redis instances.

Both security companies said the use of the Rust programming language made it easier for the malware to be used on both Windows and Linux platforms while also making it difficult for researchers to analyze the code.

“It's not clear who is behind this or their ultimate goal. A file named 'miner' is being pulled by compromised systems however it doesn't perform crypto mining tasks,” a Cado Security spokesperson told Recorded Future News. “This could be a placeholder for a crypto miner ready for when the threat actor wants to distribute it.”

Unit 42 similarly found the word “miner” throughout P2PInfect’s malicious toolkit but also did not see “any definitive evidence that cryptomining operations ever occurred.”

307,000 unique Redis systems

Cado Security researchers saw multiple Redis exploits used to gain initial access. The experts warned that the malware conducts internet scans for vulnerable Redis servers and self replicates in a “worm-like” manner.

“The malware compromises exposed instances of the Redis data store by exploiting the replication feature. Replication allows instances of Redis to be run in a distributed manner, in what’s referred to as a leader/follower topology,” the researchers said in a report.

“This allows follower nodes to act as exact replicas of the leader, providing high availability and failover for the data store. A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication.”

Cado has seen this initial access method used since 2018 in other attacks involving cloud malware campaigns — including H2miner and Headcrab.

Unit 42 said it identified more than 307,000 unique Redis systems communicating publicly over the last two weeks, “of which 934 may be vulnerable to this P2P worm variant.” Most are not vulnerable but Unit 42 said it was likely the worm would still attempt to compromise them.

Unit 42 said the malware was found in multiple geographic regions and the number of infected hosts is growing. The researchers said they did not have an estimate of how large the botnet had become.

The malware, according to Cado Security, allows the hackers to prevent other threat actors from compromising the Redis server while also allowing it to continue operating legitimately so the owners do not suspect something is wrong.

Once the malware is used, the infected server becomes a node in a peer-to-peer botnet.

“This allows the entire botnet to gossip with each other without using a centralised C2 server. It is assumed that commands are issued by propagating signed messages across the network,” the researchers said.

The malware will try to infect more hosts by gathering a list of users, IP addresses and access keys for the SSH network communication protocol.

“Once access is gained to a host, it infects it in the same way the initial compromised server was, by dropping a copy of itself (fetched from the built in HTTP server) and executing it with a nodelist as an argument,” they said.