Linux Botnet P2PInfect Evolves with Malicious Upgrades, Poses New Threats

ICARO Media Group
News
25/06/2024 22h32

In a concerning development, the once-harmless Linux botnet known as "P2PInfect" has undergone significant updates that include a range of malicious components. This botnet, which initially flew under the radar, has recently been found to possess a rootkit, cryptominer, and even ransomware, leaving organizations vulnerable to potential cyberattacks.

Cado Security, a cybersecurity firm, recently reported that a global update has been propagated across P2PInfect infections, equipping the botnet with dangerous new capabilities. The botnet, named for its use of the Redis in-memory database application to spread through networks in a worm-like manner, has transformed into a far more dangerous entity.

While P2PInfect was initially observed over a year ago, it had been largely inactive, causing little real damage. However, the latest update indicates a significant shift in its purpose and potential impact. Al Carchrie, R&D lead solutions engineer at Cado Security, expressed surprise at the botnet's transformation, stating, "It wasn't until the last couple of weeks that we saw there had been changes - it seems to have grown arms and legs."

Researchers discovered that P2PInfect targeted misconfigured Redis servers accessible from the Internet. By abusing Redis' leader-follower (replication) topology, the malware spread itself between nodes across networks, giving it a foothold for potential command-and-control (C2) operations and future malware distribution. At the time, the botnet appeared to be laying the groundwork, seemingly planning for a more widespread and effective attack.

The recent updates to P2PInfect have introduced a usermode rootkit, activated its "miner" binary, and added a new ransomware component. Utilizing its victims' computing power, the botnet has managed to mine approximately 71 Monero coins (equivalent to around £10,000). The presence of the ransomware component, which targets various file types such as .xls, .py, and .sql, raises concern. However, given that Redis does not save data to disk by default, it is unclear what the ransomware is intended to target.

Carchrie revealed that P2PInfect infections appear to be most concentrated in East Asia, urging organizations to better protect their servers from external threats. It is crucial to ensure servers are only exposed to trusted users, behind firewalls, and properly configured. Fortunately, with the recent malicious upgrades, traces of P2PInfect's activity should become more apparent, especially as high CPU usage from cryptomining and increased disk utilization from the ransomware become evident.
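The two preceding paragraphs describe the exposure P2PInfect relies on (an Internet-reachable, misconfigured Redis node whose replication can be pointed at an attacker) and the configuration advice given in response. The following audit script is an added example, not code from the article or from Cado Security; it parses a redis.conf and flags the settings that leave a node open to that kind of abuse. The directive names (bind, protected-mode, requirepass, rename-command) are real Redis configuration keys; both sample configurations are constructed for the example.

```python
"""Audit a redis.conf for the exposure settings that make a Redis node
reachable and replicable from the Internet. Added example; the two sample
configurations below are constructed, not taken from any real deployment."""

# Constructed sample: the kind of configuration that exposes Redis to the
# Internet with no authentication and with replication commands enabled.
WEAK_CONF = """\
# constructed sample
bind 0.0.0.0
protected-mode no
port 6379
# requirepass left unset
"""

# Constructed sample: loopback-only, protected mode on, a password set, and
# the commands used to reconfigure a node or make it a replica disabled.
HARDENED_CONF = """\
# constructed sample
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG ""
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command DEBUG ""
"""

# Commands that let a connected client reconfigure the node or attach it as a
# replica of another host; checked in fixed order so findings are stable.
SENSITIVE_COMMANDS = ("CONFIG", "REPLICAOF", "SLAVEOF", "DEBUG")


def parse_conf(text):
    """Parse redis.conf text into {directive: [argument lists, in order]}.

    Comments ('#' to end of line) and blank lines are skipped. Repeated
    directives such as several rename-command lines are all kept. Values
    containing a literal '#' are not supported by this simple parser.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def disabled_commands(directives):
    """Return the set of command names renamed to the empty string."""
    disabled = set()
    for args in directives.get("rename-command", []):
        if len(args) == 2 and args[1].strip('"') == "":
            disabled.add(args[0].upper())
    return disabled


def audit_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    d = parse_conf(text)
    findings = []

    # bind: absent, 0.0.0.0, * or :: all mean "listen on every interface"
    bind = d.get("bind", [[]])[0]
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind: Redis listens on all interfaces")

    # protected-mode defaults to yes; only an explicit 'no' is a finding
    if d.get("protected-mode", [["yes"]])[0][:1] == ["no"]:
        findings.append("protected-mode: disabled")

    # requirepass: without it any client that can reach the port is trusted
    if not d.get("requirepass"):
        findings.append("requirepass: no authentication configured")

    # replication / reconfiguration commands still available to clients
    off = disabled_commands(d)
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in off:
            findings.append(f"rename-command: {cmd} still enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_conf(conf) or ['no findings']}")
```

Disabling commands through rename-command is the classic hardening step; on Redis 6 and later, per-user ACLs are the preferred way to restrict who may run CONFIG or REPLICAOF, and the bind and requirepass checks above apply regardless of version.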

As P2PInfect continues to evolve with more destructive features, it is essential for organizations to remain vigilant, strengthening their defenses against potential cyber threats. Proactive security measures, continuous monitoring, and regular updates are fundamental in mitigating the risk posed by these evolving botnets.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
