SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.p2pinfect (Back to overview)

P2Pinfect

P2Pinfect is a fast-growing multi platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux based routers and IoT devices. It is capable of brute forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system.

References
2024-01-16NOZOMI Network LabsNozomi Networks Labs
P2PInfect Worm Evolves to Target a New Platform
P2Pinfect
2023-12-04Cado SecurityMatt Muir
P2Pinfect - New Variant Targets MIPS Devices
P2Pinfect
2023-09-20Cado SecurityMatt Muir
Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic
P2Pinfect
2023-07-31Cado SecurityMatt Muir, Nate Bill
Cado Security Labs Encounter Novel Malware, Redis P2Pinfect
P2Pinfect
2023-07-19Palo Alto Networks Unit 42Nathaniel Quist, Nelson William Gamazo Sanchez, Unit 42
P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm
P2Pinfect
Yara Rules
[TLP:WHITE] elf_p2pinfect_w0 (20231213 | Detects P2Pinfect worm on Linux)
rule elf_p2pinfect_w0 { 
    meta: 
        description = "Detects P2Pinfect worm on Linux" 
        author = "nbill@cadosecurity.com" 
        license = "Apache License 2.0" 
        date = "2023-07-28" 
        hash1 = "87a3fc1088449dbd3554fe029a1878a525e64ab4ccf71b23edb03619ba94403a" 
        hash2 = "ce047893ac5bd2100db3448bd62c324e471ffcddd48433788bfe885e5f071a89" 
        hash3 = "b1fab9d92a29ca7e8c0b0c4c45f759adf69b7387da9aebb1d1e90ea9ab7de76c" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect"
        malpedia_rule_date = "20231213"
        malpedia_hash = ""
        malpedia_version = "20231213"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $magic = { 7f 45 4c 46 } 
        $a1 = "p2pinfect" 
        $a2 = "p2pmod" 
        $b1 = { 48 8D 35 C2 13 22 00 6A 19 5A 4C 89 FF E8 A3 EF 17 00 48 8D 35 C9 13 22 00 6A 1E 5A 4C 89 FF E8 91 EF 17 00 48 8D 35 D5 13 22 00 6A 0E 5A 4C 89 FF E8 7F EF 17 00 48 8D 35 D1 13 22 00 6A 0F 5A 4C 89 FF E8 6D EF 17 00 48 8D 35 81 A5 21 00 4C 89 FF 4C 89 F2 E8 5B EF 17 00 } 
        $b2 = { 48 83 E4 80 48 81 EC 80 0F 00 00 48 C7 04 24 00 00 00 00 48 81 EC 00 05 00 00 49 89 D0 49 89 F5 48 89 BC 24 88 00 00 00 0F B6 86 20 08 00 00 48 8D 0D A3 4D 18 00 48 63 04 81 48 01 C8 6A 01 5E 6A 02 41 5F 4C 89 6C 24 48 48 89 94 24 90 00 00 00 FF E0 } 
        $b3 = { 4C 89 F7 49 89 D8 E8 10 BB 00 00 49 83 66 68 00 49 C7 46 70 0A 00 00 00 66 41 C7 46 78 01 00 6A 10 59 48 8D 84 24 50 04 00 00 48 89 C7 4C 89 F6 F3 48 A5 48 89 C7 E8 FA 76 01 00 } 
        $b4 = { 48 8B 3D 0F 3F 06 00 48 8B 35 10 3F 06 00 E8 20 8E 04 00 49 8B 46 10 48 89 05 08 3F 06 00 41 0F 10 06 0F 11 05 ED 3E 06 00 48 8D 35 A4 D0 FF FF 6A 0F 5F FF 15 25 3D 06 00 48 83 F8 FF 75 06 } 
        $b5 = { 49 29 F7 4C 89 F7 4C 89 FA FF 15 DB 92 21 00 48 8B 84 24 40 02 00 00 4C 01 E0 48 8B 8C 24 98 02 00 00 48 89 01 48 8B 84 24 80 00 00 00 48 89 28 48 8B BC 24 68 01 00 00 48 8D 77 10 48 8B 84 24 48 02 00 00 48 F7 D0 48 8B 94 24 50 02 00 00 48 01 C2 48 C1 E2 04 FF 15 FE 92 21 00 4C 8B A4 24 10 01 00 00 49 83 FC 01 4C 8B 3C 24 48 8B B4 24 38 01 00 00 0F 86 C0 02 00 00 } 
    condition: 
        $magic at 0 and (all of ($a*) or any of ($b*)) 
}
Download all Yara Rules