However, the MIPS variant has a number of common username and password combinations hardcoded into its binary and uses them to brute-force servers identified during scanning. Although Redis is rarely deployed on embedded devices, the package is available in OpenWRT, a popular open-source firmware for routers, so the worm's Redis-specific attack vectors might also work on such devices.
The MIPS binary also embeds a Windows DLL that can be loaded by Redis as a malicious module. The module implements a function called system.exec, which lets attackers run shell commands on the compromised host.
“This is consistent with the previous examples of P2Pinfect, and demonstrates that the intention is to utilise MIPS devices for the Redis-specific initial access attack patterns,” the Cado researchers said.
The worm has some improved detection evasion capabilities
The MIPS variant also uses some new techniques intended to hinder analysis in honeypots and other malware analysis virtual machines. First, when executed, the binary makes a system call to disable core dumps in Linux.
A core dump is a snapshot of a process's memory that the kernel writes to disk when the process crashes. Core dumps help in post-compromise forensics because they preserve whatever the process held in memory at the time. P2Pinfect uses a custom peer-to-peer communications protocol dubbed BotnetConf, so a core dump could reveal the IP addresses of connected peers.
“It’s also possible that the sample prevents core dumps from being created to protect the availability of the MIPS device itself,” the researchers said. “Low-powered embedded devices are unlikely to have lots of local storage available to them and core dumps could quickly fill what little storage they do have, affecting performance of the device itself.”
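To make the technique concrete, the following is an added example (not P2Pinfect's code, and the article does not say which system call the sample uses) showing the two standard ways a Linux process disables core dumps for itself, plus read-back functions an analyst can use to confirm the state. Both mechanisms are shown as assumptions about what such a sample might do.

```c
/* Added example: how a Linux process turns off core dumps for itself, and how
 * to check the resulting state. This is illustrative code, not the malware's.
 * Which of the two mechanisms P2Pinfect uses is not stated in the article. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Disable core dumps for the calling process. Returns 0 on success, -1 on error.
 * 1. PR_SET_DUMPABLE = 0 marks the process non-dumpable: the kernel skips the
 *    core file and also refuses ptrace attach from unprivileged users.
 * 2. RLIMIT_CORE = 0 caps the core file size at zero bytes, which suppresses
 *    the dump even if the dumpable flag is later changed. Setting the hard
 *    limit too means the process cannot raise it again. */
int disable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };

    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return 0;
}

/* Read back the dumpable flag: 0 = not dumpable, 1 = dumpable, 2 = suidsafe.
 * Returns -1 on error. */
int get_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Returns 1 if the soft RLIMIT_CORE is zero (no core file can be written),
 * 0 if a core file may still be produced, -1 on error. */
int core_limit_is_zero(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0 ? 1 : 0;
}

int main(void)
{
    printf("before: dumpable=%d core_limit_zero=%d\n",
           get_dumpable(), core_limit_is_zero());

    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }

    printf("after:  dumpable=%d core_limit_zero=%d\n",
           get_dumpable(), core_limit_is_zero());
    return 0;
}
```

Both settings are per-process and do not touch the system-wide kernel.core_pattern, so they leave no trace in host configuration. For an analyst the practical consequence is that a crash will not produce a core file and an unprivileged debugger cannot attach, but a root user (or one holding CAP_SYS_PTRACE) can still attach with ptrace or read /proc/PID/mem to capture the process memory, which is the fallback when investigating a sample that behaves this way.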