One Article Review

Source: RiskIQ
Identifier: 8526719
Publication date: 2024-06-27 17:17:13 (viewed: 2024-06-27 18:07:57)
Title: P2Pinfect Malware Evolves, Adds Ransomware and Cryptomining Capabilities
Text:

## Snapshot

Cado Security researchers report new versions of the Rust-based malware P2Pinfect.

## Description

The malware initially spread via Redis and a limited SSH spreader, with no clear objective other than spreading. P2Pinfect gains initial access by exploiting the replication features in Redis, turning discovered open Redis nodes into follower nodes of the attacker's server. It also abuses Redis config commands to write a cron job to the cron directory. The main payload of P2Pinfect is a worm that scans the internet for more servers to infect and features a basic SSH password sprayer. The botnet, a notable feature of P2Pinfect, acts as a peer-to-peer network for pushing out updated binaries.

The main binary of P2Pinfect has undergone a rewrite: it is now entirely written using tokio, an async framework for Rust, and packed with UPX. Additionally, the malware now drops a secondary binary at /tmp/bash for health checking. The miner payload embedded in P2Pinfect becomes active after approximately five minutes, and the ransomware payload, called rsagen, is downloaded and executed upon joining the botnet. The ransomware encrypts files and appends .encrypted to the end of the file name, with a ransom note titled "Your data has been locked!.txt". The attacker has made around 71 XMR, equivalent to roughly £9,660, but the mining pool only shows 1 worker active at 22 KH/s, suggesting another wallet address may be in use. The command to start the ransomware was issued directly by the malware operator, and the download server may be an attacker-controlled server used to host additional payloads. P2Pinfect also includes a usermode rootkit that hides specific information and bypasses checks when a specific environment variable is set.

There is speculation that P2Pinfect may be a botnet for hire, as evidenced by the delivery of the ransomware payload from a fixed URL and the separation of the miner and ransomware wallet addresses. However, the distribution of rsagen could also be evidence of initial access brokerage. Overall, P2Pinfect continues to evolve with updated payloads and defensive features, demonstrating the malware author's ongoing efforts to profit from illicit access and further spread the network. The ransomware's impact is limited because its initial access vector is Redis, which has restricted permissions and limited data storage capabilities.

## Recommendations

### Recommendations to protect against RaaS

Microsoft recommends the following mitigations to reduce the impact of RaaS threats.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?ocid=magicti_ta_learndoc) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc), so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn't detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
- Enable [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Microsoft Defender customers
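As an added illustration (not code from the report, from Cado Security or from Microsoft), the following Python detector parses Redis MONITOR-style command lines and flags the two initial-access behaviours described above: a node being turned into a follower of an unexpected master, and CONFIG commands that redirect the dump directory into a cron path before a SAVE. The sample lines, the TRUSTED_MASTERS allowlist and the CRON_DIRS list are constructed assumptions for this example.

```python
import re

# Constructed sample of Redis MONITOR output (illustrative, not from the report).
# Each line: <unix-ts> [<db> <client-ip:port>] "CMD" "arg" ...
SAMPLE_MONITOR = """\
1719500000.100000 [0 10.0.0.5:51234] "PING"
1719500001.200000 [0 10.0.0.5:51234] "SET" "session:42" "ok"
1719500010.300000 [0 198.51.100.7:40001] "REPLICAOF" "198.51.100.7" "6379"
1719500011.400000 [0 198.51.100.7:40001] "CONFIG" "SET" "dir" "/var/spool/cron"
1719500012.500000 [0 198.51.100.7:40001] "CONFIG" "SET" "dbfilename" "root"
1719500013.600000 [0 198.51.100.7:40001] "SAVE"
"""

# Hypothetical allowlist: the only masters this node is expected to replicate from.
TRUSTED_MASTERS = {"10.0.0.9"}
# Paths cron reads; an RDB dump saved there is the cron-job persistence the report describes.
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontab")

LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_line(line):
    """Return {'addr', 'cmd', 'args'} for one MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = ARG_RE.findall(m.group(4))
    return {"addr": m.group(3), "cmd": args[0].upper() if args else "", "args": args[1:]}

def detect(monitor_text):
    """Return (client, severity, reason) tuples for P2Pinfect-style Redis abuse."""
    alerts, redirected = [], set()   # redirected: clients that pointed 'dir' at a cron path
    for raw in monitor_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        who, cmd, args = ev["addr"], ev["cmd"], ev["args"]
        if cmd in ("REPLICAOF", "SLAVEOF") and args and args[0].upper() != "NO":
            if args[0] not in TRUSTED_MASTERS:   # node turned into follower of an unknown host
                alerts.append((who, "HIGH", f"replication enabled from untrusted master {args[0]}"))
        elif cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET":
            key, val = args[1].lower(), args[2]
            if key == "dir" and val.startswith(CRON_DIRS):
                redirected.add(who)
                alerts.append((who, "HIGH", f"dump directory redirected to {val}"))
            elif key == "dbfilename" and who in redirected:
                alerts.append((who, "HIGH", f"dump filename set to {val!r} under a cron directory"))
        elif cmd in ("SAVE", "BGSAVE") and who in redirected:
            alerts.append((who, "CRITICAL", "RDB dump written into cron directory (cron job persistence)"))
    return alerts
```

Running `detect(SAMPLE_MONITOR)` yields three HIGH alerts followed by one CRITICAL alert, all attributed to the untrusted client; the same logic can be fed from a live `redis-cli MONITOR` pipe or from archived command logs.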
Notes: ★★
Sent: Yes
Tags: Ransomware, Malware, Tool, Threat, Cloud


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.