From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer

June 27, 2024, 9:26 a.m.

Description

P2Pinfect is a sophisticated malware family that uses a peer-to-peer botnet for command and control. Although it initially appeared dormant, it has since evolved to deploy ransomware and cryptominer payloads. The malware spreads by exploiting Redis and, to a limited extent, SSH. A recent update introduced a new ransomware payload that encrypts files with specific extensions, while a cryptominer consumes the host's system resources. Additionally, a usermode rootkit component attempts to hide the malicious processes, although its effectiveness is limited by the permissions obtained at initial access.

Date

  • Created: June 27, 2024, 8:14 a.m.
  • Published: June 27, 2024, 8:14 a.m.
  • Modified: June 27, 2024, 9:26 a.m.

Indicators

  • 9b74bfec39e2fcd8dd6dda6c02e1f1f8e64c10da2e06b6e09ccbe6234a828acb
  • 8a29238ef597df9c34411e3524109546894b3cca67c2690f63c4fb53a433f4e3
  • 4f949750575d7970c20e009da115171d28f1c96b8b6a6e2623580fa8be1753d9
  • 2c8a37285804151fb727ee0ddc63e4aec54d9460b8b23505557467284f953e4b
  • 129.144.180.26
  • 88.198.117.174
  • 195.201.97.156
  • 159.69.83.232
  • http://88.198.117.174:19999
  • http://195.201.97.156:19999
  • http://159.69.83.232:19999
  • http://129.144.180.26:60107/dl/rsagen
  • http://129.144.180.26:60107
  • randbnothing@tutanota.com
  • besttrcovery@firemail.cc

Attack Patterns

  • rsagen
  • P2Pinfect