October 3, 2023

Researchers have discovered a peer-to-peer (P2P) worm, dubbed P2PInfect, that targets Redis, the open-source in-memory database, where it is deployed in cloud environments. The worm gains entry through the Lua sandbox escape tracked as CVE-2022-0543.

Of roughly 307,000 unique Redis systems observed communicating publicly, only 934 may be vulnerable to this worm. The worm does not check first, however: it attempts the compromise against every Redis instance it can reach, vulnerable or not.

P2PInfect exploits CVE-2022-0543, a critical (CVSS 10.0) vulnerability in the Debian and Ubuntu packaging of Redis that lets a Lua script escape the EVAL sandbox and achieve remote code execution. The flaw stems from those packaged builds exposing Lua's package library to scripts, something upstream Redis never does. The worm has also been observed infecting Redis servers on both Linux and Windows, making it “more scalable and potent than other worms.”
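The following is an added example, not code from the Unit 42 research or the Redis project: a non-destructive probe for the sandbox escape described above. It sends the one-line script `return type(package)` via EVAL and reads the answer. The verdict rests on one assumption, stated in the code: a vulnerable Debian/Ubuntu build exposes the Lua `package` global (so the script returns `table`), while upstream Redis and the fixed packages leave it nil. The script loads no libraries and executes no commands, but run it only against instances you own.

```python
"""Added example (not from the Unit 42 research or the Redis project):
a non-destructive probe for the CVE-2022-0543 Lua sandbox escape.

Assumption: vulnerable Debian/Ubuntu builds expose the Lua `package`
global to EVAL scripts, while upstream Redis and the fixed packages
leave it nil. The probe script only reports the global's type; it loads
no libraries and runs no commands. Use it against instances you own.
"""
import socket
from typing import Optional

PROBE_SCRIPT = "return type(package)"


def encode_resp(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(raw: bytes) -> Optional[str]:
    """Decode the reply kinds EVAL can return for the probe script.

    Returns the string payload, None for a nil bulk reply, and raises on a
    RESP error (e.g. EVAL renamed away, NOAUTH, or NOPERM under ACLs).
    """
    if raw.startswith(b"$-1\r\n"):
        return None
    if raw.startswith(b"$"):
        header, _, body = raw.partition(b"\r\n")
        length = int(header[1:])
        return body[:length].decode()
    if raw.startswith(b"+"):
        return raw[1:].split(b"\r\n", 1)[0].decode()
    if raw.startswith(b"-"):
        raise RuntimeError(raw[1:].split(b"\r\n", 1)[0].decode())
    raise ValueError(f"unexpected reply: {raw!r}")


def classify(lua_type: Optional[str]) -> str:
    """Map the Lua type of `package` to a verdict."""
    if lua_type == "table":
        return "VULNERABLE: Lua package library is exposed (CVE-2022-0543)"
    if lua_type in (None, "nil"):
        return "not vulnerable: package global is nil"
    return f"unknown: type(package) returned {lua_type!r}"


def probe(host: str, port: int = 6379, password: Optional[str] = None,
          timeout: float = 3.0) -> str:
    """Connect, authenticate if needed, and run the probe script."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            sock.sendall(encode_resp("AUTH", password))
            parse_reply(sock.recv(4096))  # raises on a wrong password
        sock.sendall(encode_resp("EVAL", PROBE_SCRIPT, "0"))
        return classify(parse_reply(sock.recv(4096)))


# Constructed replies, as a vulnerable and a patched server would answer.
CONSTRUCTED_REPLIES = {
    "vulnerable": b"$5\r\ntable\r\n",
    "patched": b"$3\r\nnil\r\n",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # usage: python probe.py <redis-host>
    else:
        for name, reply in CONSTRUCTED_REPLIES.items():
            print(f"{name}: {classify(parse_reply(reply))}")
```

If the server answers with an error instead (EVAL renamed, a NOAUTH or NOPERM reply), the probe raises rather than guessing: a hardened instance that refuses scripting cannot be exploited this way, but the version list later on this page remains the authoritative check.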


After exploiting CVE-2022-0543 for initial access, the worm drops a payload that joins the infected host to a P2P network. That network doubles as the botnet's command-and-control (C2) channel: over it, additional malicious binaries and scripts are pulled down to enumerate the host and spread further. The researchers believe this is only the first stage of a larger operation, since the string “miner” appears in the P2PInfect binaries.

The campaign has not been tied to any group known for targeting Redis or for worm-like operations, so it may be the work of an entirely new threat actor. The researchers also note that the malware is “well designed with several modern development choices,” including the use of the Rust programming language, which gives it “resilient capabilities and the flexibility to allow the worm to rapidly spread across multiple operating systems.”

Organizations should monitor all Redis deployments, both on-premises and in cloud environments, for randomly named files appearing in the /tmp directory. DevOps teams should also continually verify that their Redis instances are behaving as expected and that network access to them is limited to legitimate clients.
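As an added example of the /tmp check recommended above (my code, not a published P2PInfect detection rule), the scanner below flags executables in a temp directory whose names look machine-generated. The heuristics are assumptions to tune for your hosts: a regular file with an execute bit, no extension, and a name of at least eight characters that mixes letters and digits or is pure hex. The fixture directory it builds is constructed for the example.

```python
"""Added example (not from the Unit 42 research): flag randomly named
executables dropped in /tmp, the artefact the advice above says to watch for.

Assumed heuristics (not published P2PInfect rules): a dropped payload is a
regular file with an execute bit set, no extension, and a name of >= 8
characters that mixes letters and digits, or is pure hex.
"""
import os
import re
import stat
from pathlib import Path
from typing import List

RANDOM_NAME = re.compile(r"^(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")
HEX_NAME = re.compile(r"^[0-9a-fA-F]{8,}$")


def looks_random(name: str) -> bool:
    """True for extension-less names that mix letters and digits, or are pure hex."""
    if "." in name:
        return False
    return bool(RANDOM_NAME.match(name) or HEX_NAME.match(name))


def is_executable_file(path: Path) -> bool:
    """Regular file with any execute bit set; symlinks are not followed."""
    try:
        st = path.lstat()
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def scan_tmp(tmpdir: str = "/tmp") -> List[str]:
    """Return sorted paths of executables in tmpdir whose names look generated."""
    hits = []
    for entry in os.scandir(tmpdir):
        path = Path(entry.path)
        if is_executable_file(path) and looks_random(entry.name):
            hits.append(str(path))
    return sorted(hits)


def build_sample_dir(root: str) -> str:
    """Constructed fixture: a fake /tmp with benign and suspicious entries."""
    d = Path(root) / "fake_tmp"
    d.mkdir()
    (d / "a7Kx9qLm2Pz").write_bytes(b"\x7fELF")     # random name, executable
    os.chmod(d / "a7Kx9qLm2Pz", 0o755)
    (d / "session.log").write_text("ok")            # benign, not executable
    (d / "deadbeef12").write_bytes(b"#!/bin/sh\n")  # hex name, executable
    os.chmod(d / "deadbeef12", 0o700)
    (d / "build").write_bytes(b"\x7fELF")            # executable, but a plain word
    os.chmod(d / "build", 0o755)
    return str(d)


def demo() -> List[str]:
    """Scan the constructed fixture and return the flagged basenames."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        return [os.path.basename(p) for p in scan_tmp(build_sample_dir(root))]


if __name__ == "__main__":
    for name in demo():
        print("suspicious:", name)
    # On a real host: for p in scan_tmp("/tmp"): print(p)
```

Run it from cron or your EDR's script hook and alert on any hit; hashing a flagged file and comparing it with the indicators at the end of this page confirms a P2PInfect drop, while an unknown hash still deserves a look.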


To protect your Redis instances, update Redis to the latest version. If you run the Debian packages, the fix is included in the following versions, so the installed version must be at least:

  • redis/5:6.0.16-1+deb11u2 (bullseye)
  • redis/5:5.0.14-1+deb10u2 (buster)
  • redis/5:6.0.16-2 and redis/5:7.0~rc2-2 (unstable)

This research was documented by researchers from Palo Alto Unit 42.

Indicators of Compromise

SHA256 hashes:

  • 88601359222a47671ea6f010a670a35347214d8592bceaf9d2e8d1b303fe26d7
  • b1fab9d92a29ca7e8c0b0c4c45f759adf69b7387da9aebb1d1e90ea9ab7de76c
  • 68eaccf15a96fdc9a4961daffec5e42878b5924c3c72d6e7d7a9b143ba2bbfa9
  • 89be7d1d2526c22f127c9351c0b9eafccd811e617939e029b757db66dadc8f93

IP addresses:

  • 35.183.81[.]182
  • 66.154.127[.]38
  • 66.154.127[.]39
  • 8.218.44[.]75
  • 97.107.96[.]14

C2 requests (each payload is fetched together with a companion _sign file):

  • GET /linux
  • GET /linux_sign
  • GET /miner
  • GET /miner_sign
  • GET /winminer
  • GET /winminer_sign
  • GET /windows
  • GET /windows_sign
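As an added example of putting these indicators to work (my code, not part of the Unit 42 research), the script below runs egress web-proxy log lines against the IPs and request paths above. The log lines are constructed for the example and use an assumed layout (timestamp, client IP, method, URL, status). It also implements a heuristic that is my assumption rather than a published rule: a client fetching both /<name> and /<name>_sign from the same host matches the payload-plus-signature pattern of the requests above even when the host is not yet on the indicator list.

```python
"""Added example (not from the Unit 42 research): match egress proxy log
lines against the P2PInfect indicators listed on this page.

The log lines below are constructed for the example, in an assumed layout:
  <timestamp> <client_ip> <method> <url> <status>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Indicators from the page; IPs are given defanged and refanged here.
IOC_IPS_DEFANGED = [
    "35.183.81[.]182", "66.154.127[.]38", "66.154.127[.]39",
    "8.218.44[.]75", "97.107.96[.]14",
]
IOC_PATHS = {
    "/linux", "/linux_sign", "/miner", "/miner_sign",
    "/winminer", "/winminer_sign", "/windows", "/windows_sign",
}


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 8.218.44[.]75 back into an address."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    client: str
    reason: str
    url: str


def split_url(url: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (host, path) for an http(s) URL; path defaults to '/'."""
    m = re.match(r"^https?://([^/:]+)(?::\d+)?(/.*)?$", url)
    if not m:
        return None, None
    return m.group(1), (m.group(2) or "/")


def match_line(line: str) -> List[Alert]:
    """Alerts for a single log line: known C2 address and/or known payload path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    host, path = split_url(m.group("url"))
    alerts = []
    if host in IOC_IPS:
        alerts.append(Alert(m.group("client"), f"known P2PInfect C2 {host}", m.group("url")))
    if path in IOC_PATHS:
        alerts.append(Alert(m.group("client"), f"P2PInfect payload path {path}", m.group("url")))
    return alerts


def hunt(lines: List[str]) -> List[Alert]:
    """Run the indicator match over every line."""
    out: List[Alert] = []
    for line in lines:
        out.extend(match_line(line))
    return out


def signed_fetch_pairs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Heuristic (assumed): a client fetching /<name> and /<name>_sign from one host."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, path = split_url(m.group("url"))
        if host is None:
            continue
        seen.setdefault((m.group("client"), host), set()).add(path)
    pairs = []
    for (client, host), paths in seen.items():
        for p in sorted(paths):
            if p + "_sign" in paths:
                pairs.append((client, host, p))
    return pairs


# Constructed sample log; 203.0.113.9 is documentation space, not an indicator.
SAMPLE_LOG = [
    "2023-10-03T10:11:12Z 10.0.0.5 GET http://35.183.81.182/linux 200",
    "2023-10-03T10:11:13Z 10.0.0.5 GET http://35.183.81.182/linux_sign 200",
    "2023-10-03T10:12:00Z 10.0.0.9 GET http://example.com/index.html 200",
    "2023-10-03T10:13:00Z 10.0.0.7 GET http://203.0.113.9/agent 200",
    "2023-10-03T10:13:01Z 10.0.0.7 GET http://203.0.113.9/agent_sign 200",
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"ALERT {a.client}: {a.reason} ({a.url})")
    for client, host, p in signed_fetch_pairs(SAMPLE_LOG):
        print(f"HEURISTIC {client}: fetched {p} and {p}_sign from {host}")
```

In the sample, the exact-match rules fire only for the client talking to 35.183.81.182, while the pair heuristic also surfaces 10.0.0.7 pulling an unknown payload and its signature from an address that is not on the list; treat that second kind of hit as a lead for triage, not a confirmed infection.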
