The Muhstik Gang was the first threat group to take advantage of the Redis Lua sandbox escape and remote code execution vulnerability, also known as CVE-2022-0543, in March 2022.[1] Since then, many attackers[2] have exploited the bug to reach their intended targets.
P2PInfect, a self-replicating peer-to-peer (P2P) worm, is only the latest tool a threat group has used. Seven indicators of compromise (IoCs) were made public in July.[3]
To uncover as-yet-unidentified artifacts connected to the Redis attacks, WhoisXML API expanded the list of published IoCs with the help of exhaustive DNS intelligence.
Our DNS deep dive uncovered:
- Six domains containing the string worldive, similar to one of the domains identified as a P2PInfect IoC
- 10,000+ domains containing the string redis, 20 of which have been classified as malicious by a bulk malware check
- 10,000+ subdomains containing the string redis, six of which turned out to be malicious according to a bulk malware check
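The expansion described above is a standard defender pivot: take a distinctive string from a published IoC, search a DNS dataset for other hostnames carrying it, separate hits at the domain level from hits only in subdomain labels, and run everything through a bulk malware check. The script below is an added example, not WhoisXML API's code or tooling; the passive DNS records, the pivot strings, and the malware verdicts are all constructed placeholders, and the registrable-domain split assumes a two-label rule rather than the Public Suffix List.

```python
"""Added example (not WhoisXML API's code): expand a seed IoC list by
pivoting on distinctive strings through a passive DNS export, then run
the hits through a bulk malware check. All data below is constructed."""

# Constructed passive DNS export (hostnames only). Placeholders, not real IoCs.
PDNS_RECORDS = [
    "worldive-cdn.example",
    "mail.worldive-cdn.example",
    "redis-backup.example",
    "cache.redis-backup.example",
    "redis.internal.corp.example",
    "REDIS-node.Example.",
    "shop.example",
    "evil[.]worldive-cdn[.]example",
]

# Constructed stand-in for the verdicts a bulk malware-check service returns.
MALWARE_VERDICTS = {"redis-node.example", "redis.internal.corp.example"}

# Pivot strings drawn from the text's IoC discussion (assumed, not real IoCs).
PIVOT_STRINGS = ["worldive", "redis"]


def normalize_host(host: str) -> str:
    """Refang '[.]', drop a trailing dot and lowercase so comparisons are stable."""
    return host.replace("[.]", ".").rstrip(".").lower()


def split_host(host: str) -> tuple[str, str]:
    """Return (subdomain_prefix, registrable_domain).

    Assumption: the registrable domain is the last two labels. A production
    pipeline would consult the Public Suffix List to handle suffixes like co.uk."""
    labels = normalize_host(host).split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def expand_iocs(records, pivots):
    """Bucket every record that contains a pivot string.

    A hit lands in 'domains' when the string sits in the registrable domain and
    in 'subdomains' when it appears only in the labels to the left of it."""
    hits = {p: {"domains": set(), "subdomains": set()} for p in pivots}
    for record in records:
        prefix, domain = split_host(record)
        for pivot in pivots:
            if pivot in domain:
                hits[pivot]["domains"].add(domain)
            elif pivot in prefix:
                hits[pivot]["subdomains"].add(normalize_host(record))
    return hits


def bulk_malware_check(hosts, verdicts=MALWARE_VERDICTS):
    """Return the sorted subset of hosts the (constructed) check flags as malicious."""
    return sorted(h for h in hosts if h in verdicts)


def run_pivot(records=PDNS_RECORDS, pivots=PIVOT_STRINGS):
    """Full expansion: pivot, then check each bucket; returns a per-pivot summary."""
    hits = expand_iocs(records, pivots)
    summary = {}
    for pivot, buckets in hits.items():
        summary[pivot] = {
            kind: {"total": len(hosts), "malicious": bulk_malware_check(hosts)}
            for kind, hosts in buckets.items()
        }
    return summary


if __name__ == "__main__":
    for pivot, buckets in run_pivot().items():
        for kind, result in buckets.items():
            print(f"{pivot:10} {kind:10} {result['total']:3} found, "
                  f"{len(result['malicious'])} flagged: {result['malicious']}")
```

Note that records are deduplicated at the registrable-domain level, so several subdomains of one matching domain count once, which is why a domain-level count and a subdomain-level count (as in the figures above) are reported separately.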
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
—
- [1] https://cymulate.com/threats/muhstik-gang-targets-redis-servers-2/
- [2] https://securityaffairs.com/139164/malware/redigo-malware-targets-redis-servers.html
- [3] https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/#post-129197-_3s6epx4aqq4d