The InterPlanetary File System (IPFS), considered one of the building blocks of web3, is increasingly being used to provide hidden bulletproof hosting for malware.
“Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks,” say researchers at Cisco Talos.
IPFS is a distributed file system where access is facilitated by content rather than physical location. The target file’s URL is a hash of the content, not a definition of the server’s location. Files are entered into the system and then automatically copied to multiple nodes. The physical location of the nodes is unknown to the user since the file is retrieved by the content hash rather than the IP address. The relationship between node and hash is maintained by IPFS gateways – the whole purpose is to create and maintain legitimate resilient, decentralized and uncensored access to internet content.
“While these technologies have legitimate uses in a variety of practical applications, they also create opportunities for adversaries to take advantage of them within their phishing and malware distribution campaigns,” says Talos in its latest Threat Spotlight.
“As an attacker,” Talos told SecurityWeek, “you will typically install an IPFS client on a system under your control.” This could be a computer you own, a compromised host or an anonymized virtual private server. “You publish the file to the IPFS network, and you effectively and automatically make local content available to multiple other nodes within the IPFS network.”
You can then disengage the initial computer, and yet the file lives on within IPFS at locations known only to the hash tables used by the IPFS gateways. Resilience is maintained, there is no single point of failure, and the target does not have to be part of IPFS.
The attraction for attackers is clear: they have no cost associated with malware storage, and their IPFS ‘servers’ cannot be taken down in the same way as traditional IP malware servers can be taken down.
To be clear, the process of an attack is unchanged. Targets still need to be directed to the IPFS file, which is likely to be malware or a phishing page. This will continue to be primarily through malicious links or weaponized attachments. A particularly savvy user could recognize an IPFS URL in an email (it just appears to be a random series of characters) and decline to click – but we know empirically that users tend not to look closely at links, being easily swayed by the social engineering context around the link.
“For now,” Talos told SecurityWeek, “if you’re an organization that has no association with web3, and you’re not dealing with NFTs, I would recommend simply blocking access to all the IPFS gateways because there’s a maintained list of them. That would provide quite a bit of mitigation to this.”
But this is no long-term solution. As web3 evolves and grows, and NFT/blockchain applications become more pervasive on IPFS, it is unlikely that many users will be able to disengage from the process.
Any form of local or IPFS gateway block on malicious files will be difficult. While malicious IPFS URLs may be recognized and individually blocked, the process will be similar to using traditional signatures to block malware. The attacker need only change a few characters in the file and a new hash signature will be created – creating a new IPFS file that will be redistributed to different nodes.
The Talos report describes several different attacks the researchers have discovered within IPFS. One example appears to be a PDF associated with DocuSign. If the victim clicks on ‘review document’, he or she is redirected to a page that appears to be a Microsoft authentication page but is a phishing page hosted on the IPFS network. Any data collected is sent to the attacker through an HTTP POST request to an attacker-controlled web server for use in further attacks.
Another example is an Agent Tesla malspam campaign using IPFS throughout the infection process to eventually deliver a malware payload.
To be clear, the use of IPFS does not require new malware. It is primarily a growing hosting and delivery mechanism. It offers the attacker resilient hosting and makes it difficult if not impossible for defenders to block malicious links. Defense against delivered malware remains the same with defenders even more reliant on malware detection and response.
Attackers are likely to increase the use of IPFS-hosted malware because of its simple, free and resilient hosting capabilities. Whether this will lead to any dramatic increase in the volume of attacks remains to be seen.
Related: Securing the Metaverse and Web3