Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Malware Lays P2P Network on Top of IPFS’

A newly discovered piece of malware uses a peer-to-peer (p2p) network on top of InterPlanetary File System’s (IPFS) p2p network, Anomali’s security researchers report. 

A newly discovered piece of malware uses a peer-to-peer (p2p) network on top of InterPlanetary File System’s (IPFS) p2p network, Anomali’s security researchers report. 

Discovered in May 2019 and dubbed IPStorm, the malware is written in the Go (Golang) programming language and targets Windows machines. Once it has infected a system, the malicious program allows its operator to execute arbitrary PowerShell code. 

The use of a p2p network for communication ensures not only that the generated traffic blends into the legitimate traffic, but also that the infected machines don’t need to maintain a constant connection to the command and control (C&C) server. 

Being connected directly to each other via a p2p network, the machines form a p2p botnet, where commands propagate from one bot to another. A p2p botnet is more difficult to implement, as the attacker needs to ensure bots can communicate with each other at all times, even when behind a NAT, but are more difficult to detect, especially with the increased use of p2p in corporate environments. 

The newly discovered botnet leverages IPFS, a p2p filesystem project that aims to decentralize the Internet to improve it. The filesystem can be used to host a broad range of files that can be accessed via a client or public gateways. 

IPFS’ network code has been released in open source as “libp2p,” a modular network stack that includes support for bootstrapping, NAT-traversal, relays, peer discovery, and pubsub functionality. The library can be used to build a p2p network by providing bootstrapping nodes and also includes IPFS’ bootstrapping nodes, which can be used to layer the new p2p network on top of IPFS’. 

Advertisement. Scroll to continue reading.

This is exactly what the IPStorm (InterPlanetary Storm) malware does, making it difficult to determine which machines are infected and which are legitimate IPFS peers, Anomali reveals. Written in Go, it appears to have been developed on a macOS machine, is large, with the unpacked binary at around 15 MB in size, but is split into multiple packages. 

The threat also includes simple antivirus (AV) evasion techniques, such as sleeps, memory allocations, and generation of random numbers. The malware uses third-party package “single” to ensure only one instance is running. It also adds a rule to the firewall, to make sure it can connect to the p2p network. 

The malware supports the download and upload of files, which are sent over the PubSub network. Reverse shell (called “backshell” by the author) functionality is also included, allowing the actor to execute any arbitrary PowerShell code on the infected machine. 

Based on the analyzed tree structure, Anomali suggests that the malware can either be compiled for other operating systems than Windows, or that the actor is in the process of building versions for other operating systems. 

To date, the malware infected several thousand machines, given that 2847 unique p2p nodes were observed announcing themselves with the identifier used by the malware during a ten-hour period. However, this number does not reflect the actual number of bots, but suggests that the botnet is evolving. 

“This is the first malware found in the wild that is using IPFS’ p2p network for its C&C communication. By using a legitimate p2p network, the malware can hide its network traffic among legitimate p2p network traffic. This method also provides some protection against takedowns, since sinkholing the p2p network potentially could take down the whole IPFS network,” Anomali concludes. 

Related: P2P Flaws Expose Millions of IoT Devices to Remote Attacks

Related: Hide ‘N Seek IoT Botnet Can Infect Database Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.