Malware & Threats

New Malware Lays P2P Network on Top of IPFS’

A newly discovered piece of malware uses a peer-to-peer (p2p) network on top of InterPlanetary File System’s (IPFS) p2p network, Anomali’s security researchers report. 

Discovered in May 2019 and dubbed IPStorm, the malware is written in the Go (Golang) programming language and targets Windows machines. Once it has infected a system, the malicious program allows its operator to execute arbitrary PowerShell code. 

The use of a p2p network for communication ensures not only that the generated traffic blends into the legitimate traffic, but also that the infected machines don’t need to maintain a constant connection to the command and control (C&C) server. 

Being connected directly to each other via a p2p network, the machines form a p2p botnet, where commands propagate from one bot to another. A p2p botnet is more difficult to implement, as the attacker needs to ensure bots can communicate with each other at all times, even when behind a NAT, but it is also more difficult to detect, especially with the increased use of p2p in corporate environments.

The newly discovered botnet leverages IPFS, a p2p filesystem project that aims to improve the Internet by decentralizing it. The filesystem can be used to host a broad range of files that can be accessed via a client or through public gateways.

IPFS’ network code has been released as open source under the name “libp2p,” a modular network stack that includes support for bootstrapping, NAT traversal, relays, peer discovery, and pubsub functionality. The library can be used to build a p2p network by supplying bootstrapping nodes, and it also ships with IPFS’ own bootstrapping nodes, which can be used to layer a new p2p network on top of IPFS’.

This is exactly what the IPStorm (InterPlanetary Storm) malware does, making it difficult to determine which machines are infected and which are legitimate IPFS peers, Anomali reveals. Written in Go, it appears to have been developed on a macOS machine. The unpacked binary is large, at around 15 MB, but is split into multiple packages.

The threat also includes simple antivirus (AV) evasion techniques, such as sleeps, memory allocations, and generation of random numbers. The malware uses the third-party package “single” to ensure only one instance is running. It also adds a rule to the firewall to make sure it can connect to the p2p network.

The malware supports the download and upload of files, which are sent over the PubSub network. Reverse shell (called “backshell” by the author) functionality is also included, allowing the actor to execute any arbitrary PowerShell code on the infected machine. 

Based on the analyzed tree structure, Anomali suggests that the malware can either be compiled for operating systems other than Windows, or that the actor is in the process of building versions for other operating systems.

To date, the malware has infected several thousand machines: 2847 unique p2p nodes were observed announcing themselves with the identifier used by the malware during a ten-hour period. This number does not reflect the actual number of bots, but it does suggest that the botnet is evolving.
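The node count above comes from peers announcing the malware’s overlay identifier on top of the IPFS network. The following is an added example (not from the article or from Anomali) showing how a defender would reproduce that kind of measurement from their own peer-announcement records: it parses libp2p-style multiaddrs, then counts distinct peer IDs that announced a given protocol identifier inside a time window. The log format, the peer IDs and the overlay identifier “/example-overlay/1.0.0” are constructed placeholders; “/ipfs/kad/1.0.0” is the standard IPFS DHT protocol ID used here as the legitimate baseline.

```python
"""Count unique libp2p peers announcing a protocol ID within a time window."""
import re
from datetime import datetime, timedelta

# Constructed sample announcement log (placeholder data, not real observations).
# Each line: ISO timestamp, multiaddr of the announcing peer, protocol ID announced.
SAMPLE_ANNOUNCEMENTS = """\
2019-06-01T10:00:01 /ip4/203.0.113.10/tcp/4001/p2p/QmPeerA /ipfs/kad/1.0.0
2019-06-01T10:00:05 /ip4/203.0.113.10/tcp/4001/p2p/QmPeerA /example-overlay/1.0.0
2019-06-01T11:30:00 /ip4/198.51.100.7/tcp/4001/p2p/QmPeerB /example-overlay/1.0.0
2019-06-01T12:15:00 /ip4/198.51.100.7/tcp/4001/p2p/QmPeerB /example-overlay/1.0.0
2019-06-01T13:00:00 /ip4/192.0.2.44/udp/4001/quic/p2p/QmPeerC /ipfs/kad/1.0.0
2019-06-01T21:00:00 /ip4/192.0.2.99/tcp/4001/p2p/QmPeerD /example-overlay/1.0.0
"""

# Matches the common IPv4/IPv6 + tcp/udp(+quic) + /p2p/<peer id> multiaddr shape.
MULTIADDR_RE = re.compile(
    r"^/ip[46]/(?P<ip>[^/]+)/(?P<transport>tcp|udp)/(?P<port>\d+)"
    r"(?:/quic)?/p2p/(?P<peer>[^/\s]+)$"
)


def parse_multiaddr(addr):
    """Split a multiaddr into its address, transport, port and peer ID parts."""
    m = MULTIADDR_RE.match(addr)
    if not m:
        raise ValueError(f"unsupported multiaddr: {addr}")
    return {"ip": m["ip"], "transport": m["transport"],
            "port": int(m["port"]), "peer": m["peer"]}


def parse_announcements(text):
    """Turn the whitespace-separated log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, addr, proto = line.split()
        rec = parse_multiaddr(addr)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["proto"] = proto
        records.append(rec)
    return records


def count_overlay_peers(text, proto, start_iso, hours=10):
    """Distinct peer IDs announcing `proto` in [start, start + hours)."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(hours=hours)
    peers = {r["peer"] for r in parse_announcements(text)
             if r["proto"] == proto and start <= r["ts"] < end}
    return len(peers)
```

Note that a peer such as QmPeerA legitimately announces the DHT protocol and the overlay identifier at the same time, which is exactly why the overlay count has to be keyed on the identifier rather than on IPFS participation alone, and why a repeat announcer (QmPeerB) must be deduplicated before the figure says anything about botnet size.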

“This is the first malware found in the wild that is using IPFS’ p2p network for its C&C communication. By using a legitimate p2p network, the malware can hide its network traffic among legitimate p2p network traffic. This method also provides some protection against takedowns, since sinkholing the p2p network potentially could take down the whole IPFS network,” Anomali concludes. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
