The IPStorm botnet was first uncovered in May 2019 while targeting Windows systems; now experts from Intezer report that the bot has evolved to infect other platforms, including Android, Linux, and Mac devices.
The IPStorm botnet continues to infect systems across the world: its size has grown from around 3,000 infected systems in May 2019 to more than 13,500 devices this month.
The name IPStorm is an abbreviation of InterPlanetary Storm, which comes from the InterPlanetary File System (IPFS), the peer-to-peer protocol the bot uses for its communications in order to obscure the malicious traffic.
The bot is written in the Go programming language and was initially designed to compromise Windows systems only. In June, the security firms Bitdefender and Barracuda discovered new IPStorm versions that are also able to target Android, Linux, and Mac.
The experts from both security firms reported that IPStorm was infecting Android systems with the ADB (Android Debug Bridge) port exposed online.
The bot also targets Linux and Mac devices, performing dictionary attacks against SSH services to guess their usernames and passwords.
Once a connection is established, the malware checks for the presence of a honeypot by comparing the hostname of the attacked server to the string “svr04”, which is the default hostname of the Cowrie SSH honeypot.
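The two defender-side consequences of the SSH behaviour described above are (a) a burst of failed password attempts across many usernames from one source is the signature of a dictionary attack worth alerting on, and (b) a Cowrie honeypot left with its stock hostname will be recognised and skipped by this bot. The following script is an added example, not code from the article or from Intezer's report; the auth.log lines and the Cowrie configuration fragment are constructed for the demonstration, the `[honeypot]` section and `hostname` key are Cowrie's own configuration names, and the thresholds are assumptions to tune per environment.

```python
import re
import configparser
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample (not taken from the article or any real host).
SAMPLE_AUTH_LOG = """\
Oct  1 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Oct  1 10:00:02 host1 sshd[1202]: Failed password for root from 198.51.100.7 port 51023 ssh2
Oct  1 10:00:03 host1 sshd[1203]: Failed password for invalid user pi from 198.51.100.7 port 51024 ssh2
Oct  1 10:00:04 host1 sshd[1204]: Failed password for invalid user ubuntu from 198.51.100.7 port 51025 ssh2
Oct  1 10:00:05 host1 sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 51026 ssh2
Oct  1 10:00:09 host1 sshd[1206]: Accepted password for deploy from 203.0.113.9 port 40000 ssh2
Oct  1 10:01:10 host1 sshd[1207]: Failed password for deploy from 203.0.113.9 port 40001 ssh2
"""

# Matches the standard OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, username, source_ip) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; the default (1900) is fine for relative windows
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("src")))
    return events


def find_dictionary_attacks(log_text, threshold=5, window_seconds=60):
    """Map source_ip -> (distinct_usernames, attempt_count) for sources that produced at
    least `threshold` failed logins within `window_seconds` while cycling through two or
    more usernames. One user mistyping a password never looks like this; a wordlist does."""
    by_source = defaultdict(list)
    for ts, user, src in parse_failed_logins(log_text):
        by_source[src].append((ts, user))
    findings = {}
    for src, evs in by_source.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            # extend the window forward while events stay within window_seconds of evs[i]
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_seconds:
                j += 1
            window = evs[i:j]
            users = {u for _, u in window}
            if len(window) >= threshold and len(users) >= 2:
                findings[src] = (len(users), len(window))
                break
    return findings


# The stock hostname the article says the bot compares against.
COWRIE_DEFAULT_HOSTNAME = "svr04"

# Constructed Cowrie-style configuration fragment (section and key names are Cowrie's).
SAMPLE_COWRIE_CFG = """\
[honeypot]
hostname = svr04
log_path = var/log/cowrie
"""


def cowrie_hostname_is_default(cfg_text):
    """True if the honeypot still advertises Cowrie's default hostname, i.e. the exact
    value IPStorm's Linux variant uses to recognise and avoid the honeypot."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    hostname = cp.get("honeypot", "hostname", fallback=COWRIE_DEFAULT_HOSTNAME)
    return hostname.strip() == COWRIE_DEFAULT_HOSTNAME


if __name__ == "__main__":
    for src, (n_users, n_attempts) in find_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(f"possible SSH dictionary attack from {src}: "
              f"{n_attempts} failures across {n_users} usernames")
    if cowrie_hostname_is_default(SAMPLE_COWRIE_CFG):
        print("Cowrie hostname is still 'svr04'; IPStorm will recognise it as a honeypot")
```

Running it on the constructed sample flags 198.51.100.7 (five failures across five usernames inside four seconds) and ignores the single failure from 203.0.113.9; the config check fires because the fragment keeps the `svr04` default. Honeypot operators who want to keep observing this family should set the hostname to something that does not match the bot's fingerprint, and the window and threshold should be tuned against real login volume before alerting on the detection.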
“The Linux variant has additional features over the documented Windows version, such as using SSH brute-force as a means to spread to additional victims and fraudulent network activity abusing Steam gaming and advertising platforms.” reads Intezer’s report. “The Linux variant has adjusted some features in order to account for the fundamental differences that exist between this operating system and Windows.”
The IPStorm bot also kills a list of processes that could potentially interfere with its operations.
Experts noticed that IPStorm versions for both Linux and Windows systems implement a reverse shell mechanism.
“The Windows variant has a package called powershell which contains functions for achieving reverse shell. The same package is present in the Linux variant but it contains only one function: storm_powershell__ptr_Backend_StartProcess. The function is used to get a reverse shell on the infected system.” continues the analysis.
Curiously, the researchers have so far not observed the IPStorm operators carrying out malicious activities such as DDoS attacks or relaying malicious traffic.
“Platforms that are compromised by IPStorm are not only exposed to a backdoor to their services but are also added to the IPStorm Botnet which attempts to spread to other victims.” concludes Intezer. “The attackers behind IPStorm are very active evidenced by the frequent release of updated versions with new features and improvements, as well as the expansion to several different platforms and architectures.”
(SecurityAffairs – IPStorm)