A new variant of the InterPlanetary Storm malware has been discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices (in addition to Windows and Linux, which were targeted by previous variants of the malware).
Researchers say the malware is building a botnet with a current estimated 13,500 infected machines across 84 countries worldwide – and that number continues to grow. Half of the infected machines are in Hong Kong, South Korea and Taiwan; other infected systems are in Russia, Brazil, the U.S., Sweden and China.
“While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks,” said researchers with Barracuda in a Thursday analysis.
The botnet, which is written in Go, uses the Go implementation of libp2p, which is a network framework that allows users to write decentralized peer-to-peer (P2P) applications. This framework was originally the networking protocol of InterPlanetary File System (IPFS), on which researchers based the malware’s name.
“The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation,” said researchers. “This allows infected nodes to communicate with each other directly or through other nodes (i.e. relays).”
The malware spreads via brute-force attacks on devices running Secure Shell (SSH), a cryptographic network protocol for operating network services securely over an unsecured network. Researchers noted this is similar to FritzFrog, another P2P malware. Another method of infection is through open Apple Desktop Bus (ADB) ports, which connect low-speed devices to computers.
“The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices,” said researchers.
The newest variant of the malware includes several significant changes, most notably the extension of its targeting to Mac and Android devices. The new variant can also auto-update to the latest available malware version and kill other processes on the machine that pose a threat to it, such as debuggers or competing malware (identified by looking for strings such as “rig,” “xig” and “debug”).
It can now also detect honeypots, for instance by looking for the string “svr04” in the default shell prompt.
Once infected, devices communicate with the command-and-control (C2) server to report that they are part of the botnet. Researchers said the ID of each infected machine is generated during initial infection and is reused if the machine restarts or the malware updates. Once downloaded, the malware also serves its files to other nodes in the network. It also enables a reverse shell and can run bash, said researchers.
Source: Threat Post