IPStorm botnet attacks Android, macOS and Linux devices

Thursday, October 1, 2020 – 10:33 ksa

Anomali first described the IPStorm botnet in June 2019, when it targeted only Windows machines. At that time the botnet comprised only about 3,000 infected hosts, but researchers already noted several unusual and interesting features. The malware's full name, InterPlanetary Storm, derives from the InterPlanetary File System (IPFS), the peer-to-peer network the malware uses to communicate with compromised hosts and relay commands to them.

IPStorm also turned out to be written in Go. Malware written in Go no longer surprises anyone, but in 2019 the language was still rarely seen in malware, which made IPStorm an exotic and interesting specimen.

Notably, the 2019 Anomali analysis did not establish how the malware spread. Some researchers hoped at the time that IPStorm was merely someone's IPFS experiment that would never reach full-scale production. Unfortunately, those hopes did not come true.

Recent reports from Bitdefender and Barracuda describe new versions of IPStorm that infect devices running Android, macOS and Linux. The researchers also worked out how the botnet spreads, refuting the idea that it was just someone's experiment. Worse, the number of infected hosts has grown to roughly 13,500.

According to the researchers, the botnet infects Android devices by scanning the Internet for devices with an exposed ADB (Android Debug Bridge) port. Linux and macOS machines are compromised through SSH dictionary attacks: the attackers simply brute-force username and password combinations.
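Both infection vectors described above leave obvious traces on the victim side, and a defender can check for them without any special tooling. The following Python script is an added example, not code from the original article or from the Bitdefender or Barracuda reports: it parses constructed sshd log lines to flag a dictionary attack (a burst of failed logins from one source trying several usernames, followed by a successful login), and it inspects constructed `ss -ltn` output for an adbd listener on TCP port 5555 that is bound to a non-loopback address. The sample log and socket listing are invented for the example; the threshold and time window are assumptions, not values taken from the reports.

```python
"""Detect SSH dictionary attacks and an exposed ADB port from host artefacts.

Added example (not part of the original article). The log lines and the
socket listing below are constructed for the demo, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt: one source hammers several accounts, then
# gets in as root; a second source is an ordinary user with one typo.
SAMPLE_AUTH_LOG = """\
Oct  1 10:31:02 pi sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  1 10:31:03 pi sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct  1 10:31:04 pi sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 51238 ssh2
Oct  1 10:31:05 pi sshd[2207]: Failed password for invalid user ubuntu from 203.0.113.7 port 51240 ssh2
Oct  1 10:31:06 pi sshd[2209]: Failed password for root from 203.0.113.7 port 51242 ssh2
Oct  1 10:31:07 pi sshd[2211]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Oct  1 10:40:00 pi sshd[2300]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Oct  1 10:40:20 pi sshd[2302]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2: RSA SHA256:abc
"""

# Constructed `ss -ltn` output from an Android device with adbd in TCP mode.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4       0.0.0.0:5555        0.0.0.0:*
LISTEN  0       4       127.0.0.1:5037      0.0.0.0:*
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse_auth_log(text, year=2020):
    """Turn sshd log lines into events; syslog omits the year, so it is passed in."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog noise is ignored
        stamp = " ".join(m.group("ts").split())  # collapse "Oct  1" padding
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "kind": m.group("kind").lower(),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def find_dictionary_attacks(events, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside any window_s span.

    threshold/window_s are assumed tuning values for this example. The
    result also records whether a login was accepted after the failures,
    which is the case that actually matters for incident response.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["kind"] == "failed")
        burst = 0
        for i in range(len(fails)):  # largest number of failures in one window
            j = i
            while j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_s:
                j += 1
            burst = max(burst, j - i)
        if burst >= threshold:
            findings[ip] = {
                "failures": len(fails),
                "burst": burst,
                "users": sorted({e["user"] for e in evs if e["kind"] == "failed"}),
                "accepted_after": any(e["kind"] == "accepted" and e["ts"] >= fails[-1]
                                      for e in evs),
            }
    return findings


def exposed_adb_listeners(ss_output, adb_port=5555):
    """Return LISTEN sockets on the ADB port that are not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        host, _, port = local.rpartition(":")  # handles "[::]:5555" as well
        if port == str(adb_port) and host not in ("127.0.0.1", "[::1]"):
            exposed.append(local)
    return exposed


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"SSH dictionary attack from {ip}: {info}")
    for sock in exposed_adb_listeners(SAMPLE_SS):
        print(f"ADB reachable from the network on {sock}; run 'adb usb' or reboot")
```

On a real Linux host the first function would be fed `/var/log/auth.log` or `journalctl -u ssh`, and a hit with `accepted_after` set should be treated as a compromise, not a nuisance. On Android, `adb tcpip` mode survives until the device is rebooted or `adb usb` is run, so a listener on 5555 bound to `0.0.0.0` is exactly the condition the botnet scans for; disabling USB debugging entirely is the durable fix.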

Once IPStorm has landed on a host, it checks for signs of a honeypot, establishes persistence on the system, and then kills a number of processes that could interfere with its operation.

Although the botnet has been active for more than a year, researchers still have not determined the IPStorm operators' ultimate goal. Ironically, IPStorm installs a reverse shell on every compromised host and then leaves the system alone. In principle this backdoor could be used in many ways: the operators could deploy cryptocurrency miners, use the hosts as proxies, coordinate DDoS attacks, or simply sell access to the infected systems. So far, however, they have not used it at all.