Anomali specialists first noticed IPStorm in June 2019, when it attacked only Windows machines. It has now begun to attack Android, macOS and Linux devices as well.
At that time the botnet comprised about 3,000 infected systems, but even then researchers found several unusual and interesting features unique to IPStorm.
For example, the malware's full name, InterPlanetary Storm, comes from the InterPlanetary File System (IPFS), the P2P protocol the malware uses to communicate with infected systems and deliver commands.
"Moreover, IPStorm was written in Go, and although malware in this language surprises no one now, in 2019 it was not so widespread, which made IPStorm a rather exotic and interesting piece of malware," Anomali researchers said.
Interestingly, Anomali's 2019 report did not explain how the malware spreads. At the time, some researchers hoped that IPStorm would turn out to be someone's experiment with IPFS and would not be developed further.
Unfortunately, those hopes did not come true.
Recent reports by Bitdefender and Barracuda describe new versions of IPStorm that can infect devices running Android, macOS and Linux. The researchers also worked out how the botnet spreads, refuting the theory that it was merely someone's experiment. Worse still, the number of infected machines has grown to 13,500 hosts.
"The botnet attacks and infects Android devices by scanning the Internet for devices with an open ADB (Android Debug Bridge) port. In turn, devices running Linux and macOS are compromised through dictionary attacks on SSH, that is, attackers simply brute-force a username and password," the researchers report.
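Both spreading vectors above are visible from the defender's side: a dictionary attack shows up as a burst of "Failed password" entries from one source in the sshd log, and an exposed ADB service is simply a reachable TCP listener. The following is an added example (not code from the article, nor from Bitdefender, Barracuda or Anomali) that flags both. It assumes the standard sshd log format, ADB's default TCP port 5555 (the article only says "open ADB port"), a failure threshold of four attempts, and constructed sample log lines that are not real data.

```python
"""Detect the two IPStorm spreading vectors: SSH dictionary attacks in sshd
logs and an exposed ADB-over-TCP listener. Added example, not from the
original article or the cited vendor reports."""
import re
import socket
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not real data): one source brute-forces
# several accounts and finally logs in; a second source is a normal user.
SAMPLE_AUTH_LOG = """\
Sep 12 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Sep 12 10:01:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Sep 12 10:01:04 host sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 51141 ssh2
Sep 12 10:01:05 host sshd[1207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Sep 12 10:01:06 host sshd[1209]: Failed password for invalid user ubuntu from 203.0.113.7 port 51162 ssh2
Sep 12 10:01:09 host sshd[1211]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Sep 12 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Sep 12 10:05:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
"""

# "invalid user" appears when the account does not exist; both forms count.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def detect_ssh_dictionary_attacks(log_text, threshold=4):
    """Return {ip: {"failures", "users", "succeeded_after"}} for every source
    with at least `threshold` failed password logins. `succeeded_after` is True
    when the same source later got an "Accepted password", i.e. the dictionary
    attack most likely succeeded and the host should be treated as compromised.
    The threshold of 4 is an assumption for this example."""
    failures = Counter()
    users = defaultdict(set)
    succeeded = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # Only a password login after repeated failures is suspicious;
        # key-based logins are not matched at all.
        if m and failures[m["ip"]] >= threshold:
            succeeded.add(m["ip"])
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "succeeded_after": ip in succeeded}
        for ip, n in failures.items() if n >= threshold
    }


def adb_tcp_exposed(host, port=5555, timeout=1.0):
    """True if a TCP listener answers on host:port. 5555 is ADB's default TCP
    port (an assumption here; the article only says "open ADB port"). A bare
    connect is enough to show the service is reachable from this vantage point;
    it does not speak the ADB protocol."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for ip, info in detect_ssh_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        verdict = "COMPROMISED" if info["succeeded_after"] else "brute force"
        print(f"{ip}: {info['failures']} failures on {info['users']} -> {verdict}")
    print("ADB on 127.0.0.1:5555 reachable:", adb_tcp_exposed("127.0.0.1"))
```

Running it on the sample log reports 203.0.113.7 as a brute-force source whose later password login makes the host a likely compromise, while the single failure from 198.51.100.20 stays below the threshold. Disabling PasswordAuthentication in sshd_config and keeping ADB off TCP (or firewalled) removes both vectors the researchers describe.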
Once IPStorm has infiltrated a device, the malware checks for honeypot software, sets itself up to persist on the system, and then kills a number of processes that could threaten its operation.
Although the botnet has been active for over a year, researchers still have not worked out what IPStorm's operators ultimately want. IPStorm installs a reverse shell on every infected device, but then leaves the systems alone.
In theory this backdoor could be used in many ways, but so far IPStorm's operators have not used it at all, although they could install miners on infected devices, use them as proxies, organize DDoS attacks, or simply sell access to the infected systems.
I love botnets and am happy to talk about them, for example the Prometheus botnet or the Dracula propaganda botnet, but the coolest is still the Cereals botnet, which existed for eight years for a single purpose: downloading anime.