New IPStorm variant targets IoT devices


A new variant of the InterPlanetary Storm malware targets IoT devices. Infected devices give the operators a back door that can later be used for cryptomining, DDoS and other large-scale attacks.

The cybercriminal organization behind the InterPlanetary Storm malware has released a new variant that, in addition to Windows and Linux computers, now also targets Mac and Android devices. The malware is building a botnet that currently includes around 13,500 infected computers in 84 different countries around the world, and that number continues to grow.

After Windows and Linux now IoT devices

The first variant of InterPlanetary Storm, which targeted Windows machines, was revealed in May 2019, and in June of this year a variant capable of attacking Linux machines was reported. The new variant, which Barracuda researchers first discovered at the end of August, targets IoT devices such as televisions running Android, as well as Linux-based machines such as routers with a poorly configured SSH service. The botnet that this malware sets up does not yet have any clear functionality, but it offers the campaign operators a back door into the infected devices so that they can later be misused for cryptomining, DDoS or other large-scale attacks.

The majority of the computers infected by the malware are currently located in Asia.

IPStorm-infected machines, as of 10/20:

• 59% of infected computers are in Hong Kong, South Korea and Taiwan
• 8% in Russia and Ukraine
• 6% in Brazil
• 5% in the United States and Canada
• 3% in Sweden
• 3% in China
• All other countries register 1% or less (Germany currently 0.5%)

How the new InterPlanetary Storm malware works

The new variant of the InterPlanetary Storm malware gains access to computers by carrying out a dictionary attack on SSH servers, similar to FritzFrog, another peer-to-peer (P2P) malware. It can also gain access via open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and operating system of its victims, and it can run on ARM-based machines, an architecture that routers and other IoT devices use quite often. The malware is known as InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) P2P network and the underlying libp2p implementation. This allows infected nodes to communicate with one another directly or via other nodes (e.g. relays).
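The SSH dictionary attack described above leaves a characteristic trail in the sshd authentication log: a burst of failed password logins for many usernames from one source, sometimes followed by a successful password login from that same source. The following detection logic is an added example, not code from the article or from Barracuda; the log lines are constructed samples in the syslog format OpenSSH writes to /var/log/auth.log, and the threshold of five failures is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the article).
SAMPLE_AUTH_LOG = """\
Oct 20 10:01:02 router sshd[1201]: Failed password for root from 203.0.113.5 port 51012 ssh2
Oct 20 10:01:03 router sshd[1203]: Failed password for admin from 203.0.113.5 port 51014 ssh2
Oct 20 10:01:04 router sshd[1205]: Failed password for invalid user pi from 203.0.113.5 port 51016 ssh2
Oct 20 10:01:05 router sshd[1207]: Failed password for invalid user ubnt from 203.0.113.5 port 51018 ssh2
Oct 20 10:01:06 router sshd[1209]: Failed password for root from 203.0.113.5 port 51020 ssh2
Oct 20 10:01:07 router sshd[1211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 20 10:01:09 router sshd[1213]: Accepted password for admin from 203.0.113.5 port 51024 ssh2
Oct 20 10:05:00 router sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Oct 20 10:05:30 router sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
# Only password-based successes matter here: key-based logins are what the
# article recommends and are not what a dictionary attack produces.
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")

def analyze_ssh_log(text, threshold=5):
    """Return sources that look like SSH dictionary attacks.

    A source is flagged when it produces at least `threshold` failed
    password logins (assumed threshold). If a password login from that
    same source later succeeds, the finding records the account it got
    into, which is the likely compromise to investigate first."""
    failures = Counter()
    usernames = defaultdict(set)
    success_after = {}
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            usernames[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            success_after[m.group(2)] = m.group(1)
    findings = {}
    for src, n in failures.items():
        if n >= threshold:
            findings[src] = {"failed": n,
                             "users": sorted(usernames[src]),
                             "compromised_as": success_after.get(src)}
    return findings
```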

Special properties of the new variant

This variant of InterPlanetary Storm is written in Go, uses the Go implementation of libp2p and is packed with UPX. It spreads using SSH brute force and open ADB ports, and serves its malware files to other nodes on the network. The malware can also open a reverse shell and run a bash shell. The new variant has several unique features designed to help ensure that the malware remains persistent and protected after it has infected a computer:

  • It recognizes honeypots. The malware looks for the string "svr04" in the standard shell prompt (PS1), which was previously used by the Cowrie honeypot.
  • It updates itself automatically. The malware compares the version of the running instance with the latest available version and updates itself accordingly.
  • It tries to stay persistent by installing a service (system / systemv) using a Go Daemon Package.
  • It stops other processes on the computer that pose a threat to the malware, such as debuggers and competing malware.

Measures to protect against new InterPlanetary Storm variant

  • Properly configured SSH access on all devices: use keys instead of passwords, which makes access more secure. If password login is enabled and the service itself is reachable, the malware can exploit this poorly configured attack surface. This is the situation on many routers and IoT devices, making them easy targets for this malware.
  • Use a Cloud Security Posture Management tool to monitor SSH access control and catch configuration errors that could have serious consequences. Where shell access is genuinely needed, provide it through an MFA-enabled VPN connection rather than exposing the service on the Internet, and segment the network for the specific requirement instead of granting access to wide IP ranges.
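The first recommendation above can be checked mechanically: an sshd_config that still allows password logins is the misconfiguration this variant exploits. The audit below is an added example, not code from the article or from Barracuda; both configuration fragments are constructed (the weak one of the kind the article describes, the hardened one beside it), and the defaults table follows the documented OpenSSH defaults for the listed keywords.

```python
import re

# Constructed sshd_config fragments (not from the article).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin
"""

# Documented OpenSSH defaults (sshd_config(5)) used when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "maxauthtries": "6",
}

def parse_sshd_config(text):
    """Parse the global section of an sshd_config (keyword value, or
    keyword=value) into a lower-cased dict, starting from the defaults.
    Match blocks are skipped: they only narrow settings per user/host."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings[key] = value
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means no weak setting found."""
    s = parse_sshd_config(text)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: dictionary attacks possible; set no, use keys")
    if s["challengeresponseauthentication"] == "yes":
        findings.append("ChallengeResponseAuthentication yes: PAM can still prompt for a password")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root accepts passwords; use prohibit-password or no")
    if int(s["maxauthtries"]) > 3:
        findings.append("MaxAuthTries > 3: many guesses per connection; lower it")
    return findings
```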


More on this on the blog at Barracuda.com

 
