New Malware Lays P2P Network on Top of IPFS
A newly discovered piece of malware uses a peer-to-peer (p2p) network on top of InterPlanetary File System’s (IPFS) p2p network, Anomali’s security researchers report.
Discovered in May 2019 and dubbed IPStorm, the malware is written in the Go (Golang) programming language and targets Windows machines. Once it has infected a system, the malicious program allows its operator to execute arbitrary PowerShell code.
The use of a p2p network for communication ensures not only that the generated traffic blends into the legitimate traffic, but also that the infected machines don’t need to maintain a constant connection to the command and control (C&C) server.
Being connected directly to each other via a p2p network, the machines form a p2p botnet, where commands propagate from one bot to another. A p2p botnet is more difficult to implement, as the attacker needs to ensure bots can communicate with each other at all times, even when behind a NAT, but it is also more difficult to detect, especially with the increased use of p2p in corporate environments.
The newly discovered botnet leverages IPFS, a p2p filesystem project that aims to decentralize the Internet to improve it. The filesystem can be used to host a broad range of files that can be accessed via a client or public gateways.
IPFS’ network code has been released in open source as “libp2p,” a modular network stack that includes support for bootstrapping, NAT-traversal, relays, peer discovery, and pubsub functionality. The library can be used to build a p2p network by providing bootstrapping nodes and also includes IPFS’ bootstrapping nodes, which can be used to layer the new p2p network on top of IPFS’.
This is exactly what the IPStorm (InterPlanetary Storm) malware does, making it difficult to determine which machines are infected and which are legitimate IPFS peers, Anomali reveals. Written in Go, it appears to have been developed on a macOS machine. It is large, with the unpacked binary at around 15 MB in size, but is split into multiple packages.
The threat also includes simple antivirus (AV) evasion techniques, such as sleeps, memory allocations, and generation of random numbers. The malware uses the third-party package “single” to ensure only one instance is running. It also adds a rule to the firewall, to make sure it can connect to the p2p network.
The malware supports the download and upload of files, which are sent over the PubSub network. Reverse shell (called “backshell” by the author) functionality is also included, allowing the actor to execute any arbitrary PowerShell code on the infected machine.
Based on the analyzed tree structure, Anomali suggests that the malware can either be compiled for operating systems other than Windows, or that the actor is in the process of building versions for other operating systems.
To date, the malware has infected several thousand machines, given that 2847 unique p2p nodes were observed announcing themselves with the identifier used by the malware during a ten-hour period. However, this number does not reflect the actual number of bots, but suggests that the botnet is evolving.
“This is the first malware found in the wild that is using IPFS’ p2p network for its C&C communication. By using a legitimate p2p network, the malware can hide its network traffic among legitimate p2p network traffic. This method also provides some protection against takedowns, since sinkholing the p2p network potentially could take down the whole IPFS network,” Anomali concludes.