IPStorm botnet expands from Windows to Android, Mac, and Linux

IPStorm botnet quadruples in size to reach 13,500 infected systems.
Written by Catalin Cimpanu, Contributor
Image: Clinton Naik

IPStorm, a malware botnet that was first spotted last year targeting Windows systems, has evolved to infect other types of platforms, such as Android, Linux, and Mac devices.

Furthermore, the botnet has also quadrupled in size, growing from around 3,000 infected systems in May 2019 to more than 13,500 devices this month.

These latest developments put IPStorm in the class of today's most dangerous botnets, a classification the malware deserves due to its sustained development across the past year, expansion to multiple platforms, and for the advanced and unique features it possesses.

IPStorm — a short history

Spotted in May 2019 and first described in an Anomali report in June 2019, IPStorm began operating by targeting Windows systems only.

At the time of its discovery, security researchers spotted several unique features specific to IPStorm alone. For example, the malware's full name of InterPlanetary Storm came from the InterPlanetary File System (IPFS), a peer-to-peer protocol that the malware was using to communicate with infected systems and relay commands.

Second, the malware was also written in the Go programming language. While Go malware has become common today, it was not so common in 2019, making IPStorm one of the few malware strains of its kind.

But the Anomali 2019 report never explained how the malware spread to infect Windows systems. At the time, some security researchers hoped that IPStorm would end up being an experiment that some bored programmer had taken up to play around with IPFS networks, and would eventually abandon it at some point in the future.

But it was not to be. In reports from Bitdefender in June 2020 and from Barracuda earlier today, the two security firms say they've spotted new IPStorm versions that are capable of infecting devices running other platforms beyond Windows, such as Android, Linux, and Mac.

And this time, there's also info on how the botnet spreads, effectively striking down the idea that this was just an experiment and confirming that a well-organized attack infrastructure is currently keeping the botnet alive.

According to Bitdefender and Barracuda, IPStorm targets and infects Android systems by scanning the internet for devices that had left their ADB (Android Debug Bridge) port exposed online.

On the other hand, Linux and Mac devices are infected after the IPStorm gang performs dictionary attacks against SSH services to guess their username and passwords.

After IPStorm gains an initial foothold on these systems, the malware usually checks for the presence of honeypot software, gains boot persistence on the device, and then kills a list of processes that may pose a threat to its operations.

IPStorm's end goal remains unknown

Nonetheless, despite being active for more than a year, security researchers have yet to figure out one last thing about IPStorm — namely, its end goal.

Security researchers say that IPStorm drops a reverse shell on all infected devices but then leaves these systems alone.

While this backdoor mechanism could be abused in an unlimited number of ways, until now, security researchers have not seen the IPStorm operators doing anything nefarious, such as installing crypto-mining apps, performing DDoS attacks, relaying malicious traffic as part of a proxy network, or sell access to infected systems.

This remains a mystery that security researchers are still chasing to crack, but it's most likely not going to have a positive outcome for all the infected systems and their owners.

UPDATE: Nut cracked! Hours after this article went live, Intezer published its own report on IPStorm operations and linked the botnet to advertising and Steam gaming fraud.

Linux survival guide: These 21 applications let you move easily between Linux and Windows

Editorial standards