This unusual Windows malware is controlled via a P2P network

Researchers have detailed the newly uncovered malware, but it's still uncertain what the goal of the botnet campaign is.
Written by Danny Palmer, Senior Writer

A new malware campaign aimed at Windows machines features a novel technique to control the resulting botnet, with the group behind it hiding their communications using a P2P network.

Dubbed IPStorm – short for InterPlanetary Storm – by its cyber-criminal operators, the campaign was discovered in May. It's possible that the author has taken inspiration for the name from Storm – a P2P worm campaign that became notorious after it first emerged in 2007. It's not known who the author of IPStorm is or where they are operating from, but the malware has a 'reverse shell' functionality that can allow hackers to execute any arbitrary PowerShell code on the infected machine.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

What's interesting about the malware, according to researchers at cybersecurity firm Anomali, is that it is the first malware found in the wild that is using IPFS' p2p network for its command and control communication. By using a legitimate p2p network, the malware can hide its network traffic among legitimate p2p network traffic. 

The IPFS is an open source P2P file-sharing network that aims to act as a means of sharing and storing files, with users downloading and hosting content in a decentralised system. Examples of its application include being used to host a version of Wikipedia that can be accessed in countries where access to it is blocked.

Written in the Go programming language, it's still uncertain how IPStorm begins its initial infections, but the size of the malware package means the code is split into multiple parts. This indicates that the attackers are well-versed in software development because this makes the malware simpler to manage and update.

"By breaking functionality out into different Go packages, the codebase is easier to maintain. Also, the threat actor can break out things into modules to make it easier to swap out or reuse functionality," Joakim Kennedy, threat intelligence manager at the Anomali Threat Research Team told ZDNet.

IPStorm also comes build with several antivirus-evasion techniques, such as sleeping and memory allocations to remain undetected after it has found its way onto a Windows system and installed itself inside a folder from a pre-determined list, with most of the fake folders relating to Microsoft or Adobe systems. The idea is that even if a user sees the folder, they won't think much of it.

The executable is stored within this folder and also takes a name randomly selected name from a pre-determined list. The attackers appear to be making an effort to ensure that IPStorm is difficult to discover on infected machines.

Currently, the ultimate goal of this campaign still remains unknown – but it could be used for all manner of malicious activity.

"Botnets are usually used for DDoS, serving backing trojans, or building proxy networks. The bot allows the threat actor to execute any PowerShell code of their choosing. The botnet is constantly being updated, so new features can be added at any time," said Kennedy.

In the analysis of the malware, researchers note that while IPStorm is only targeting Windows systems for now, metadata in the malware samples suggests the attackers are potentially in the process of compiling it to infect other operating systems.

SEE: 10 tips for new cybersecurity pros (free PDF)

Anomali estimates that as of June 2019, the botnet is made up of just under 3,000 machines – although its relatively small size is likely down to how IPStorm is still only in the early stages of its evolution.

However, at the time of of the Interplanetary Storm research being published, researchers say that only half of the engines on VirusTotal flag it as something malicious – meaning that at this time it could spread relatively undetected if the botnet expands. Kennedy told ZDNet there's a simple way to avoid falling victim to this campaign.

"If IPFS is not used by anything on your network, the bootstrapping IPs can be blocked to prevent potential bots from connecting to the botnet," he said.

Anomali has posted the Indicators of Compromise for IPStorm in their analysis of the malware.


Editorial standards