#1263327: The InterPlanetary Storm: New Malware in Wild Using InterPlanetary File System’s (IPFS) p2p network

Description: In May 2019, a new malware was found in the wild that runs its own peer-to-peer (p2p) network on top of the InterPlanetary File System's (IPFS) p2p network. The malware targets Windows machines and lets the threat actor execute arbitrary PowerShell code on the infected machines. Using a legitimate p2p network can make the malicious traffic harder to discover, since it blends in with legitimate traffic to that network, and harder to sinkhole, since taking down the botnet risks taking down the legitimate p2p network with it.

When a threat actor wants to commandeer a machine, a Command and Control (C2) communication channel needs to be established. With this communication channel, the threat actor can send commands to the infected machines and the response can be sent back from the infected machines to the actor. In general, there are two types of schemes that can be used. The first type is a p2p model, and the second type is a server-client model.
Server-Client Model

In a server-client model, the infected machines connect to a set of C2 servers that provide instructions and handle the responses sent back. A threat actor may control the infected machines from these servers directly by hosting the administrator panel on them. Another option is a second layer of C2 servers that never talk to the infected machines. Instead, commands are sent from the second layer to the first, which relays commands and responses between the infected machines and the second layer, acting more like a proxy. This helps protect the second layer from being discovered and possibly seized by the authorities. Using two layers of C2 servers can also increase stealth: the threat actor can, for example, use a non-malicious website to proxy or relay the communication.

In recent years, threat actors have started using legitimate web services for C2 communication; Twitter, GitHub and Instagram have all been misused this way.[1] Legitimate services have several advantages for the threat actor. They use TLS by default, so the actor does not need to obtain and maintain certificates. They are also common on home and corporate networks: the malware talks to the same servers as ordinary web browsers, so the malicious traffic blends in with legitimate communication. While this hides the traffic better, it is also easier to take down, because a single provider can suspend the accounts involved. One way to make takedowns harder is to use a p2p model instead of a server-client model.
P2P Model

In a p2p model, the infected machines do not necessarily communicate directly with servers controlled by the threat actor. Instead, the machines connect to each other over a p2p network, commonly called a p2p botnet. The threat actor only has to send a command to one infected machine, and it propagates automatically to all the others. A p2p model is generally harder for a threat actor to implement because it raises problems the server-client model does not have. The first is bootstrapping: how does a newly infected machine find other infected machines to connect to? One method is to ship a list of known peers inside the malware. On the defender side, a known bootstrapping list can be used for both detection and prevention, by alerting on or blocking access to the listed hosts at the perimeter. The second problem is Network Address Translation (NAT) traversal for machines that are not directly connected to the internet.[2] A p2p network depends on peers being able to reach each other. A machine behind a NAT router cannot be reached by a machine on the internet, because the router only forwards connections initiated from inside the NAT (unless port forwarding, hole punching or a relay is set up). If every node in the p2p network sits behind NAT, none of the nodes can connect to each other.
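The bootstrapping list is the one static artifact a p2p botnet cannot avoid shipping, and the paragraph above notes that defenders can turn it into a detection and blocking rule. The Go program below is an added example (not code from the Anomali write-up or from IPStorm) of doing exactly that for a libp2p-style list: it parses multiaddrs of the kind `ipfs bootstrap list` prints, builds a blocklist keyed on transport, IP and port, and matches constructed flow records against it. The two IP entries are written in the format of IPFS's public bootstrap nodes but should be treated as sample values; the flow records are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Peer is one bootstrap node reduced to what a perimeter device can act on.
type Peer struct {
	IP     net.IP
	Port   int
	Proto  string // "tcp" or "udp"
	PeerID string
}

// ParseMultiaddr parses the /ip4|ip6/.../tcp|udp/PORT[/quic]/p2p/ID shapes found in
// bootstrap lists. DNS-based entries are rejected: there is no IP to block until resolved.
func ParseMultiaddr(s string) (Peer, error) {
	parts := append(strings.Split(strings.Trim(s, "/"), "/"), "") // "" sentinel for value peek
	var p Peer
	for i := 0; i < len(parts)-1; i++ {
		key, val := parts[i], parts[i+1]
		switch key {
		case "dnsaddr", "dns", "dns4", "dns6":
			return Peer{}, fmt.Errorf("%s: needs DNS resolution first", s)
		case "quic", "quic-v1": // transport markers that carry no value
		case "ip4", "ip6":
			if p.IP = net.ParseIP(val); p.IP == nil {
				return Peer{}, fmt.Errorf("bad ip %q", val)
			}
			i++
		case "tcp", "udp":
			n, err := strconv.Atoi(val)
			if err != nil || n < 1 || n > 65535 {
				return Peer{}, fmt.Errorf("bad port %q", val)
			}
			p.Port, p.Proto = n, key
			i++
		case "p2p", "ipfs":
			p.PeerID = val
			i++
		default:
			return Peer{}, fmt.Errorf("unsupported protocol %q", key)
		}
	}
	if p.IP == nil || p.Port == 0 {
		return Peer{}, fmt.Errorf("no ip/port in %q", s)
	}
	return p, nil
}

// Blocklist is keyed by "proto/ip:port" so one lookup answers a flow record.
type Blocklist map[string]Peer

// BuildBlocklist returns the matchable peers plus the entries it had to skip.
func BuildBlocklist(addrs []string) (Blocklist, []string) {
	bl, skipped := Blocklist{}, []string{}
	for _, a := range addrs {
		p, err := ParseMultiaddr(a)
		if err != nil {
			skipped = append(skipped, a)
			continue
		}
		bl[p.Proto+"/"+net.JoinHostPort(p.IP.String(), strconv.Itoa(p.Port))] = p
	}
	return bl, skipped
}

// MatchFlow checks a constructed "<ts> <src ip:port> -> <dst ip:port> <PROTO>" record.
func (bl Blocklist) MatchFlow(line string) (Peer, bool) {
	f := strings.Fields(line)
	if len(f) != 5 || f[2] != "->" {
		return Peer{}, false
	}
	p, ok := bl[strings.ToLower(f[4])+"/"+f[3]]
	return p, ok
}

// Sample entries in the `ipfs bootstrap list` format; pull the live list from a current node.
var sampleBootstrap = []string{
	"/ip4/104.131.131.82/tcp/4001/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ",
	"/ip4/104.131.131.82/udp/4001/quic/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ",
	"/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN",
}

// Constructed flow records for the demonstration.
var sampleFlows = []string{
	"2019-05-20T10:00:01Z 10.0.0.5:51234 -> 104.131.131.82:4001 TCP",
	"2019-05-20T10:00:02Z 10.0.0.5:51235 -> 93.184.216.34:443 TCP",
	"2019-05-20T10:00:03Z 10.0.0.7:60001 -> 104.131.131.82:4001 UDP",
}

func main() {
	bl, skipped := BuildBlocklist(sampleBootstrap)
	fmt.Println("blockable:", len(bl), "skipped:", skipped)
	for _, l := range sampleFlows {
		fmt.Println(bl.MatchFlow(l))
	}
}
```

Two caveats follow from the page's own argument. First, /dnsaddr entries are resolved at run time, so a static blocklist has to be refreshed from DNS (and from `ipfs bootstrap list`) regularly. Second, because a botnet layered on IPFS shares these bootstrap nodes with legitimate IPFS users, a hit is evidence of IPFS use, not of infection; it should trigger investigation of the host, not an automatic verdict, unless the organisation has no legitimate IPFS use at all.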

Compared with the server-client model, p2p botnets have not had the same opportunity to hide their traffic among legitimate traffic: until recently, p2p communication on a corporate network could be treated as suspicious by itself. Today more and more legitimate services use p2p technology, and it is slowly creeping into the enterprise. For example, Windows 10 has a feature called "Delivery Optimization" that delivers updates over a p2p network formed by machines joined to the same Active Directory domain.[3] Just as threat actors misuse web services to hide malicious traffic, they misuse legitimate p2p networks to hide theirs. Beyond blending in with normal traffic, the botnet becomes intertwined with the legitimate nodes in a way that makes it very hard to take down the malicious botnet without also taking down the legitimate p2p network. In May 2019, a new botnet was discovered that uses the IPFS p2p network.

IPFS is a project that aims to make today's internet more decentralized.[4] It is designed as a distributed p2p filesystem that can host any kind of file, including static web pages viewable in a browser. Files hosted on IPFS can be accessed with a client or through public gateways; Cloudflare, for example, runs one.[5] IPFS's network code is released as a separate open source project, "libp2p", a modular network stack that lets anyone reuse the networking IPFS is built on.[7] The library supports bootstrapping, NAT traversal, relays, peer discovery and pubsub. It can be used to build an independent p2p network by supplying one's own bootstrap nodes, and it also ships IPFS's bootstrap nodes, so a new p2p network can be layered on top of IPFS's existing one. That capability is appealing to threat actors.

The malware discovered in May 2019 by Anomali Threat Research uses libp2p to layer its own p2p network on top of IPFS's. It has been named IPStorm (InterPlanetary Storm), after its use of IPFS's p2p network and the project name chosen by the threat actor.
Technical breakdown

IPStorm is written in Go (Golang). The samples found in the wild target the Windows operating system. The analyzed binaries contain the path "/Users/brokleg/go/src/storm/", which suggests the malware was built on a macOS machine and that the author named the project "storm", possibly after the Storm worm of 2007, which also used a p2p network for C2 communication. The malware is large: the unpacked binary is around 15 MB. The code is split into multiple Go packages, listed below:


The malware has some simple antivirus (AV) evasion techniques: sleeps, memory allocations and generation of random numbers. The "allocateMemory" function is very simple; its core body is shown in Figure 1. It allocates 100 byte slices of 3 MB each.

Figure 1: The memoryAllocation function. It creates 100 (0x64) byte arrays with space for 3 MB (0x2dc6c0) each.

Instead of using a mutex or a window name to ensure single execution, IPStorm uses the third-party package "single" (github.com/marcsauter/single), which uses lock files to ensure only one instance is running. The "single" name used by the malware is "n3R1PYfY", and the lock file is placed in the %TMP% folder (%TMP%\n3R1PYfY.lock). Once the malware is sure only one instance is running, it enumerates the infected machine, using the third-party package goInfo (github.com/matishsiao/goInfo) and PowerShell commands to collect most of the information. The collected information, which is published to the p2p network, is shown in the struct below:

// Package "node" in the malware's source tree; type recovered from the binary's symbols.
type NodeInfo struct {
	HostID          string
	Version         string
	Platform        string
	SystemInfo      goInfo.GoInfoObject // from github.com/matishsiao/goInfo
	Uid             string
	Gid             string
	UserName        string
	UserDisplayName string
	UserHomeDir     string
	IsAdmin         bool
	ExecutablePath  string
	ComputerID      string
}
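The lock-file check above is what gives defenders a stable host artifact. The Go program below is an added illustration, not code from the IPStorm binary or from the "single" package: it implements the pattern as a create-exclusive file under the temp directory that a second instance cannot create, and pairs it with the defender-side check for the observed name. It assumes "lock held" means "file exists"; marcsauter/single's real implementation may instead hold an OS-level file lock on the open handle, so treat the file as a host IOC rather than as a reliable vaccine.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// InstanceLock is a lock-file guard in the spirit of the "single" package:
// a create-exclusive file holding our PID, removed on release. This is a
// simplified re-implementation (assumption), not marcsauter/single's own code.
type InstanceLock struct {
	path string
	f    *os.File
}

// LockPath mirrors the layout the malware uses: <tmp>/<name>.lock.
func LockPath(tmpDir, name string) string {
	return filepath.Join(tmpDir, name+".lock")
}

// Acquire returns an error if another instance already holds the lock file.
func Acquire(tmpDir, name string) (*InstanceLock, error) {
	path := LockPath(tmpDir, name)
	f, err := os.OpenFile(path, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o600)
	if err != nil {
		if os.IsExist(err) {
			return nil, fmt.Errorf("another instance holds %s", path)
		}
		return nil, err
	}
	fmt.Fprintf(f, "%d\n", os.Getpid())
	return &InstanceLock{path: path, f: f}, nil
}

// Release closes and removes the lock file so a later instance can start.
func (l *InstanceLock) Release() error {
	if err := l.f.Close(); err != nil {
		return err
	}
	return os.Remove(l.path)
}

// LockFilePresent is the defender-side check: the lock file is a host IOC.
func LockFilePresent(tmpDir, name string) bool {
	_, err := os.Stat(LockPath(tmpDir, name))
	return err == nil
}

func main() {
	const name = "n3R1PYfY" // lock name observed in the IPStorm samples
	dir, err := os.MkdirTemp("", "storm-demo") // sandbox dir, not the real %TMP%
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	first, err := Acquire(dir, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("first instance running; IOC present:", LockFilePresent(dir, name))
	_, err = Acquire(dir, name)
	fmt.Println("second instance blocked:", err != nil)
	fmt.Println("released:", first.Release() == nil, "; IOC present:", LockFilePresent(dir, name))
}
```

The demo creates the lock in a throwaway directory rather than the real %TMP%. For hunting, point LockFilePresent at each user's temp directory (os.TempDir() on the host) and correlate a hit with the firewall rule and the PowerShell activity described below.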

To make sure it can reach the p2p network, the malware adds a rule to the Windows firewall. Networking is handled by libp2p; messages are serialized with protobuf. The malware uses the library's PubSub functionality with two topics, "info" and "cmd". To find other peers it uses libp2p's support for distributed hash tables (DHT): a new bot advertises its presence under a hardcoded string and looks up that same string to find other peers.

The malware supports downloading and uploading files, with the content sent over the PubSub network. Each bot serves its own executable, and the threat actor uses this mechanism to distribute newer versions of the bot. It also has a reverse shell (called "backshell" by the author) through which the threat actor can execute arbitrary PowerShell code on the infected machine. The malware installs itself under the following location:

The rest of the analysis, including the install location, is in the source post linked below.
First Aid: IOCs


MITRE ATT&CK

More info: https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network

Date added June 12, 2019, 7:03 p.m.
Source Anomali
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • General Malware - New Reports in
  • NEW Hack and Attack Methods