#1263327: The InterPlanetary Storm: New Malware in Wild Using InterPlanetary File System’s (IPFS) p2p network

Description: In May 2019, a new malware was found in the wild that uses a peer-to-peer (p2p) network on top of InterPlanetary File System’s (IPFS) p2p network. The malware found in the wild targets Windows machines and allows the threat actor to execute any arbitrary PowerShell code on the infected machines. The use of a legitimate p2p network can make it difficult to discover the malicious traffic as it potentially is blended in with legitimate traffic to the legitimate p2p network. It can also make it harder to sinkhole the botnet since there is a risk the legitimate p2p network is also taken down with it.
Introduction

When a threat actor wants to commandeer a machine, a Command and Control (C2) communication channel needs to be established. With this communication channel, the threat actor can send commands to the infected machines and the response can be sent back from the infected machines to the actor. In general, there are two types of schemes that can be used. The first type is a p2p model, and the second type is a server-client model.
Server-Client Model

In a server-client model, the infected machines connect to a set of C2 servers that provides the infected machines with instructions and handles the responses sent back. A threat actor may use these C2 servers directly to control the infected machines by having the administrator panel hosted on these servers. Another option is that the threat actor uses a second layer of C2 servers. These servers never talk directly to the infected machines. Instead, the commands are sent from the second layer to the first, which relays the commands and the responses between infected machines and the second row of C2 servers, acting more like a proxy. This has the potential of protecting the second layer from being detected and possibly taken over by the authorities. Using two layers of C2 servers may also increase stealth. The threat actor can, for example, use a non-malicious website to proxy or relay the communication.

In recent years, threat actors have started using legitimate web services for C2 communications. For example, Twitter, Github, and Instagram are legitimate services that have been misused by threat actors.[1] The use of legitimate services have multiple advantages to the threat actor. By default, all of these services are using encrypted communication via TLS. This means the threat actors do not need to configure and maintain certificates because it is all done for them. Another benefit is that these services are common on home and corporate networks. The malware talks to the same servers as normal web browsers visiting the websites, essentially allowing the malicious traffic to blend in with the legitimate communications. While this method allows malware traffic to hide better, it is easier for authorities to take down. One way of making takedowns harder is to use a p2p model instead of a server-client model.
P2P Model

In a p2p model, the infected machines are not necessarily communicating directly with servers controlled by the threat actor. Instead, the machines are connected directly to each other via a p2p network, commonly called a p2p botnet. All the threat actor has to do is send a single command to one infected machine and that command will automatically propagate to all other infected machines. A p2p model is generally more difficult for a threat actor to implement because there are different problems that need to be solved than when using the server-client model. The first problem is bootstrapping. How does the newly infected machine find other infected machines to connect to? One method is to include a list of known peers in the malware that it can connect to. On the defender side, a known bootstrapping list can be used for both detection and prevention; blocking access to the machines on the list at the perimeter. The other problem the threat actor needs to solve is Network Address Translation (NAT) traversal for machines not directly connected to the internet.[2] A p2p network works by having the peers connected to each other. If a machine is not directly connected to the internet but instead is connected via a NAT router, it cannot be reached by a machine on the internet. This is because the NAT router will only let through communication that is initiated from behind the NAT. This means if the p2p network has all nodes behind NAT, none of the nodes would be able to connect to each other.

When comparing to the server-client model, p2p botnets do not have the opportunity to hide their traffic amongst legitimate traffic. Up until recently, p2p communication on a corporate network could be taken as suspicious activity. In present day, more and more legitimate services are utilizing p2p technology that is slowly creeping into the enterprise space. For example, Microsoft Windows 10 has a feature called “Delivery Optimization” that delivers updates to machines via a p2p network established by machines connected to the same Active Directory domain.[3] Similar to misusing web services to hide malicious traffic, threat actors misuse legitimate p2p network to hide their traffic. In addition to blending with the normal traffic, the botnet is intertwined with the legitimate nodes in such a way making it impossible to take down the malicious botnet without taking down the legitimate p2p network. In May 2019, a new botnet was discovered that utilizes the IPFS p2p network.

IPFS is a project that aims to improve today’s internet by making it more decentralized.[4] The project is designed to be a distributed p2p filesystem, and the filesystem can be used to host any kind of files, including static web pages that can be viewed with a web browser. The files hosted on IPFS can be accessed by using a client or via public gateways. For example, Cloudflare runs a public IPFS gateway.[5] The network code for IPFS is released as an open source project called “libp2p”, which is a modular network stack that allows anyone to take advantage of the network code used by IPFS (7). The library’s support includes bootstrapping, NAT-traversal, relays, peer discovery, pubsub functionality. It can be used to construct an independent p2p network by providing bootstrapping nodes.The library also includes IPFS’s bootstrapping nodes that can be used to layer the new p2p network on top of IPFS’s p2p network. A functionality that can be appealing to threat actors.

The malware discovered in May 2019 by Anomali Threat Research, does use libp2p to layer its p2p network on top of IPFS’s. The malware has been named IPStorm (InterPlanetary Storm) from its use of IPFS’s p2p network and the project name used by the threat actor.
Technical breakdown

IPStorm is a malware written in Go (Golang). The samples found in the wild have been targeting the Windows operating system. The analyzed binaries include the path “/Users/brokleg/go/src/storm/” which suggests it has been developed on a macOS machine and the malware author has named the project “storm”, possibly after 2007’s worm named Storm that used a p2p network for C2 communication. The malware is a large, with the unpacked binary being around 15 MB in size. The code is split up into multiple Go packages. The packages are listed below:

storm/avbypass
storm/backshell
storm/ddb
storm/filetransfer
storm/logging
storm/node
storm/powershell
storm/util
storm/ddbinterface
storm/nodeinterface

The malware has some simple antivirus (AV) evasion techniques. It uses sleeps, memory allocations and generation of random numbers. The “allocateMemory” function is very simple. The core function body is shown in Figure 1. It allocates 100 byte arrays with a size of 3 MB each.

memoryAllocation function
Figure 1: Showing memoryAllocation function. The function creates 100 (0x64) byte arrays with space for 3 MB (0x2dc6c0).

Instead of using Mutexes or window names to ensure singe execution, IPStorm uses the third-party package “single” (github.com/marcsauter/single). Single uses lock files to ensure only one instance is running. The “single” name used by the malware is “n3R1PYfY”, the lock file is placed in the %TMP% folder (%TMP%\n3R1PYfY.lock). When the malware is sure only one instance is running, it performs an enumeration of the infected machine. It uses the third-party package goInfo (github.com/matishsiao/goInfo) and PowerShell commands to collect most of the information. The collected user information is published to the p2p network is shown in the struct below:

type node.NodeInfo struct {
HostID string
Version string
Platform string
SystemInfo goInfo.GoInfoObject
Uid string
Gid string
UserName string
UserDisplayName string
UserHomeDir string
IsAdmin bool
ExecutablePath string
ComputerID string
}

To ensure the malware can connect to the p2p network, it adds a rule to the firewall. For the networking part, the malware uses “libp2p”. The underlying protocol used by the library is “protobuf”. The malware uses the PubSub functionality provided by the project. It uses two topics: “info” and “cmd”. To find other peers, it uses libp2p’s support for distributed hash tables (DHT). The new bot uses a hardcoded string to advertise its presence and to find other peers.

The malware has support for downloading and uploading files. It is performed by sending the content over the PubSub network. Each bot in the network serve its executable file and the threat actor uses this method to distribute newer versions of the bot. It also has a “reverse shell” (called “backshell” by the author) functionality. With this functionality, the threat actor can execute any arbitrary PowerShell code on the infected machine. The malware installs itself under the following location:

Read the rest in this link
First Aid: IOCs

2545175418021b0bcdce1fa055dc292500fa9895857c6df86461f9d74a342d15
41ec6577b3a362cf9e5b136ca3971204147bc6c171b65bab3546f631a5c2efe0
49c3fa3a2b7b5894559a28456ad611fa4692f72c1ec86eee925df81735278d53
5918446d82bd8d6c40c6cdf5ab70a012f27939e9154e26f79a7c9870811cad8c
5d980fa37aef47022941f6afffe718ed0eed4de746edd7f494a407f84e75fd50
7f731d2502dd39cbc16193ca7e9d147fe158c10236e00c634bb0680e2bfc4bfa
8531921258132a4eb9b4b4545e85c72c2815d53c22f72f92822c199a15562a7c
8b24e640338654fbda233f50766136a9cf33f1a5444fd98162edbc2bdaf324c2
c0cfc62c5c349523884d502088234026c3eb67c802d7d02018e7aa9337930e0b
c19b34621a7a57d831113e0b854bbc1fa7217d578ca9bd477d805f56a73a0100
cc124869cbc871ec99d3470f2287df816a5f75a05eaf79df65a8ecf9a8283eb9
f987928992a9c43c65429d2abe93b4683a027b520d79246248fca49c31f234d7
fe8dc4955f2e04bbf800e913d29848c2b99999554a802226e72ce68b6d8c71f7
01658e8cc706056aca50304b29bfcab92a60cd38771f2b3069ba94f525661122
039ae75eff58a5b1125c6d3248dfce338573a9040709b3a9e8cf910a1b4ada75
2accb615e375b99bb92c67655ad9558c44782148d8264ef94e5a0a7d4dc1c5da
2e751a9874267b100b10196ebbef58cfcf46644651b099c8a9cd1dd7cee64e8f
3276bcd9b95a28234c1ea5205d8c2358f5040e694331a16cef09d273b6238178
365480a61e39b67234692ba8b75b95749434aba28c952ac32f70ed777d25810a
36d652460b71f6e9aca16ba331197fc384f323f70ea879ec8ea40a7a5f554a7e
4549a271e2c4b157c8abe099d2e84c8f3d7c18782956267429e0be6e17eaed41
500f004eb51f282c14939ba52a5d85ac71f85e1f0ede00803a6ae3a2f01c272d
66d3799fc8132376d87f326f0131c41afecef560b0368bc54cc27b816025d9e6
948042a3071a4a6e1063f2e09717fd70f23e2c37cbdf024ccded76477b94778e
a2d36f477e2a87acab32a1988f77b00ce9f24d61a4a21e63a8c67747ff2633fd
af32455f41865094da020cad2675775bddd907020ed12d4ed68de5051ed62643
de0b86fe66be7ef3f30f28d514c8bbced2973e78d9473671f16f4365e05e5a99
e093152a3e44279259839e1c35eeaeb5ea0803611747b8b38acaffd65a83f83a
f5ac2e7a6cfe6ce576a9c0df3721f90c5be93b5e4694716470ec7ea3c7492f59

Mitre ATT&CK

T1059
T1132
T1041
T1112
T1086
T1012
T1060
T1045
More info: https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network

Date added June 12, 2019, 7:03 p.m.
Source Anomali
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • General Malware - New Reports in
  • . NEW Hack and Attack Methods