IPStorm Botnet Now Targets Android, macOS, and Linux Devices

IPStorm Botnet Expands to Android, macOS, and Linux

The IPStorm botnet was first discovered by Anomali researchers in June 2019, initially targeting only Windows machines. At that time, the botnet consisted of about 3,000 infected systems, but even then, researchers noted several unique and interesting features specific to IPStorm. For example, the full name of the malware—InterPlanetary Storm—comes from the InterPlanetary File System (IPFS), a P2P protocol the malware used to communicate with infected systems and transmit commands.

Additionally, IPStorm was written in the Go programming language. While Go-based malware is more common today, in 2019 it was still relatively rare, making IPStorm an exotic and intriguing example of malicious software.

Interestingly, Anomali’s 2019 report did not explain how the malware spread. Some researchers at the time hoped that IPStorm was just an experiment with IPFS and would not develop further. Unfortunately, those hopes did not come true.

New Versions Target More Platforms

Recent reports from Bitdefender and Barracuda have revealed new versions of IPStorm capable of infecting devices running Android, macOS, and Linux. Experts have also uncovered the botnet’s methods of spreading, disproving the theory that it was merely an experiment. Even more concerning, the number of infected machines has now grown to 13,500 hosts.

According to the researchers, the botnet infects Android devices by scanning the internet for devices that expose the ADB (Android Debug Bridge) service over TCP (default port 5555); a device left in that state accepts shell commands from anyone who can reach the port, with no authentication. For Linux and macOS devices, the malware runs dictionary attacks against SSH, simply guessing usernames and passwords until it gets in.
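As an added example (not code from the Bitdefender or Barracuda reports, nor from the malware), the following Python script checks a host for both spread vectors described above. It speaks the ADB wire protocol so it can distinguish an ADB service that answers the CNXN handshake unauthenticated from one that demands RSA key authentication, and it groups sshd "Failed password" events by source address to surface password guessing. The ADB TCP port 5555, the OpenSSH log format, the sample log lines and the five-failure threshold are my assumptions.

```python
"""Exposure checks for the IPStorm spread vectors: ADB over TCP and SSH guessing.
Added example; names, thresholds and sample log lines are constructed, not from the reports.
"""
import re
import socket
import struct
from collections import defaultdict

# --- ADB over TCP -----------------------------------------------------------
# ADB wire-protocol header: six little-endian uint32 fields
# (command, arg0, arg1, data_length, data_checksum, magic), magic = ~command.
ADB_HEADER = struct.Struct("<6I")
ADB_CNXN = 0x4E584E43   # b"CNXN" read as little-endian uint32
ADB_AUTH = 0x48545541   # b"AUTH": device insists on RSA key authentication
ADB_VERSION = 0x01000000
ADB_MAXDATA = 4096
ADB_TCP_PORT = 5555     # assumed default port ("adb tcpip 5555")


def adb_message(command, arg0, arg1, payload=b""):
    """Build one ADB message: 24-byte header followed by the payload."""
    checksum = sum(payload) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    return ADB_HEADER.pack(command, arg0, arg1, len(payload), checksum, magic) + payload


def parse_adb_header(data):
    """Return (command, arg0, arg1, data_length), or None if this is not an ADB header."""
    if len(data) < ADB_HEADER.size:
        return None
    command, arg0, arg1, length, _checksum, magic = ADB_HEADER.unpack_from(data)
    if magic != (command ^ 0xFFFFFFFF):
        return None
    return command, arg0, arg1, length


def classify_adb_response(data):
    """'open' = unauthenticated shell access, 'auth' = key prompt, None = not ADB."""
    header = parse_adb_header(data)
    if header is None:
        return None
    if header[0] == ADB_CNXN:
        return "open"
    if header[0] == ADB_AUTH:
        return "auth"
    return None


def check_adb_exposure(host, port=ADB_TCP_PORT, timeout=3.0):
    """Connect, send a CNXN handshake and classify the reply (network access needed)."""
    hello = adb_message(ADB_CNXN, ADB_VERSION, ADB_MAXDATA, b"host::\x00")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(hello)
            return classify_adb_response(sock.recv(ADB_HEADER.size))
    except OSError:
        return None


# --- SSH password guessing --------------------------------------------------
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def ssh_guessing_sources(log_lines, min_attempts=5):
    """Group sshd 'Failed password' events by source address.

    Returns {src: (attempt_count, sorted distinct usernames)} for every source
    with at least min_attempts failures. One address cycling through many
    usernames is the dictionary-attack pattern; one user mistyping once is not.
    """
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        attempts[m["src"]] += 1
        users[m["src"]].add(m["user"])
    return {src: (n, sorted(users[src])) for src, n in attempts.items() if n >= min_attempts}


# Constructed sample sshd log lines (TEST-NET addresses, not real traffic).
SAMPLE_AUTH_LOG = [
    "Oct 12 10:14:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2",
    "Oct 12 10:14:02 srv sshd[2103]: Failed password for invalid user pi from 203.0.113.7 port 51014 ssh2",
    "Oct 12 10:14:02 srv sshd[2105]: Failed password for root from 203.0.113.7 port 51016 ssh2",
    "Oct 12 10:14:03 srv sshd[2107]: Failed password for invalid user ubuntu from 203.0.113.7 port 51018 ssh2",
    "Oct 12 10:14:03 srv sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51020 ssh2",
    "Oct 12 10:14:04 srv sshd[2111]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Oct 12 10:20:11 srv sshd[2150]: Failed password for alice from 198.51.100.4 port 40122 ssh2",
    "Oct 12 10:20:19 srv sshd[2152]: Accepted password for alice from 198.51.100.4 port 40122 ssh2",
]

if __name__ == "__main__":
    for src, (n, names) in ssh_guessing_sources(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {n} failed logins across users {names}")
    # Offline demonstration of the ADB classifier on a constructed device reply.
    reply = adb_message(ADB_CNXN, ADB_VERSION, ADB_MAXDATA, b"device::\x00")
    print("constructed ADB reply classified as:", classify_adb_response(reply))
```

Run `check_adb_exposure("<device-ip>")` against your own devices: an "open" result is exactly what the botnet's scanner is looking for, and the fix is `adb usb` (or disabling USB debugging) rather than a firewall rule alone. For the SSH side, feed the function your real auth log; a source that trips the threshold with several distinct usernames is a dictionary attack, and the durable fix is key-only authentication (`PasswordAuthentication no`).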

How IPStorm Operates

Once IPStorm infiltrates a device, the malware checks for the presence of honeypot software, establishes persistence in the system, and then terminates several processes that could threaten its operation.

Although the botnet has been active for over a year, researchers still do not know the ultimate goal of the IPStorm operators. The malware installs a reverse shell on all infected devices but then leaves the systems alone. In theory, this backdoor could be abused in many ways, but so far, the IPStorm operators have not used it. They could potentially install cryptocurrency miners, use the devices as proxies, launch DDoS attacks, or simply sell access to the compromised systems.
