The feared InterPlanetary Storm malware has a new variant.
According to the monthly “Threat Spotlight: New InterPlanetary Storm variant targeting IoT devices,” a report by Barracuda, the malware now infects 13,500 Mac, Android, Windows, and Linux machines in 84 countries.
On Oct 13, 2020, 27% of infected machines were located in Hong Kong, 17% in South Korea, 15% in Taiwan, 8% in Russia and Ukraine, 6% in Brazil, 5% in the U.S. and Canada, 3% in China, 3% in Sweden, and 1% or less in other countries.
Hong Kong having the highest number of infected machines is nothing new. Botnet (bots) events have always been a significant cyber threat in Hong Kong.
According to the Hong Kong Security Watch Report issued by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), there were 5,952 botnet (bots) events reported in Hong Kong in Q2 2020.
The new variant of InterPlanetary Storm malware is different. First, it is fast: it gains access to machines by running a dictionary attack against SSH servers, similar to FritzFrog, another peer-to-peer (p2p) malware. It can also gain entry through open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is common in routers and other IoT devices.
The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation. This allows infected nodes to communicate directly or through other nodes (i.e., relays).
This new variant, which Barracuda researchers first detected in late August, is targeting IoT devices, such as TVs that run on Android operating systems, and Linux-based machines, such as routers with a misconfigured SSH service.
HKCERT also warned in 2019 that webcams are among the most popular IoT devices used in Hong Kong, but that they may not be installed securely in households.
While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices for crypto mining, DDoS, or other large-scale attacks.
The new variant of InterPlanetary Storm is written in Go, uses the Go implementation of libp2p, and is packed with UPX. It spreads using SSH brute force and open ADB ports, and it serves malware files to other nodes in the network. The malware also enables a reverse shell and can run a bash shell.
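The SSH dictionary attack described above leaves a characteristic trace in sshd logs: a burst of failed password logins from one source address cycling through many usernames, in the worst case followed by a successful password login from that same address. The following detector is an added example written for this article; it is not Barracuda's code or part of the malware analysis. The log lines are constructed for illustration, and the thresholds (`min_failures`, `min_users`) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines in syslog format (not real events).
# 198.51.100.7 cycles through common default usernames, then gets in as root.
# 203.0.113.9 is a legitimate user who mistypes once, then logs in with a key.
SAMPLE_AUTH_LOG = """\
Oct 13 10:00:01 router sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Oct 13 10:00:02 router sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 41024 ssh2
Oct 13 10:00:02 router sshd[1203]: Failed password for invalid user pi from 198.51.100.7 port 41026 ssh2
Oct 13 10:00:03 router sshd[1204]: Failed password for invalid user ubnt from 198.51.100.7 port 41028 ssh2
Oct 13 10:00:03 router sshd[1205]: Failed password for root from 198.51.100.7 port 41030 ssh2
Oct 13 10:00:04 router sshd[1206]: Failed password for invalid user guest from 198.51.100.7 port 41032 ssh2
Oct 13 10:00:05 router sshd[1207]: Accepted password for root from 198.51.100.7 port 41034 ssh2
Oct 13 10:05:10 router sshd[1300]: Failed password for alice from 203.0.113.9 port 50110 ssh2
Oct 13 10:05:20 router sshd[1301]: Accepted publickey for alice from 203.0.113.9 port 50112 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn raw sshd lines into dicts with result, method, user and source IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_dictionary_attacks(events, min_failures=5, min_users=3):
    """Flag source IPs whose failed *password* logins reach min_failures across
    at least min_users distinct usernames. Events are processed in log order, so
    a password login that succeeds from a flagged source after its failures is
    reported as a likely compromised account."""
    failures = defaultdict(list)        # src -> usernames that failed
    later_successes = defaultdict(set)  # src -> accounts logged into after failures
    for e in events:
        if e["method"] != "password":    # key-based logins are not dictionary attacks
            continue
        if e["result"] == "Failed":
            failures[e["src"]].append(e["user"])
        elif e["src"] in failures:
            later_successes[e["src"]].add(e["user"])

    findings = {}
    for src, users in failures.items():
        distinct = set(users)
        if len(users) >= min_failures and len(distinct) >= min_users:
            findings[src] = {
                "failed_attempts": len(users),
                "usernames_tried": sorted(distinct),
                "compromised_accounts": sorted(later_successes.get(src, set())),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_dictionary_attacks(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {info['failed_attempts']} failures over "
              f"{len(info['usernames_tried'])} usernames; "
              f"compromised: {info['compromised_accounts'] or 'none'}")
```

Key-based logins are deliberately ignored, which is why the single mistyped password from 203.0.113.9 is not flagged: the signal is many distinct usernames, not one user's typo. A finding with a non-empty `compromised_accounts` list is the case that warrants incident response rather than just a firewall rule.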
It also has several unique features, such as:
Barracuda advises the following:
Image credit: iStockphoto/Elen11