
IPStorm

Posted: June 12, 2019

IPStorm is a Trojan that recruits infected computers into a decentralized botnet. It can execute arbitrary PowerShell code for conducting various attacks, such as installing another Trojan, DDoSing a server or mining cryptocurrency. Users can block IPFS-based traffic as a workaround for disrupting its C&C communications until they remove IPStorm with an appropriate anti-malware tool.

Trojans Going Interplanetary

Decentralization is a useful structural philosophy for law-abiding citizens and criminals alike, and it should surprise few readers that peer-to-peer networks like torrents reappear in Trojan campaigns regularly. A rising botnet is taking full advantage of everything that the lack of a central server authority has to offer, by hijacking a normally-legitimate network service and turning its peers into C&C infrastructure. Although service-hijacking has taken place before, IPStorm is the first case that malware experts can confirm of IPFS being the target of this misuse.

IPFS, or the Interplanetary File System, is a torrent-like protocol and network whose newsworthy uses include providing access to resources like Wikipedia for residents of countries whose ISPs are blocking it, as well as the Filecoin cryptocurrency. IPStorm builds its Command & Control channel on libp2p, the peer-to-peer networking library underneath IPFS, so its peer discovery and traffic look like those of an ordinary IPFS node. Hiding behind this 'normal' peer-to-peer traffic could fool a variety of network analysis tools, AV products and ordinary PC users. IPStorm is in the wild and, although its botnet is a small one of under three thousand compromised Windows machines, malware experts rate its potential for future growth as explosive.
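Because 'IPFS-based traffic' is a protocol negotiation rather than a port or an IP range, the workaround of blocking it needs to be applied at the right layer. The Python detector below is an added example, not code from the article or from any vendor's tooling. It parses libp2p's multistream-select handshake, where every message is an unsigned LEB128 varint length followed by a protocol ID ending in a newline and the first message is always `/multistream/1.0.0`, and then applies a per-host policy. The hosts, payloads and allow-list are constructed for the example.

```python
"""Added example: spot libp2p multistream-select handshakes in raw TCP payloads.

IPStorm rides the IPFS/libp2p network, so 'IPFS-based traffic' is not a port
or an IP range but a protocol negotiation. Every libp2p stream starts with
multistream-select: a series of messages, each an unsigned LEB128 varint
length followed by a protocol ID terminated by '\\n', the first being
'/multistream/1.0.0'. Hosts, payloads and the allow-list below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

MULTISTREAM_HEADER = "/multistream/1.0.0"


def read_uvarint(buf: bytes, pos: int) -> tuple[Optional[int], int]:
    """Decode an unsigned LEB128 varint at buf[pos]; (None, pos) if truncated."""
    value, shift = 0, 0
    while pos < len(buf) and shift < 64:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:          # high bit clear: last byte of the varint
            return value, pos
        shift += 7
    return None, pos


def parse_multistream(payload: bytes) -> list[str]:
    """Return the protocol IDs negotiated in a multistream-select exchange.

    Returns [] when the payload is not a well-formed exchange that opens with
    the multistream header (HTTP, TLS and random data all fall out here).
    """
    protocols: list[str] = []
    pos = 0
    while pos < len(payload):
        length, start = read_uvarint(payload, pos)
        if length is None or start + length > len(payload):
            break                     # truncated length or body: stop parsing
        message = payload[start:start + length]
        if not message.endswith(b"\n"):
            break                     # every multistream message ends in '\n'
        protocols.append(message[:-1].decode("ascii", errors="replace"))
        pos = start + length
    if not protocols or protocols[0] != MULTISTREAM_HEADER:
        return []
    return protocols


@dataclass(frozen=True)
class Verdict:
    is_libp2p: bool
    protocols: tuple[str, ...]
    action: str


def classify(src_host: str, payload: bytes, ipfs_allowlist: frozenset[str]) -> Verdict:
    """Decide what to do with one flow's first client payload.

    The same handshake comes from legitimate IPFS nodes, so the policy input
    (which hosts are *supposed* to speak libp2p) carries the decision.
    """
    protocols = tuple(parse_multistream(payload))
    if not protocols:
        return Verdict(False, (), "allow")
    if src_host in ipfs_allowlist:
        return Verdict(True, protocols, "allow (approved IPFS node)")
    return Verdict(True, protocols, "block and investigate host")


# Constructed first-segment payloads from three internal hosts.
SAMPLE_FLOWS = {
    # libp2p client: multistream header, then proposes the secio security protocol
    "10.0.0.5": b"\x13/multistream/1.0.0\n\x0d/secio/1.0.0\n",
    # ordinary HTTP request
    "10.0.0.8": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n",
    # start of a TLS ClientHello record
    "10.0.0.9": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}
APPROVED_IPFS_NODES = frozenset({"10.0.0.50"})  # constructed allow-list


def triage(flows=SAMPLE_FLOWS, allowlist=APPROVED_IPFS_NODES) -> dict[str, Verdict]:
    """Run classify() over every flow and return host -> verdict."""
    return {host: classify(host, payload, allowlist) for host, payload in flows.items()}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host}: libp2p={verdict.is_libp2p} "
              f"protocols={list(verdict.protocols)} -> {verdict.action}")
```

A legitimate IPFS node produces exactly the same handshake, which is why the verdict is driven by whether the source host is expected to run IPFS at all. On a corporate network with no IPFS use, any multistream-select negotiation leaving a workstation is a workable block-and-alert trigger; where legitimate nodes exist, the network signal only narrows the list, and triage has to fall back on host indicators such as the vendor-lookalike file names described below.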

Other traits of IPStorm are in line with those of similarly professionally-designed, Black Hat 'business' software. It uses a compartmentalized, modular setup that makes swapping payloads and delivering selective updates easy for the criminals. It runs PowerShell commands for executing various attacks and may sleep or hibernate periodically. The Trojan also hides its components under file and folder names that mimic companies like Microsoft or Adobe.

Settling Down the Invading Storm

IPStorm poses a possible threat to more than just Windows users. Recent examinations of its samples imply that the developers, whose identities are unknown, are considering porting the Trojan to other operating systems like Linux and macOS. The infection vector of this Go-based Trojan is, like the names of its authors, still unidentified, so malware experts can only recommend general precautions, such as disabling RDP where it isn't needed and using passwords that can't be brute-forced.

Possible payloads arriving through IPStorm include the following, among other, less likely options:

  • Distributed-Denial-of-Service (DDoS) attacks for crashing external servers.
  • Dropping high-level threats such as AZORult spyware, backdoor Trojans or Ransomware-as-a-Service families.
  • Hijacking the CPU and GPU for mining cryptocurrency.

Although not all of these attacks target the infected PC's owner directly, most of them carry invasive and unwanted side effects, including the risk of damage to hardware or files. Keep anti-malware databases up to date so that IPStorm is removed accurately: at the time of writing, no more than one in two AV vendors detects it.

The Interplanetary Storm or IPStorm Trojan may be taking its brand and philosophical inspiration from Storm, another peer-to-peer threat from years ago. Old tricks, as long as they still work, get recycled over and over again until they stop working against protected users.
