Cybercriminals set up and use botnets to carry out DDoS attacks, steal data and send spam but now researchers from Bitdefender have found signs that the Interplanetary Storm botnet could be potentially be used for something else entirely.
Interplanetary Storm (IPStorm) was first discovered by researchers from the cybersecurity firm Anomali in June of last year. However, Bitdefender came upon a new campaign using the botnet when it attacked the company’s SSH honeypots in May of this year.
The malware has continued to evolve since then as its creators have integrated new features in an attempt to try to hid its activities with innocuous traffic. IPStorm’s capabilities include being able to backdoor a device running shell commands and generating malicious traffic by scanning the internet and infecting other devices.
Bitdefender provided further insight on IPStorm in its new white paper titled “Looking Into the Eye of the Interplanetary Storm”, saying:
“Compared to other Golang malware we have analyzed in the past, IPStorm is remarkable in its complex design due to the interplay of its modules and the way it makes use of libp2p’s constructs. It is clear that the threat actor behind the botnet is proficient in Golang; one consequence of the malware author’s good coding practices, namely their thoroughness in error handling, is that it makes the reverse engineering process easier, as many code sequences are accompanied by relevant logging strings.”
Subscription-based proxy network
In its new iteration, IPStorm propagates by attacking Unix-based systems including Linux, Android and Darwin which run internet-facing SSH servers with weak credentials or unsecured ADB servers.
Bitdefender believes that the botnet has the potential to be used as an anonymization proxy-network-as-a-service that could be rented out to other cybercriminals using a subscription-based model.
While the botnet has previously been scrutinized by the firm’s researchers, constant monitoring of the development lifecycle of IPStorm has revealed that the cybercriminals behind it are proficient in using Golang and development best practices as well as concealing the botnet’s management nodes.
At the same time, IPStorm has a complex and modular infrastructure designed to seek and compromize new targets, push and synchronize new versions of the malware, run arbitrary commands on infected machines and communicate with a C2 server that exposes a web API.
The IPStorm botnet is certainly one to watch especially if Bitdefender’s prediction that it could be rented out as a proxy network comes true.