Much like viruses can jump across species, say from birds to humans, malware can jump from initial platforms to new ones to spread infection. This is what has recently happened with InterPlanetary Storm (IPStorm), which was originally seen in the wild on Windows last year, and which now has been observed on Android, Mac, and Linux. Just what is IPStorm and why is it dangerous? This blog post dives into what happened recently and what companies can do to protect against new and evolving botnets and bot attacks.
What Is IPStorm and Why Should You Care?
IPStorm is a botnet that was originally detected last year by cybersecurity firm Anomali, which observed it targeting Windows systems. According to an article by ZDNet, the malware uses the peer-to-peer (P2P) InterPlanetary File System to communicate with infected systems. Unfortunately, this P2P approach gives it more resilience against takedown than centralized, command-and-control botnets. IPStorm was written in Go programming language (“Golang”), which operates in memory and leaves no trace on disk. These two characteristics make it both distinct from other malware and more difficult to deal with. IPStorm allows attackers to execute any number of PowerShell commands on the infected device.
While P2P botnets are still relatively rare, they are increasing in number and scale. For example, Dark Reading recently reported on FritzFrog, which researchers at Guardicore Labs have seen targeting SSH servers since the beginning of this year. In April, Threatpost wrote about DDG, which is considered to be the first P2P cryptomining botnet.
Now, cybersecurity firms Bitdefender and Barracuda have observed IPStorm spreading to other platforms via different methods.
On its BitDefender Labs site, the company notes that “Bitdefender researchers found a new campaign in which threat actors seem to be using the same bruteforcing technique observed with IRCflu to compromise SSH servers and drop the InterPlanetary Storm bot….Unlike the previously known samples, these new variants seem to target multiple Android and Linux architectures, such as Darwin…” Right now the IPStorm botnet looks like it’s taken over 13,500 machines in 84 countries, according to .

