The FBI dismantled the IPStorm botnet's infrastructure, with a guilty plea from its operator, while Intezer's earlier analysis documented cross-platform IPStorm variants expanding from Windows to Linux, macOS, and Android. The research highlights IPStorm's use of IPFS for C2, Linux-specific propagation via SSH brute-force, Android spread over ADB, fraud-based monetization, and per-OS persistence methods. #IPStorm #IPFS
Keypoints
- IPStorm is a cross‑platform Golang malware family targeting Windows, Linux, macOS, and Android.
- Linux variant adds SSH brute-force propagation and fraudulent network activity against Steam and advertising platforms.
- IPStorm uses a legitimate peer‑to‑peer network (IPFS) to obscure malicious traffic and enable C2.
- Linux variant introduces new packages (e.g., storm_starter, storm_malware_guard) and a reverse shell capability.
- Linux persistence relies on a systemd service; Windows persistence uses Run registry keys.
- Android propagation occurs via ADB, delivering an Android IPStorm payload downloaded from the P2P network.
- Anti‑analysis techniques include honeypot avoidance and antivirus evasion across variants.
MITRE Techniques
- [T1021.004] Remote Services – SSH – The Linux variant uses SSH brute‑force as a means to spread to additional victims (the credential guessing itself also maps to T1110.001 Brute Force: Password Guessing). Quote: “…using SSH brute-force as a means to spread to additional victims…”
- [T1090] Proxy – IPFS C2 – IPStorm abuses a legitimate Peer‑to‑Peer network (IPFS) as a means to obscure malicious traffic. Quote: “IPStorm is a botnet that abuses a legitimate Peer‑to‑peer (p2p) network called InterPlanetary File System (IPFS) as a means to obscure malicious traffic.”
- [T1016.001] System Network Configuration Discovery: Internet Connection Discovery – The malware contacts external services to determine the victim’s external IP. Quote: “the malware sends HTTP requests to different services … to receive the external IP address of the victim server.”
- [T1497] Virtualization/Sandbox Evasion – Honeypot detection by hostname to avoid the Cowrie SSH honeypot. Cowrie's hostname is a configurable setting in its cowrie.cfg, so operators running it should change it from the default to avoid being skipped by this check. Quote: “hostname of the attacked server to the string ‘svr04’, which is the default hostname of Cowrie SSH honeypot.”
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Linux reverse shell – The Linux variant includes reverse shell as part of its main features. Quote: “including reverse shell, which was previously seen in the Windows variant…”
- [T1543.002] Create or Modify System Process: Systemd Service – Linux persistence via a systemd service. Quote: “The Linux version … will create a systemd service to achieve persistence and copy itself to /usr/bin/storm.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Windows persistence via HKCU Run registry key. Quote: “copying itself to a random location and adding the program to the: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key.”
- [T1562.001] Impair Defenses: Disable Security Tools – Linux uses storm_malware_guard to terminate suspicious processes for AV evasion. Quote: “The file iterates through all current running processes in order to find and terminate ones that might detect the malware’s activity.”
- [T1105] Ingress Tool Transfer – Android payload delivery to devices via ADB, downloaded from the P2P network. Quote: “checks for devices connected with ADB … it will upload an Android version of IPStorm to the device, which was previously downloaded from the P2P network.”
Indicators of Compromise
- [File hash] Linux – 3aff4695c73709e2e0e55665c4850aa45064723a2c83e75325b27e77ec5f6d97, 658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117
- [File hash] macOS – 522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434
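A host-side hunt for the Linux artifacts this page gives us (the published SHA-256 hashes, the /usr/bin/storm drop path, and a systemd unit whose ExecStart runs that binary), added here as an example; it is not Intezer's code or the FBI's takedown tooling. The unit file name storm.service, the directories it hashes, and the demo tree it builds are assumptions or constructed data: the page names no unit file, and the placeholder "binary" is not a real sample (its hash is deliberately not on the IoC list, so detection of the demo tree comes from the path and unit checks).

```python
"""Hunt for Linux IPStorm artifacts on a mounted filesystem root.

Added example, not Intezer's or the FBI's tooling. Checks three things
the page reports for the Linux variant: published SHA-256 IoCs, the
/usr/bin/storm drop path, and a systemd unit that executes it.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 IoCs published by Intezer (Linux and macOS samples, from the page).
IPSTORM_SHA256 = {
    "3aff4695c73709e2e0e55665c4850aa45064723a2c83e75325b27e77ec5f6d97",
    "658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117",
    "522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434",
}

# Drop path reported for the Linux variant, relative to the scanned root.
DROP_PATH = Path("usr/bin/storm")
# Where systemd loads unit files from (relative to root).
UNIT_DIRS = [Path("etc/systemd/system"), Path("usr/lib/systemd/system"), Path("lib/systemd/system")]
# ExecStart may carry prefix characters (-, @, :, +, !) before the binary path.
EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@:+!]*(\S+)", re.MULTILINE)
# Assumed cap; the samples are small Go binaries, so skip very large files.
MAX_HASH_BYTES = 64 * 1024 * 1024


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hash_matches(root: Path, hashes, scan_dirs=("usr/bin", "usr/local/bin", "tmp", "root")):
    """Hash regular files under the assumed scan directories and return
    root-relative paths whose digest is on the IoC list."""
    hits = []
    for rel in scan_dirs:
        base = root / rel
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            # Skip symlinks first so we never follow one out of the root.
            if p.is_symlink() or not p.is_file():
                continue
            if p.stat().st_size <= MAX_HASH_BYTES and sha256_file(p) in hashes:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def find_suspicious_units(root: Path):
    """Return (unit_path, exec_target) for units whose ExecStart is /usr/bin/storm.
    A renamed copy would not trip this check; that is what the hash check is for."""
    hits = []
    for d in UNIT_DIRS:
        base = root / d
        if not base.is_dir():
            continue
        for unit in sorted(base.glob("*.service")):
            try:
                text = unit.read_text(errors="replace")
            except OSError:
                continue
            for m in EXECSTART_RE.finditer(text):
                if m.group(1) == "/usr/bin/storm":
                    hits.append((str(unit.relative_to(root)), m.group(1)))
    return hits


def scan_root(root, hashes=IPSTORM_SHA256):
    """Run all three checks against a filesystem root (e.g. "/" or a mounted image)."""
    root = Path(root)
    findings = {
        "drop_path_present": (root / DROP_PATH).exists(),
        "hash_matches": find_hash_matches(root, hashes),
        "suspicious_units": find_suspicious_units(root),
    }
    findings["infected"] = bool(
        findings["drop_path_present"] or findings["hash_matches"] or findings["suspicious_units"]
    )
    return findings


def build_demo_root(infected: bool = True) -> Path:
    """Construct a throwaway tree mimicking the artifacts the page describes.
    The placeholder file is NOT malware and its hash is not an IoC."""
    root = Path(tempfile.mkdtemp(prefix="ipstorm-hunt-"))
    (root / "usr/bin").mkdir(parents=True)
    (root / "etc/systemd/system").mkdir(parents=True)
    if infected:
        (root / DROP_PATH).write_bytes(b"\x7fELF constructed placeholder, not a real sample\n")
        # Assumed unit name; the page does not give one.
        (root / "etc/systemd/system/storm.service").write_text(
            "[Unit]\nDescription=storm\n\n[Service]\nExecStart=/usr/bin/storm\n"
            "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n"
        )
    return root


if __name__ == "__main__":
    for key, value in scan_root(build_demo_root()).items():
        print(f"{key}: {value}")
```

Run it as root against "/" on a live host, or against the mount point of a disk image; for a suspected Windows host the equivalent check is the HKCU Run key quoted above, which this Linux-only script does not cover.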
Read more: https://intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/