Unit 42 observed a rapid shift toward using IPFS as a vehicle for malicious activity in 2022, spanning phishing, credential theft, C2 communications, and payload delivery. The decentralized, bullet-proof hosting nature of IPFS makes takedowns difficult, enabling campaigns to persist across nodes and gateways.
#IPFS #OriginLogger
#IPFS #OriginLogger
Keypoints
- There was a significant surge in IPFS-related traffic starting in early 2022, with a 178% jump from Q4 2021 to Q1 2022 and a VirusTotal increase exceeding 6,500% in the same period.
- Threat actors discussed adopting IPFS on dark web forums and advertised IPFS-hosted services for their campaigns.
- IPFS was observed supporting phishing, credential theft, C2 communications, and malicious payload distribution in multiple campaigns.
- Phishing content hosted on IPFS is hard to remove due to its distributed nature, enabling longer-lived campaigns and resilient takedown resistance.
- Campaigns included DHL-themed phishing emails with IPFS links, unescaped scripts, and HTTP POST credential exfiltration using headless forms and external endpoints like fairpartner.ru.
- Malware families and tools such as OriginLogger, XLoader, XMRig, Metasploit, IPStorm, and Dark Utilities leveraged IPFS for delivery, C2, or staging infrastructure.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Attachment – ‘In the example below, an email lure mimicking the DHL brand contains an attachment. Within that attachment, there is an IPFS link to the actual phishing page.’
- [T1059.007] JavaScript – ‘phishing pages are hosted as HTML pages … The function named WriteHTMLtoJS … unescape the contents.’
- [T1140] Deobfuscate/Decode Files or Information – ‘The unescape JS function is responsible for decoding hexadecimal sequences with their actual ASCII character values.’
- [T1105] Ingress Tool Transfer – ‘The URL is used for downloading the OriginLogger payload via IPFS gateway.’
- [T1041] Exfiltration Over C2 Channel – ‘After a victim enters credentials, it will be sent via an HTTP POST request to … fairpartner.ru.’
- [T1071.001] Web Protocols – ‘IPStorm uses IPFS as a C2 channel for P2P communications.’
- [T1056.001] Keystroke Logging – ‘OriginLogger targets keystrokes and clipboard data, which is communicated back to an actor-controlled server through a C2 channel.’
Indicators of Compromise
- [Hash] Phishing – 460a3720734df53891c36340dc037122d73103517fe57b7c36480dfae3c0f4d7
- [Hash] Phishing – 2a060e0db155844605077e78270b45b8627c2aedef503b26fc6ecaf2f6742023
- [Hash] OriginLogger – edfc3c3090eba1aba9c9960d68a1464bcf668773a1eec38ec8c54c357dca0c61
- [Hash] OriginLogger – 3b9ef32ea71c375cd63e599a54ca3f5b58ac8b6e589c3036a3a0d4886c730ddd
- [Hash] OriginLogger – cfa0a616bb5e61e215e915a3d7942094db58b8c3f8a613d9410a807df4837d5a
- [Hash] OriginLogger – 3072a7ec1f71a9adc7a714092172e4b763a9f7128ead2ae67e72663863b1143b
- [Hash] XLoader – a12635fd762876c38da85b88adf42141beb117cc12464c3e0d122c9395bd2a4b
- [Hash] XLoader – 1a41a5bf751fd2deb7cf46b231e45843adc5f036149979de847c053177be2eb8
- [Hash] XMRig – a372e07a691f8759e482615fd7624bfca2a2bc2cd8652a47ff9951ff035759a5
- [Hash] XMRig – d1ea28dee35382c510a49e4304ed7cead25bcee5cc869c73c9c53f333139e060
- [Hash] Metasploit – 894b5e81fe56418b8df30639fd8b8c484c934aba8a121397b592039e07f766ee
- [Hash] IPStorm – b8ee3897aff6c6660557a4c73b243870020705df6c87287040bfcd68b7c8b100
- [Hash] IPStorm – 765a4d57b2db92c2fd904b11a3e2dd26cdaa38843cc1760ae84e3334822bf4c4
- [Hash] IPStorm – cdddd240d432b084b2c5cbe6b4a89b39a33d97840630210772b7758ec87dcacd
- [Hash] Dark Utilities – 65a1b3fb9430c7342d13f79b460b2cc7d9f9ddced2aeecd37f2862a67083e68c
- [Hash] Dark Utilities – c9deeda7cd7adb4ff584d13ea64cdb50c9e8b5c616f1dff476f372e86c9b9be6
- [Hash] Dark Utilities – 554f955a405be9393eb2e9af182029029d562d79d23a6a8663704b1c00abfb56
- [Hash] Dark Utilities – 583d96d55608ab7079b7867c34c195766699a711ef3aa9df826ac3c5bc5c3232
- [Hash] Dark Utilities – e1512098be4bd1a8b67839b077a58451941a87407257beb05752155ef5e04d40
Acknowledgments
Read more: https://unit42.paloaltonetworks.com/ipfs-used-maliciously/