Cybercriminals set up and use botnets to hold out DDoS attacks, steal data and ship spam however now researchers from Bitdefender have discovered signs that the Interplanetary Storm botnet may very well be potentially be used for something else entirely.
Interplanetary Storm (IPStorm) was first discovered by researchers from the cybersecurity agency Anomali in June of last year. Nevertheless, Bitdefender came across a new marketing campaign utilizing the botnet when it attacked the company’s SSH honeypots in May of this year.
The malware has continued to evolve since then as its creators have integrated new features in an try to attempt to hid its actions with innocuous visitors. IPStorm’s capabilities embrace being able to backdoor a tool working shell instructions and generating malicious visitors by scanning the web and infecting other devices.
Bitdefender offered further insight on IPStorm in its new white paper titled “Looking Into the Eye of the Interplanetary Storm”, saying:
“Compared to other Golang malware we have analyzed in the past, IPStorm is remarkable in its advanced design because of the interaction of its modules and the way it makes use of libp2p’s constructs. It’s clear that the menace actor behind the botnet is proficient in Golang; one consequence of the malware writer’s good coding practices, specifically their thoroughness in error dealing with, is that it makes the reverse engineering course of easier, as many code sequences are accompanied by related logging strings.”
Subscription-based proxy network
In its new iteration, IPStorm propagates by attacking Unix-based systems including Linux, Android and Darwin which run internet-facing SSH servers with weak credentials or unsecured ADB servers.
Bitdefender believes that the botnet has the potential to be used as an anonymization proxy-network-as-a-service that could be rented out to other cybercriminals utilizing a subscription-based model.
Whereas the botnet has beforehand been scrutinized by the firm’s researchers, fixed monitoring of the event lifecycle of IPStorm has revealed that the cybercriminals behind it are proficient in utilizing Golang and growth greatest practices in addition to concealing the botnet’s administration nodes.
At the identical time, IPStorm has a fancy and modular infrastructure designed to hunt and compromize new targets, push and synchronize new variations of the malware, run arbitrary commands on infected machines and communicate with a C2 server that exposes a web API.
The IPStorm botnet is definitely one to watch especially if Bitdefender’s prediction that it could be rented out as a proxy network comes true.