While botnets have been used for anything from performing Distributed Denial-of-Service (DDoS) attacks to stealing data and even sending spam, Bitdefender researchers have found signs that the Interplanetary Storm botnet could be used for something else entirely.
This particular Golang-written botnet could be used as an anonymization proxy-network-as-a-service and potentially rented using a subscription-based model.
While the botnet has come under previous scrutiny from Bitdefender researchers, constant monitoring of the development lifecycle of Interplanetary Storm has revealed that threat actors are both proficient in using Golang and development best practices, and well-versed at concealment of management nodes.
Interplanetary Storm also has a complex and modular infrastructure designed to seek and compromise new targets, push and synchronize new versions of the malware, run arbitrary commands on the infected machine and communicate with a C2 server that exposes a web API.
This research paper offers a glimpse into the inner workings of the Interplanetary Storm botnet, provides an exhaustive technical analysis of the Golang-written binaries along with an overview of the protocol internals and finally, some attribution information.
In its new iteration, IPStorm propagates by attacking Unix-based systems (Linux, Android and Darwin) that run Internet-facing SSH servers with weak credentials or unsecured ADB servers. We have also seen Darwin only in a few entries that seem to represent the same machine, the one used to develop IPStorm.
A complete technical analysis and the Indicators of Compromise associated with this attack are available in the whitepaper below.
tags
Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past few years.
View all postsJune 08, 2023
May 02, 2023
January 11, 2023
January 05, 2023