Pierluigi Paganini
November 15, 2023
The IPStorm botnet was first uncovered in May 2019 while targeting Windows systems, not experts from Intezer reported that the bot evolved to infect other platforms, including Android, Linux, and Mac devices.
IPStorm botnet continues to infect systems across the world, its size passed from around 3,000 infected systems in May 2019 to more than 13,500 devices in October 2020.
The name IPStorm is the abbreviation of InterPlanetary Storm that came from the InterPlanetary File System (IPFS), which is a peer-to-peer protocol used by the bot for communications with the intent to obscure the malicious traffic.
The bot was written in the Go programming language, it was initially designed to compromise Windows systems only. In June security firms Bitdefender and Barracuda discovered new IPStorm versions that are able to target also Android, Linux, and Mac.
The experts from both security firms reported that IPStorm was infecting Android systems with ADB (Android Debug Bridge) port exposed online.
The bot was also targeting Linux and Mac devices and performing dictionary attacks against SSH services to guess their username and passwords.
Once a connection is established, the malware will check the presence of a honeypot by comparing the hostname of the attacked server to the string “svr04”, which is the default hostname of Cowrie SSH honeypot.
“The Linux variant has additional features over the documented Windows version, such as using SSH brute-force as a means to spread to additional victims and fraudulent network activity abusing Steam gaming and advertising platforms.” reads the Intezer’s report. “The Linux variant has adjusted some features in order to account for the fundamental differences that exist between this operating system and Windows.”
The IPStorm bot also kills a list of processes that could potentially interfere with its operations.
The FBI this week revealed US law enforcement’s dismantlement the IPStorm botnet. The joint international investigation was conducted by the FBI San Juan Cyber Team, with cooperation from the FBI legal attaché office in Madrid in coordination with the Spanish National Police-Cyber Attack Group; and the FBI Legal Attaché office in Santo Domingo, in coordination with the Dominican National Police-Interpol and Dominican National Police-International Organized Crime Division, and Ministry of the Interior and Police-Immigration Directorate. The National Cyber-Forensics and Training Alliance (NCFTA.net), including Bitdefender DRACO Team, Anomali Threat Research, and Intezer and helped investigators.
Russian-Moldovan national Sergei Makinin pled guilty to operating the illegal botnet.
The man claimed to have a botnet composed of 23,000 ‘highly anonymous’ proxies worldwide, it offered its service through the websites ‘proxx.io’ and ‘proxx.net.’
“According to court documents, from at least June 2019 through December 2022, Makinin developed and deployed malicious software to hack thousands of Internet-connected devices around the world, including in Puerto Rico. Makinin controlled these infected devices as part of an extensive botnet, which is a network of compromised devices.” reads the press release published by DoJ. “The main purpose of the botnet was to turn infected devices into proxies as part of a for-profit scheme, which made access to these proxies available through Makinin’s websites, proxx.io and proxx.net.”
The man admitted that he gained at least $550,000 from the fraudulent activity, he will forfeit cryptocurrency wallets used to hold the crime proceeds.
“This investigation shows that we will use every lawful tool at our disposal to disrupt cybercriminals, regardless of their location,” said U.S. Attorney Stephen Muldrow. “This case serves as a warning that the reach of the law is long, and criminals anywhere who use computers to commit crimes may end up facing the consequences of their actions in places they did not anticipate.”
Makinin faces a maximum penalty of 10 years in prison.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, critical infrastructure)
