Home News New InterPlanetary Storm Malware Variant Targets IoT Devices in Asia

New InterPlanetary Storm Malware Variant Targets IoT Devices in Asia

WhisperGate malware campaign, Flagpro malware, MosaicLoader Malware, drinik

Deemed as an “unusual” security threat upon its discovery last year, the InterPlanetary Storm malware has resurfaced into the wild with a few add-on capabilities. It is now targeting Mac and Android-based IoT devices in addition to the Windows and Linux-based machines, with its primary targets set in Asia.

 Key Highlights 

  • The InterPlanetary Storm malware has resurfaced and now targeting Mac and Android-based IoT devices along with its primary targets, the Windows, and Linux-based machines.
  • Researchers have found nearly 13,500 devices being affected by this variant.
  • Majority (62%) of the machines infected by the malware are in Asia.

New Kid on the Block

The researchers at Barracuda have been studying the activity of the operators behind this malware for long and recently found that the malware itself is building a botnet. They fear that this botnet has already infected roughly 13,500 machines across 84 different countries around the globe, with a majority (62%) of them based in Asia.

The percentage-wise break-up of the locations of all infected machines is as follows:

  • 59% of infected machines are in Hong Kong, South Korea, and Taiwan
  • 8% are in Russia and Ukraine
  • 6% are in Brazil
  • 5% are in the United States and Canada
  • 3% are in Sweden
  • 3% are in China
  • All other countries are 1% or less

The InterPlanetary Storm malware, which was discovered in May 2019, uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation. It first targeted Windows machines; however, the new variant, discovered in June 2020, is capable of attacking Linux and Android-based machines.  It is also targeting IoT devices, such as TVs that run on Android operating systems, and Linux-based machines, such as routers with ill-configured SSH service.

InterPlanetary Storm Malware Infection Routine

The new variant gains access to machines by running a dictionary attack against SSH servers. It can also gain entry by accessing open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and the OS on its victim’s machine, and then run through the ARM-based machines, which is a CPU based on reduced instruction set computer architecture (RISC), commonly used in routers and other IoT devices.

James Forbes-May, Vice President of APAC for Barracuda, said, “While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks.”

Other Features

Barracuda researchers found several unique features designed to help the malware protect itself once it has infected a machine. These include automatically updating itself to the latest available version; installing a service using a Go daemon package and killing other processes on the machine that pose a threat to the malware, such as debuggers and competing malware.

Forbes-May added, “In order to protect against such attacks, it’s incredibly important to properly configure SSH access on all devices. This means using keys instead of passwords, which will make access more secure. When password login is enabled and the service itself is accessible, the malware can exploit the ill-configured attack surface. This is an issue common with routers and IoT devices, so they make easy targets for this malware.

Using a cloud security posture management tool to monitor SSH access control to eliminate any configuration mistakes, which can be catastrophic, is crucial while deploying an MFA-enabled VPN connection and segmenting your networks, rather than granting access to broad IP networks, can provide an additional layer of security against this kind of attack.