Barracuda Networks detects a new variant of the InterPlanetary Storm malware that has been targeting Mac and Android devices in addition to Windows and Linux machines. The malware is building a botnet, which Barracuda researchers estimate currently includes roughly 13,500 infected machines located in 84 different countries around the world, and that number continues to grow. The majority of the machines infected by the malware are located in Asia.
The first variant of Interplanetary Storm, which targeted Windows machines, was uncovered in May 2019. Its capability of attacking Linux machines was reported in June of this year. This new variant, which Barracuda researchers first detected in late August, is targeting IoT devices, such as TVs that run on Android operating systems, and Linux-based machines, such as routers with ill-configured SSH service.
The new InterPlanetary Storm malware uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation to access machines and spreads using SSH brute force and open ADB ports, similar to its peer FritzFrog malware. This allows infected nodes to communicate with each other directly or through other nodes. Written in the Go (Golang) programming language, malware detects the CPU architecture and running OS of its victims, and run on ARM-based machines, an architecture that is quite common with routers and other IoT devices. The malware also enables reverse shell and can run bash shell.
Barracuda researchers have found several unique features designed by the cybercriminal organisation to help the malware persist and protect it once it has infected a machine. It detects the computer security mechanism, honeypots, auto updates itself, tries to persist itself by installing a service using a Go daemon package and also kills other processes on the machine that pose a threat to the malware, such as debuggers and competing malware.
Speaking on the threat spotlight, Murali Urs, Country Manager-India, Barracuda Networks, commented “While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks. Although many cases of the new variant have been reported from Asian countries like China, Hong Kong, South Korea, and Taiwan, Indian IoT devices haven’t been much in the radar of the cybercriminal organisations. It is still important for us to remain vigilant.”
Such a rapidly evolving threat environment requires advanced inbound and outbound security techniques that go beyond the traditional gateway. To safeguard IoT devices against this malware variant, it will be necessary to properly configure SSH access on all devices. This means using keys instead of passwords, which will make access more secure. When password login is enabled and the service itself is accessible, the malware can exploit the ill-configured attack surface. Since the issue is common with routers and IoT devices, they become easy targets for the InterPlanetary Storm malware.
Meanwhile, to monitor SSH access control, a cloud security posture management tool must be used that will eliminate any configuration mistakes, which can be catastrophic. To provide secured access to shells, it will be ideal for the users to deploy an MFA-enabled VPN connection instead of exposing the resource on the internet, and segment their networks for specific needs instead of granting access to broad IP networks.
