IPStorm propagates by attacking Unix-based systems (Linux, Android and Darwin) that run Internet-facing SSH servers with weak credentials or unsecured ADB servers. Its capabilities include backdooring the device (running shell commands) and generating malicious traffic (scanning the Internet and infecting other devices). The main purpose of the botnet is turning infected devices into proxies as part of a for-profit scheme. The bot herders are posing as a legitimate proxy service on the Clearnet. Earlier this month, IPStorm introduced a new variant for Linux.
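Both entry points described above leave traces a defender can check for: repeated password failures against common accounts in the sshd log, and an adbd listener bound to a non-loopback address. The following Python is an added example written for this write-up, not code from the original analysis or from the botnet; the log lines and `ss -tlnp` output are constructed samples, and the threshold and port values are assumptions a practitioner would tune to their own environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log excerpt (not real telemetry): a burst of failed password
# logins for weak default accounts from one source, ending in a successful
# password login, plus an unrelated key-based login from another host.
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:01 host sshd[2011]: Failed password for root from 198.51.100.7 port 51412 ssh2
Oct 12 03:14:02 host sshd[2011]: Failed password for root from 198.51.100.7 port 51413 ssh2
Oct 12 03:14:03 host sshd[2012]: Failed password for invalid user admin from 198.51.100.7 port 51414 ssh2
Oct 12 03:14:04 host sshd[2013]: Failed password for invalid user pi from 198.51.100.7 port 51415 ssh2
Oct 12 03:14:05 host sshd[2014]: Failed password for invalid user ubnt from 198.51.100.7 port 51416 ssh2
Oct 12 03:14:06 host sshd[2015]: Accepted password for root from 198.51.100.7 port 51417 ssh2
Oct 12 03:20:00 host sshd[2100]: Accepted publickey for alice from 203.0.113.9 port 40000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port \d+")


def find_password_bruteforce(log_text, threshold=5):
    """Summarise password-guessing sources in sshd log text.

    Returns {source_ip: {"failures": n, "users": [...], "success_after_failures": bool}}
    for every source whose failed password attempts reach `threshold` (an assumed
    value). A successful password login from a source that already failed is the
    case worth paging on: it looks like a weak credential was found.
    """
    failures = Counter()
    users = defaultdict(set)
    succeeded_after_failure = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] > 0:  # Counter returns 0 for unseen keys
            succeeded_after_failure.add(m.group(2))
    return {
        ip: {
            "failures": n,
            "users": sorted(users[ip]),
            "success_after_failures": ip in succeeded_after_failure,
        }
        for ip, n in failures.items()
        if n >= threshold
    }


# Constructed `ss -tlnp` output: adbd listening on all interfaces on TCP 5555,
# the wireless-debugging port that is exposed when ADB over TCP is left enabled.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      4      0.0.0.0:5555        0.0.0.0:*         users:(("adbd",pid=1402,fd=7))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=640,fd=6))
"""


def exposed_adb_listeners(ss_text, adb_port=5555):
    """Return local address:port strings where something listens on the ADB port
    on a non-loopback address. Loopback-only ADB is not reachable from the network."""
    exposed = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        addr, _, port = local.rpartition(":")
        if port != str(adb_port):
            continue
        if addr.startswith("127.") or addr in ("[::1]", "::1"):
            continue
        exposed.append(local)
    return exposed


if __name__ == "__main__":
    for ip, info in find_password_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"SSH password guessing from {ip}: {info}")
    for listener in exposed_adb_listeners(SAMPLE_SS_OUTPUT):
        print(f"ADB exposed on {listener}; disable ADB over TCP or firewall the port")
```

On a live host the same two functions can be fed `journalctl -u ssh` (or `/var/log/auth.log`) and the real output of `ss -tlnp`; the remediation for either finding is the usual one, key-only SSH authentication and ADB over TCP switched off or restricted to the loopback interface.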
Analysis indicates the botnet's authors are proficient in Golang and in developing and concealing nodes. The complex infrastructure is designed to seek out and compromise targets, update to newer versions, run commands on infected machines, and communicate with C2 servers through a web API. The management structure includes specialized nodes that check node availability, provide proxy connections, host the web API, sign authorized messages, and test the malware. At present there are approximately 9,000 devices making up the botnet. Most of these victims run Android or Linux. A small number of Windows devices are also infected, although they run older versions of the malware. Targeting has mostly focused on Asia, although infections have also been observed in other countries, including Brazil, Ukraine, the US, Sweden, and Canada. The botnet uses a multi-tier subscription-based pricing model. To date, there have been more than 100 code revisions. Interestingly, the malware examines the victim machine for competing malware and, if any is found, disables it.