Rewterz Threat Alert – IPStorm Introduces a Malware Variant for Linux

Severity

Medium

Analysis Summary

Earlier, a Golang malware targeting Windows, was dubbed IPStorm (InterPlanetary Storm). Recently, new Linux variants of IPStorm are discovered targeting various Linux architectures (ARM, AMD64, Intel 80386) and platforms (servers, Android, IoT). Additionally, a macOS variant is also detected.  IPStorm is a botnet that abuses a legitimate Peer-to-peer (p2p) network called InterPlanetary File System (IPFS) as a means to obscure malicious traffic. It was found the malware eventually allowed attackers to execute arbitrary PowerShell commands on the victim’s machine. 

The Linux variant has additional features over the documented Windows version, such as using SSH brute-force as a means to spread to additional victims and fraudulent network activity abusing Steam gaming and advertising platforms. The Linux variant has adjusted some features in order to account for the fundamental differences that exist between this operating system and Windows.

Impact

• Unauthorized Access
• Fraudulent Network Activity

Indicators of Compromise

MD5

• 2ecb293f939a68c30fa99ff32eebed39
• 74f80c56cb3ecb57ab2d8e505f5ae1d7
• 43292a4852adfa21c2206e1dd65e3837
• 98c8ecb1d107e6b978b8f279ce412b6d
• ecbab0575ea055b6aac9410a5abf4e09
• 3f4989057768b14d7242341cf4f7e743

SHA-256

• 984c5e980fb8a5b7bbc673f923f22ddf06c5dd89fcd0acf774d79d4d193b44c8
• dfeecdd23f28f80e42e58c87c9a4858648964b3100dfb899c61b54aed7856cf7
• 658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117
• 3aff4695c73709e2e0e55665c4850aa45064723a2c83e75325b27e77ec5f6d97
• 5103133574615fb49f6a94607540644689be017740d17005bc08b26be9485aa7
• 16bcb323bfb464f7b1fcfb7530ecb06948305d8de658868d9c3c3c31f63146d4
• b4c75e1d94bc4c8affd6d9f433585ace2738772e6a04403ab67cce3df9574068
• 522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434
• 7b044b8eddd20d8e1c7d499a6c34b1bc373f5fe9d59bab7b4e3a341a5f4ce0b5
• aa7639b11f7c852005110e5ac34c9a2c94c562bcc95dbf6f60a1a7192cf8ea77
• 52b081dbaafbbae8ad812f9c50a1a5f7d8b0850b3c6dc69eccb3322f34286c2e
• c247b3c07b4bf13da67c51d5834193d128c45c7e41214096090b5d2610313783
• f4f1fb65df80666fe67b22b84d9d8f967449d1249c33ad97f4305784fa41e747
• d233c37f2d49badbf53d054bce7fb8e787c9973067e8dcd79835d7816aacfa43
• 64abc2cf5866e932b0731a6deb487aa3d9756724250de26bac2fb930cd478dc0
• fbd5e48ee691df949e0dd3687755c80cc5b9d1a1a89e7dc486694370697de893
• bfb69eadee1918a9402478c76dd15696bbac3e3e3e57c9a94c7d51e594b8c657
• b80346c4d31d77fba9427024d34af2f43e64a5272b5bbef28c6bf045a06143ff
• a5468b6130d90bc74cf8e458297f6d4c7fc42b87184623aefd535bca658542ed
• cae8a782765dd0f97e7a812a245cc5b94b3179ced9c8181d0fda13978c9f17be
• 08bf31862577567a56bf3be6425f1ddf4ac90914efd883a75a5a53dbcabd28a2
• 1d0e003ee653d1a7b80ff5e69c33689af04e45fc836a29e0853219dd100fd534
• 50406ec7fa22c78e9b14da4ccc127a899db21f7a23b1916ba432900716e0db3d
• 69ea7bcf3da16d968e6104745c1f015f6371c093188f1061a311a6385985b45b
• 7c41de95313dc98a3fc4f6fe3910759c3561743dacc629dab11e754290f8c7aa
• db9c95bdc4247ff6cdaf8a8e47b4add21a730461d8f6e2693136aecd346b3fb5
• 591770835066958e912ceb445bd865e961ac946e8cf70ced9f0bd75c851d9478
• ef226de8cc53e59c9431838085f3bbd1b8a32f7cc135682033a3fdba19a0ee97
• 79ec318a968679f94d2ab0ba15daaeeb71406d2f744eb0cd1b314c4bb403114d
• 52f215521ba59cb6a51314bd1527f1c540ffc04df924ad971ca2160405879778
• b07c2dfb4c57175446b6188bb4b1722272f63a301f18c5f46ee6401347894fea

SHA1

• 8e5304a17c91b0ded1116f675de68f2ddc4bbdf4
• fa7e339c5fc8613771d3ce89a8273811004d17e5
• d6674f5563f07a4ef2db7e37967cffe78b98e85e
• 3ccdbd4044623f9639277baa9f3dbec42c66fcf0
• 086ce30530db7a1b72b9b0b270cd4a1dcc2fa9e6
• f3a9bd2d22414628bdd9279c62f424e6f2b2dc73

Remediation

Block the threat indicators at their respective controls.