A storm is brewing as a growing botnet is poised to attack ARM-based smart devices and computers in the region.

The cybercriminal organization behind the InterPlanetary Storm malware has released a new variant into the wild, now targeting Mac and Android, in addition to Windows and Linux machines.

The InterPlanetary Storm is so named because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation.  The malware was uncovered in May 2019, and a variant capable of attacking Linux machines was reported in June of this year. The latest variant, first detected in late August, is targeting IoT devices, such as TVs that run on Android operating systems, and Linux-based machines, such as routers with ill-configured SSH service. 

All these developments were unveiled by from Barracuda Networks, whose researchers say the malware is building a botnet estimated to include roughly 13,500 infected machines located in 84 different countries around the world. The majority of the these (62%) are based in Asia, as follows:

  • 59% of infected machines are in Hong Kong, South Korea, and Taiwan
  • 8% are in Russia and Ukraine
  • 6% are in Brazil
  • 5% are in the United States and Canada
  • 3% are in Sweden
  • 3% are in China
  • All other countries: 1% or less

The new variant gains access to machines by running a dictionary attack against SSH servers, similar to FritzFrog, another peer-to-peer (p2p) malware. It can also gain entry by accessing open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and active operating system of its victims, and can run on ARM-based machines, which are quite common in routers and other IoT devices.

Said James Forbes-May, Vice President of APAC, Barracuda: “While the botnet that this malware variant is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for crypto mining, DDoS, or other large-scale attacks. We have seen many cases of the new malware variant in Asia, so far targeting IoT devices in China, Hong Kong, South Korea, and Taiwan, but these cases continue to rise, so it’s important to remain vigilant.”

Self-preservation techniques

Barracuda researchers have found that the malware uses several unique features to protect itself once it has infected a machine. These include automatically updating itself to the latest available version; installing a service using a Go daemon package, and killing other processes on the machine that pose a threat to the malware, such as debuggers and competing malware.

“In order to protect against such attacks, it’s incredibly important to properly configure SSH access on all devices, said Forbes-May. “This means using keys instead of passwords, which will make access more secure. When password login is enabled and the service itself is accessible, the malware can exploit the ill-configured attack surface. This is an issue common with routers and IoT devices, so they make easy targets for this malware, he added.

To install an additional layer of security against this kind of attack, organizations are advised to monitor SSH access control to eliminate any configuration mistakes, segment their networks, and deploy an Multi-factor Authentication-enabled VPN connection.