IPStorm Botnet Moves From Windows To More OS Platforms

Updated: Oct 6

Botnets are among the most dangerous tools available to attackers. They are cheap and effective, and in capable hands they can be devastating to an organization even when basic protections are in place.

IPStorm, a malware botnet first reported last year infecting Windows systems, now has variants for Linux (including Android and IoT devices) and macOS.

According to Intezer's blog post on the discovery:

"Our research team recently identified new Linux variants of IPStorm targeting various Linux architectures (ARM, AMD64, Intel 80386) and platforms (servers, Android, IoT). We have also detected a macOS variant. The macOS variant and most of the Linux samples are fully undetected in VirusTotal at the time of this publication. IPStorm is written in Golang, which enabled Intezer Analyze to detect cross-platform code connections between the Linux samples and the Windows malware first reported by Anomali.

The Linux variant has additional features over the documented Windows version, such as using SSH brute-force as a means to spread to additional victims and fraudulent network activity abusing Steam gaming and advertising platforms. The Linux variant has adjusted some features in order to account for the fundamental differences that exist between this operating system and Windows."
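The SSH brute-force spreading that Intezer describes leaves a recognisable trail on the victim side: a burst of failed sshd logins from one source address, usually across many usernames. The following Python is an added example, not Intezer's analysis or IPStorm code, showing how to flag that pattern in standard OpenSSH syslog output. The hostnames, usernames and IP addresses (taken from the RFC 5737 documentation ranges) in the sample log are constructed for the example, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the standard OpenSSH "Failed password" line in syslog format.
# The format is real OpenSSH output; the lines fed to it below are constructed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample: one source (203.0.113.7) sprays six usernames in 14 seconds,
# a second source (198.51.100.4) is a real user who mistyped twice, hours apart.
SAMPLE_AUTH_LOG = """\
Oct  6 03:14:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  6 03:14:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Oct  6 03:14:06 web01 sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 40126 ssh2
Oct  6 03:14:09 web01 sshd[2207]: Failed password for invalid user ubuntu from 203.0.113.7 port 40128 ssh2
Oct  6 03:14:12 web01 sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Oct  6 03:14:15 web01 sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 40132 ssh2
Oct  6 03:20:44 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 51002 ssh2
Oct  6 03:20:51 web01 sshd[2300]: Accepted password for alice from 198.51.100.4 port 51002 ssh2
Oct  6 09:41:10 web01 sshd[3100]: Failed password for alice from 198.51.100.4 port 51200 ssh2
""".splitlines()


def parse_failed_logins(lines, year=2020):
    """Yield (timestamp, username, source_ip) for every failed-password line.
    Syslog omits the year, so the caller supplies it (assumed 2020 here)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {"max_burst": n, "usernames": [...]}} for each source that
    produced at least `threshold` failures inside any `window_s`-second sliding
    window. Distinct usernames are tracked because a worm spraying many accounts
    looks different from one person retrying their own password."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for ts, user, ip in parse_failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Evict timestamps older than the window; input is assumed chronological, as syslog is.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(ip, {}).get("max_burst", 0)
            flagged[ip] = {"max_burst": max(prev, len(q)), "usernames": sorted(users[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['max_burst']} failures in window, users tried: {info['usernames']}")
```

Run against the constructed log, only 203.0.113.7 is flagged; the legitimate user's two failures six hours apart stay under the window. A threshold of five failures per minute is deliberately conservative for a single host; on a log-aggregation tier you would lower the window and correlate the same source across many hosts, since a spreading worm hits the whole address range rather than one box.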

Sam Crowther, co-founder of Kasada, an online traffic integrity and bot security company, weighed in on the discovery:

"IPStorm has many similarities to Mirai - as it's a new, nasty botnet that will likely be available for hire. Mirai was originally used for DDoS, but is now used for more sophisticated attacks like credential abuse or carding. We see a similar path for IPStorm - it can easily be extended beyond DDoS attacks and go towards where the money is - to commit fraudulent activities at scale, through automated attacks. Like Mirai, this will be a difficult botnet to contend with as the IP addresses are legitimate."

"It's easy to see that a different approach is needed to stop these attacks; one that doesn't require knowledge of known bad IP addresses and rules based on prior attacks. If you apply a zero-trust philosophy to traffic you can better distinguish between bots and humans - even for new attacks that haven't been seen before. Another aspect of preventing these attacks that's not often discussed is to wreck the economics of the attack altogether, making the attack financially unviable for cybercriminals."


