
Threat Actors Abuse InterPlanetary File System Protocol to Spread Malware


Threat actors leveraged an emerging distributed file storage protocol in attacks deploying a Python-based information stealer called Hannabi Grabber.

Threat actors are leveraging InterPlanetary File System (IPFS), an emerging distributed file storage protocol that enables computers to store and serve files as part of a peer-to-peer network, in order to host payloads for a Python-based information stealer called Hannabi Grabber.

Overall, researchers with Cisco Talos in a Wednesday analysis said that they are seeing increasingly widespread abuse of IPFS by threat actors to host phishing kit infrastructure and malware payloads. The technology has been developed to enable the decentralized storage of resources across the internet, such as tools used to render web pages or files that can be accessed by internet users.

However, researchers with Cisco Talos said that this legitimate use also makes it harder for security teams to distinguish malicious IPFS activity from benign traffic. That resilience to takedown has been a driving factor behind the growing number of malware samples seen in attacks this year that leverage IPFS, including Hannabi Grabber and Agent Tesla.

“Over the past few years, Talos has observed an increase in the number of cybercriminals taking advantage of technologies like the InterPlanetary File System (IPFS) to facilitate the hosting of malicious content as they provide the equivalent of ‘bulletproof hosting’ and are extremely resilient to attempts to moderate the content stored there,” said Edmund Brumaghin, threat researcher with Cisco Talos, in a Wednesday analysis.

Resources stored within IPFS can be accessed using an IPFS client or through an IPFS “gateway” built with publicly available tools. Any computer can download the IPFS software and start hosting and serving files. This ease of use, coupled with the difficulty of moderating IPFS-hosted content, is what makes IPFS attractive to attackers, said researchers.

“Unlike traditional web hosting technologies where specific companies are responsible for moderating content stored on their platform(s), IPFS is decentralized,” said Brumaghin. “There is no entity that can modify/remove that content. Content stored within the IPFS network is synchronized across multiple systems participating in the network such that if a system exists on the network with a copy of the content, the content will be accessible.”

Hannabi Grabber Information Stealer

Researchers have seen IPFS being leveraged both to host phishing kits and to stage payloads in malware campaigns. Researchers also observed a number of malware samples uploaded to public sample repositories that turned out to be loaders whose final payloads were hosted on IPFS. These final payloads included reverse shell payloads, a batch file designed to destroy victim systems and the previously unseen Hannabi Grabber malware.

Hannabi Grabber, which leverages Discord Webhooks for command-and-control and data exfiltration, aims to steal data from a variety of apps on victim systems - such as Discord, Opera Software, Yandex and Brave - as well as retrieve password and cookie data from browsers like Google Chrome. Brumaghin said overall, Hannabi Grabber has a significant amount of functionality that is typical for information-stealing malware.

“Typically, attackers will attempt to leverage PyInstaller or Py2EXE to compile their Python into a PE32 file format prior to distributing it to victims,” said Brumaghin. “This is a case where instead, the attacker chose to include a Python installation process during the infection and is leveraging Python directly to steal sensitive information from victims.”

In another incident, researchers observed attackers sending a PDF purporting to be associated with DocuSign. When the target clicked on the “Review Document” link, they were redirected to what appeared to be a Microsoft authentication page and prompted to enter their email address and password. Here, the phishing landing page itself was hosted on the IPFS network.

Attackers were also seen sending a malspam email to targets pretending to be from a Turkish financial institution, with an attachment purporting to be an outstanding payment confirmation. The attachment, a ZIP file containing a PE32 executable, was actually a downloader that connected to an IPFS gateway to retrieve a next-stage malware payload for the Agent Tesla RAT hosted in the IPFS network.
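Both the gateway access described earlier and the downloader's gateway request above leave the same trace in egress logs: a URL that addresses content by CID. The following is an added defender-side example, not code from Talos or from this article, that flags the common gateway URL forms (path gateway, subdomain gateway and the ipfs:// scheme) in constructed proxy log lines; the log format, gateway hostnames and CIDs are all constructed for illustration, and the CID checks are heuristics on string shape, not full multihash validation.

```python
import re
from urllib.parse import urlparse

# Heuristic CID shape checks (assumption: enough for log triage).
# CIDv0: 46-char base58btc string starting with "Qm" (case-sensitive).
# CIDv1: usually base32 lowercase, multibase prefix "b", alphabet a-z2-7.
CIDV0_RE = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
CIDV1_RE = re.compile(r"^b[a-z2-7]{50,}$")


def looks_like_cid(token: str) -> bool:
    return bool(CIDV0_RE.match(token) or CIDV1_RE.match(token))


def extract_ipfs_reference(url: str):
    """Return (form, cid) when the URL addresses IPFS content, else None."""
    parsed = urlparse(url)
    if parsed.scheme == "ipfs":                      # ipfs://<cid>/path
        cid = parsed.netloc                          # netloc keeps CIDv0 case
        return ("scheme", cid) if looks_like_cid(cid) else None
    path_parts = [p for p in parsed.path.split("/") if p]
    if len(path_parts) >= 2 and path_parts[0] == "ipfs" \
            and looks_like_cid(path_parts[1]):       # https://gw/ipfs/<cid>/...
        return ("path-gateway", path_parts[1])
    labels = (parsed.hostname or "").split(".")      # https://<cid>.ipfs.gw/...
    if len(labels) >= 3 and labels[1] == "ipfs" and looks_like_cid(labels[0]):
        return ("subdomain-gateway", labels[0])
    return None


def find_ipfs_fetches(log_text: str):
    """Scan 'timestamp src_ip method url status' lines; return (src, form, cid)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ref = extract_ipfs_reference(fields[3])
        if ref:
            hits.append((fields[1], ref[0], ref[1]))
    return hits


# Constructed sample proxy log (not from the article); CIDs are made up.
SAMPLE_LOG = """\
2023-03-15T10:01:02Z 10.0.0.5 GET https://example.com/index.html 200
2023-03-15T10:02:10Z 10.0.0.7 GET https://gw.example/ipfs/QmaBcDeFgHjKmNpQrStUvWxYz123456789AbCdEfGhJkMn/payment.exe 200
2023-03-15T10:03:44Z 10.0.0.9 GET https://bafybeiconstructedexamplecidfordetectiononlyabcdefghijklmno.ipfs.dweb.example/login.html 200
2023-03-15T10:04:00Z 10.0.0.5 GET https://example.com/ipfs/readme 200
"""

if __name__ == "__main__":
    for src, form, cid in find_ipfs_fetches(SAMPLE_LOG):
        print(f"{src} fetched IPFS content via {form}: {cid}")
```

The last sample line shows why the CID shape check matters: a path that merely contains the word "ipfs" is not flagged.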

Brumaghin said that attackers will continue to adopt new technologies associated with the emerging concept of the distributed web, also referred to as Web3.

“The emergence of Web3 technologies such as cryptocurrencies have had a direct impact on the threat landscape and are a major contributor to the explosion in ransomware over the past several years,” said Brumaghin. “IPFS has been identified by adversaries as providing significant benefits in malware distribution and phishing and will likely continue to be used with increasing frequency moving forward.”