A new web3 technology is being abused widely by threat actors, according to security researchers from tech giant Cisco.
What is IPFS?
The InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data. It is designed to enable decentralized storage of resources on the internet. It was built to be resilient against content censorship, meaning that it is not possible to effectively remove content from within the IPFS network once it’s stored there.
Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
This includes Dark Utilities, a command-and-control (C2) framework that is advertised as a way for adversaries to obtain remote system access, DDoS capabilities and cryptocurrency mining, with the payload binaries provided by the platform hosted in IPFS.
However, researchers with Cisco Talos said that the same legitimate uses of IPFS make it harder for security teams to sniff out malicious IPFS activity. This has been a driving factor behind a growing volume of malware samples – including Hannabi Grabber and Agent Tesla – in attacks this year that leverage IPFS.
Resources stored within IPFS can be accessed using an IPFS client or through an IPFS “gateway”, which anyone can set up with publicly available tools. Any computer can download the IPFS software in order to start hosting and serving files, and because of this ease of use, coupled with challenges around the moderation of IPFS-hosted content, IPFS is attractive to attackers, said researchers.
In one campaign that Talos researchers observed, the attacker sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When run, the downloader would reach out to an IPFS gateway and retrieve a second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote-access Trojan getting dropped on the victim’s system.
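The dropper-to-gateway fetch in that chain is exactly what a web proxy log would record. As an added illustration, not code from Cisco Talos or this article, the following Python flags IPFS gateway URLs (path-style `/ipfs/<CID>` and subdomain-style `<cid>.ipfs.<host>`) in constructed proxy log lines and prioritises fetches of executable content; the gateway hostnames, CIDs and the content-type list are assumptions:

```python
import re
from urllib.parse import urlparse

# CID shapes: v0 is "Qm" + 44 base58btc chars; v1 (base32, the form subdomain
# gateways use because hostnames are case-insensitive) starts with "baf".
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CID_V1 = r"baf[a-z2-7]{50,}"
PATH_GW = re.compile(rf"^/ipfs/(?P<cid>{CID_V0}|{CID_V1})(?:/|$)")
SUBDOMAIN_GW = re.compile(rf"^(?P<cid>{CID_V1})\.ipfs\.")  # <cid>.ipfs.<host>
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}  # assumed list

def classify_url(url):
    """Return (gateway_style, cid) if url is an IPFS gateway fetch, else None."""
    p = urlparse(url)
    m = SUBDOMAIN_GW.match(p.hostname or "")
    if m:
        return "subdomain", m.group("cid")
    m = PATH_GW.match(p.path)
    if m:
        return "path", m.group("cid")
    return None

def scan_log(text):
    """Scan 'ts client method url status content-type' lines; keep IPFS fetches."""
    hits = []
    for line in text.splitlines():
        ts, client, _method, url, _status, ctype = line.split()
        found = classify_url(url)
        if not found:
            continue
        style, cid = found
        hits.append({"ts": ts, "client": client, "cid": cid, "style": style,
                     "content_type": ctype,
                     # a binary pulled through a gateway is the second-stage pattern above
                     "suspicious": ctype in BINARY_TYPES})
    return hits

# Constructed sample proxy log; CIDs and hosts are made up for illustration.
CID0 = "QmABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstu"
CID1 = "bafybeigconstructedcidexample" + "a" * 30
SAMPLE_LOG = f"""\
2023-03-01T10:02:11Z 10.0.0.5 GET https://gw.example/ipfs/{CID0}/update.exe 200 application/x-msdownload
2023-03-01T10:03:45Z 10.0.0.7 GET https://www.example.com/about.html 200 text/html
2023-03-01T10:04:02Z 10.0.0.9 GET https://{CID1}.ipfs.dweb.example/index.html 200 text/html
2023-03-01T10:05:30Z 10.0.0.5 GET https://cdn.example.org/ipfs-docs/intro.pdf 200 application/pdf
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print("ALERT" if h["suspicious"] else "info ", h["client"], h["style"], h["cid"][:16], h["content_type"])
```

Only the first line is raised as an alert: an executable retrieved via a gateway, while the HTML page served from a subdomain gateway is recorded for context but not flagged.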
Brumaghin said that attackers will continue to gravitate toward new technologies related to the emerging concept of the distributed web, also referred to as Web3.