{
	"id": "64eb3730-846a-4b2f-87bd-712b499df9e4",
	"created_at": "2026-04-06T00:11:27.170384Z",
	"updated_at": "2026-04-10T03:22:00.943514Z",
	"deleted_at": null,
	"sha1_hash": "115aa5b5731b604fef673a0be0e97687f57800be",
	"title": "Threat Spotlight: New InterPlanetary Storm variant targeting IoT devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1535600,
	"plain_text": "Threat Spotlight: New InterPlanetary Storm variant targeting IoT devices\r\nBy Barracuda Networks\r\nPublished: 2020-10-01 · Archived: 2026-04-05 18:47:38 UTC\r\nThe cybercriminal organization behind the InterPlanetary Storm malware has released a new variant into the wild, now targeting Mac and Android devices in addition to Windows and Linux machines. The malware is building a botnet, which Barracuda researchers estimate currently includes roughly 13,500 infected machines located in 84 different countries around the world, and that number continues to grow.\r\nThe majority of the machines infected by the malware are located in Asia.\r\n59% of infected machines are in Hong Kong, South Korea, and Taiwan\r\n8% are in Russia and Ukraine\r\n6% are in Brazil\r\n5% are in the United States and Canada\r\n3% are in Sweden\r\n3% are in China\r\nAll other countries are 1% or less\r\nHere is a closer look at this evolving threat and solutions to help detect, block, and remediate the attacks.\r\nhttps://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/\r\nPage 1 of 6\r\nHighlighted Threat\r\nNew variant of InterPlanetary Storm malware — This new malware variant gains access to machines by running a dictionary attack against SSH servers, similar to FritzFrog, another peer-to-peer (p2p) malware. It can also gain entry by accessing open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices.\r\nThe malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation. This allows infected nodes to communicate with each other directly or through other nodes (i.e. relays).\r\nThe first variant of InterPlanetary Storm, which targeted Windows machines, was uncovered by researchers at Anomali in May 2019, and a variant capable of attacking Linux machines was reported in June of this year. This new variant, which Barracuda researchers first detected in late August, is targeting IoT devices, such as TVs that run on Android operating systems, and Linux-based machines, such as routers with an ill-configured SSH service.\r\nWhile the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks.\r\nThe Details\r\nThis variant of InterPlanetary Storm is written in Go, uses the Go implementation of libp2p, and is packed with UPX. It spreads using SSH brute force and open ADB ports, and it serves malware files to other nodes in the network. The malware also enables a reverse shell and can run a bash shell.\r\nBarracuda researchers found several unique features designed to help the malware persist and protect itself once it has infected a machine.\r\nIt detects honeypots. The malware looks for the string \"svr04\" in the default shell prompt (PS1), which was previously used by the Cowrie honeypot.\r\nIt auto-updates. The malware compares the version of the running instance with the latest available version and will update accordingly.\r\nIt will try to persist itself by installing a service (system/systemv), using a Go daemon package.\r\nIt kills other processes on the machine that pose a threat to the malware, such as debuggers and competing malware. It does so by looking for the following strings in process command lines:\r\n\"/data/local/tmp\"\r\n\"rig\"\r\n\"xig\"\r\n\"debug\"\r\n\"trinity\"\r\n\"xchecker\"\r\n\"zypinstall\"\r\n\"startio\"\r\n\"startapp\"\r\n\"synctool\"\r\n\"ioservice\"\r\n\"start_\"\r\n\"com.ufo.miner\"\r\n\"com.google.android.nfcguard\"\r\n\"com.example.test\"\r\n\"com.example.test2\"\r\n\"saoas\"\r\n\"skhqwensw\"\r\nInterPlanetary Storm announced keys\r\nThe malware’s backend advertises the following keys into the IPFS Distributed Hash Table (DHT). Infected nodes will then try to find peers that can provide the required services:\r\nKey | Purpose\r\nrequeBOHCHIY2XRMYXI0HCSZA | C2\r\nproxybackendH0DHVADBCIKQ4S7YOX4X | Proxy backend\r\nweb-api:kYVhV8KQ0mA0rs9pHXoWpD | File distribution backend\r\nEach infected node will advertise the key “fmi4kYtTp9789G3sCRgMZVG7D3uKalwtCuWw1j8LSPHQEGVBU5hfbNdnHvt3kyR1fYUlGNAO0zactmIMIZodsOha9tnfe25X” in order to announce that it is part of the botnet. The ID of each infected machine is generated once during initial infection and is reused if the machine restarts or the malware updates.\r\nInfected nodes will also advertise keys in the form “stfadv:\u003cchecksum\u003e” in order to announce that the node can provide a file with that checksum.\r\nCommunication protocols\r\nLibp2p applications handle incoming connections (streams) based on a logical address (i.e. one unknown to the transport layer) called a protocol ID. By convention, protocol IDs have a path-like structure, with a version number as the final component.\r\nThe following protocol IDs are used by the malware:\r\nProtocol ID | Purpose | Notes\r\n/sbst/1.0.0 | Used for spawning a reverse shell | Hosted on nodes\r\n/sfst/1.0.0 | Used for file transfer | Hosted on nodes; the file checksum is used to verify the integrity of the served file\r\n/sbpcp/1.0.0 | Used for proxy; connects to the backend server | Hosted on backend servers\r\n/sbptp/1.0.0 | Used for proxy; forward proxy channel | Hosted on nodes\r\n/sreque/1.0.0 | Used for the scanner queue | Hosted on nodes; commands from the C2 contain a signature. Messages on this channel are serialized as JSON objects. Messages from the C2 are either “brute-ssh” or “tcp-scan”, directing the node to scan for vulnerable machines, and the node sends back the results of these scans. The “brute-ssh” messages from the C2 include a list of IPs to attack along with the credentials that should be used.\r\nFile distribution backend\r\nThe file distribution servers can be discovered using the “web-api:kYVhV8KQ0mA0rs9pHXoWpD” key. The relevant peers implement HTTP over the libp2p protocol and serve the following URLs:\r\nPath | Method | Description\r\n/version | GET | Get the peer version\r\n/files/checksum?f=\u003cfile name\u003e | GET | Get the current checksum of the file \u003cfile name\u003e\r\n/files/seedrs-http?c=\u003cchecksum\u003e | GET | Get a list of nodes capable of serving the file\r\n/files/seedrs-http | POST | Add node info\r\n/nodes/ | POST | Add node info\r\nIOC\r\nThe malware might drop some of the following files:\r\nHow to protect against these attacks\r\nThere are a few important steps you can take to protect against this malware variant.\r\nProperly configure SSH access on all devices. This means using keys instead of passwords, which will make access more secure. When password login is enabled and the service itself is reachable, the malware can exploit the ill-configured attack surface. This is a common issue with routers and IoT devices, which makes them easy targets for this malware.\r\nUse a cloud security posture management tool to monitor SSH access control and eliminate any configuration mistakes, which can be catastrophic. Where shell access is needed, instead of exposing the resource on the internet, deploy an MFA-enabled VPN connection and segment your networks for the specific needs instead of granting access to broad IP networks.\r\nErez Turjeman is a senior software engineer and a security researcher for Barracuda Labs.\r\nSource: https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/"
	],
	"report_names": [
		"threat-spotlight-new-interplanetary-storm-variant-iot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/115aa5b5731b604fef673a0be0e97687f57800be.pdf",
		"text": "https://archive.orkl.eu/115aa5b5731b604fef673a0be0e97687f57800be.txt",
		"img": "https://archive.orkl.eu/115aa5b5731b604fef673a0be0e97687f57800be.jpg"
	}
}