A new variant of the InterPlanetary Storm malware has infected roughly 13,500 machines in at least 84 countries, and the count is still rising. That is the core finding of the latest Threat Spotlight research from e-mail security vendor Barracuda Networks.
The malware was first uncovered in May 2019, when it was targeting Windows machines. The new variant, which Barracuda researchers first detected in late August, also targets Internet of Things (IoT) devices, such as televisions running Android, as well as Linux-based machines.
The new variant gains access to machines by running a dictionary attack against SSH servers, the same entry technique used by FritzFrog, another peer-to-peer malware. It can also gain entry through exposed Android Debug Bridge (ADB) servers. Once on a host, the malware detects the victim's CPU architecture and operating system. It can run on ARM-based machines, an architecture that is common in routers and other IoT devices.
While the purpose of the campaign is not yet known, it is likely that the operators are establishing a foothold on infected devices so they can later be used for cryptomining, DDoS or other large-scale attacks.
The 84 countries with reported infections so far include the UK, Argentina, Australia, Belgium, Brazil, Canada, France, Germany, India, Spain and the United States.
The malware spreads over SSH brute force and open ADB ports, and each infected node serves the malware files on to other nodes in the peer-to-peer network. It can also open a reverse shell and run bash commands on the host.
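The SSH dictionary attack described above leaves a recognisable trace in the sshd authentication log: a burst of failed password logins from one source address, cycling through many user names, sometimes followed by an accepted password login from the same address once a weak credential is guessed. The following detector is an added example written for this page; it is not Barracuda's code and is not derived from the malware. The log lines, host name, user names and source addresses are constructed for illustration, and the thresholds are assumptions to be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the Barracuda report). The first
# source cycles through five accounts in five seconds and then succeeds as "pi";
# the second is a legitimate user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Oct  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40012 ssh2
Oct  1 10:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40014 ssh2
Oct  1 10:00:03 host sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 40016 ssh2
Oct  1 10:00:04 host sshd[1207]: Failed password for invalid user ubuntu from 203.0.113.7 port 40018 ssh2
Oct  1 10:00:05 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 40020 ssh2
Oct  1 10:00:06 host sshd[1211]: Accepted password for pi from 203.0.113.7 port 40022 ssh2
Oct  1 10:00:30 host sshd[1220]: Failed password for alice from 198.51.100.5 port 51000 ssh2
Oct  1 10:00:45 host sshd[1222]: Accepted publickey for alice from 198.51.100.5 port 51002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn raw sshd log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; relative ordering within one file is all we need.
        ts = re.sub(r"\s+", " ", m.group("ts"))
        events.append({
            "when": datetime.strptime(ts, "%b %d %H:%M:%S"),
            "result": m.group("result"),
            "method": m.group("method"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def detect_ssh_dictionary_attacks(text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed password logins inside one window.

    Assumed thresholds: 5 failures in 60 seconds. For each flagged source the
    finding records the user names tried and, if an 'Accepted password' from the
    same source follows the burst, the account that was guessed (a likely compromise).
    """
    by_src = defaultdict(list)
    for e in parse_auth_log(text):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["when"])
        failures = [e for e in evs if e["result"] == "Failed" and e["method"] == "password"]
        burst_end = None
        # Sliding window over consecutive failures: any run of `threshold` within `window` qualifies.
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1]["when"] - failures[i]["when"] <= window:
                burst_end = failures[i + threshold - 1]["when"]
                break
        if burst_end is None:
            continue
        success = next(
            (e for e in evs if e["result"] == "Accepted" and e["method"] == "password"
             and e["when"] >= burst_end),
            None,
        )
        findings.append({
            "src": src,
            "failed_attempts": len(failures),
            "usernames": sorted({f["user"] for f in failures}),
            "compromised_user": success["user"] if success else None,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_ssh_dictionary_attacks(SAMPLE_AUTH_LOG):
        print(finding)
```

Key-only logins show up as `Accepted publickey` and are never counted as a compromise here, which is the point of the advice further down: once password authentication is disabled, the burst of failures can still occur, but the follow-on `Accepted password` line cannot.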
Fleming Shi, CTO at Barracuda Networks, commented: “This new variant of malware is extremely infectious and malicious, and it’s very likely that it will spread beyond the 84 countries which have already been impacted. Moving forward, it’s essential that tech users properly configure Secure Shell access on all devices. This means using keys instead of passwords, which will make access more secure.”
In conclusion, Shi stated: “Furthermore, deploying a multi-factor authentication enabled VPN connection to a segmented network, instead of granting access to broad IP networks, is absolutely vital, particularly so if users wish to share access to secure shells without exposing the resource on the Internet.”
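The recommendation to use keys instead of passwords comes down to a handful of sshd_config directives, and the trap is that OpenSSH defaults to allowing password logins when a directive is simply absent. The auditor below is an added example written for this page, not code from Barracuda or from the OpenSSH project. The two configuration fragments are constructed for illustration; the defaults table reflects current OpenSSH behaviour as the author understands it and should be checked against the `sshd_config(5)` manual page for the version in use.

```python
import re

# Hypothetical sshd_config fragments constructed for this example; neither is
# taken from the Barracuda report or from any real device.
WEAK_SSHD_CONFIG = """\
# password logins permitted: exactly what an SSH dictionary attack needs
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
"""

# OpenSSH treats the older spelling ChallengeResponseAuthentication and
# KbdInteractiveAuthentication as the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# directive -> (acceptable values, value OpenSSH applies when the directive is absent, recommended value)
CHECKS = {
    "PasswordAuthentication": ({"no"}, "yes", "no"),
    "KbdInteractiveAuthentication": ({"no"}, "yes", "no"),
    "PermitRootLogin": ({"no", "prohibit-password", "without-password"}, "prohibit-password", "prohibit-password"),
    "PubkeyAuthentication": ({"yes"}, "yes", "yes"),
}


def parse_sshd_config(text):
    """Return {lowercase directive: value} for the global section of an sshd_config.

    sshd uses the first value it obtains for each keyword, so later duplicates are
    ignored. Parsing stops at the first Match block, because conditional overrides
    need the matching context and are deliberately out of scope here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Directives may be "Keyword value" or "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower())
    return settings


def audit_sshd_config(text):
    """List directives whose effective value still permits password-based access."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (acceptable, default, recommended) in CHECKS.items():
        effective = settings.get(directive.lower(), default)
        if effective not in acceptable:
            findings.append({
                "directive": directive,
                "effective": effective,
                "explicit": directive.lower() in settings,  # False means the default is what bites
                "recommended": recommended,
            })
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run the auditor against `/etc/ssh/sshd_config` on each host (and on IoT devices that expose SSH) before closing the change; an empty result means every password path is closed at the daemon level, which is what removes the dictionary attack as an entry vector regardless of how weak a device's local accounts are.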