The rise of the InterPlanetary Filesystem (IPFS) has been both beneficial and problematic, particularly because it has become a platform cybercriminals use for a range of malicious activities. According to a recent analysis from Cisco Talos researcher Edmund Brumaghin, numerous phishing campaigns are exploiting IPFS to host malware and phishing kits and to enable other forms of cyberattacks.

Brumaghin’s findings indicate that multiple malware families are currently being stored on IPFS, which are accessed during the initial phases of these attacks. This aligns closely with earlier research by Trustwave SpiderLabs, which in July 2022 reported that over 3,000 emails containing IPFS phishing URLs were used as vectors for attacks. The report described IPFS as a burgeoning “hotbed” for phishing activity.

The decentralized architecture of IPFS presents a unique challenge in combating such abuses. It uses a peer-to-peer (P2P) network that replicates content across participating nodes, so even if malicious files are removed from one source they can still be retrieved from others. This inherent resilience against censorship and take-down efforts has attracted cybercriminals seeking robust, persistent infrastructure that evades law enforcement.
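The replication described above has a practical consequence for defenders: a phishing page pinned to IPFS can be reached through any public gateway, so blocking the one gateway hostname seen in an email does little. What stays constant across gateways is the content identifier (CID) embedded in the URL. The following Python triage routine is an added example, not code from the article or from the Talos or Trustwave research; it pulls the CID out of the three common IPFS URL forms and groups URLs by CID so a blocklist or hunting query can key on the content rather than the host. The gateway hostnames (ipfs.io, dweb.link), the two CIDs and the email excerpt are constructed sample values.

```python
import re
from urllib.parse import urlparse

# Content identifier (CID) shapes as commonly seen in gateway URLs:
#   CIDv0: "Qm" followed by 44 base58btc characters (46 chars total)
#   CIDv1: multibase prefix "b" followed by a lowercase base32 payload
# This is a shape check only; it does not validate the multihash itself.
CID_RE = re.compile(r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})")

# Rough URL finder for the three URL forms handled below.
URL_RE = re.compile(r"(?:https?|ipfs)://[^\s\"'<>]+")

# Constructed sample CIDs: correct shape, but hypothetical values that
# do not point at real content.
SAMPLE_CIDV1 = "bafybeiconstructedexamplecidforillustrationonly2345abcdefgh"
SAMPLE_CIDV0 = "QmSampeCidNotReaJustForTestingPurposes12345678"

# Constructed email excerpt: one page referenced through two different
# gateways plus a native ipfs:// link. Gateway hostnames are examples.
SAMPLE_EMAIL = f"""\
Dear customer, please review your statement:
https://ipfs.io/ipfs/{SAMPLE_CIDV1}/index.html
If the link above does not open, use our mirror:
https://{SAMPLE_CIDV1}.ipfs.dweb.link/index.html
Attachment: ipfs://{SAMPLE_CIDV0}/statement.zip
Unrelated: https://example.com/login
"""


def extract_ipfs_cid(url):
    """Return the CID a URL resolves through, or None if it is not an IPFS reference.

    Recognised forms:
      ipfs://<cid>/...                native scheme
      https://<gateway>/ipfs/<cid>/   path-style gateway
      https://<cid>.ipfs.<gateway>/   subdomain-style gateway
    """
    parsed = urlparse(url)

    if parsed.scheme == "ipfs":
        # netloc keeps its case, which matters for base58 CIDv0 strings
        return parsed.netloc if CID_RE.fullmatch(parsed.netloc) else None

    host = parsed.hostname or ""
    labels = host.split(".")
    # Subdomain gateways put the CID in the leftmost DNS label, then "ipfs".
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.fullmatch(labels[0]):
        return labels[0]

    parts = parsed.path.split("/")
    # Path gateways use /ipfs/<cid>/<optional path>.
    if len(parts) >= 3 and parts[1] == "ipfs" and CID_RE.fullmatch(parts[2]):
        return parts[2]

    return None


def triage_urls(text):
    """Group every IPFS URL found in `text` by its CID.

    The CID is what a blocklist or hunting query should key on: one CID can
    be served by any gateway, so blocking a single hostname does not remove it.
    """
    by_cid = {}
    for url in URL_RE.findall(text):
        cid = extract_ipfs_cid(url)
        if cid is not None:
            by_cid.setdefault(cid, []).append(url)
    return by_cid


def gateways_for(by_cid, cid):
    """Distinct gateway hosts (or 'ipfs://') used to reach one CID, sorted."""
    hosts = set()
    for url in by_cid.get(cid, []):
        parsed = urlparse(url)
        if parsed.scheme == "ipfs":
            hosts.add("ipfs://")
        else:
            host = parsed.hostname or ""
            # strip the "<cid>.ipfs." prefix that subdomain gateways add
            hosts.add(host.split(".ipfs.", 1)[-1])
    return sorted(hosts)


if __name__ == "__main__":
    found = triage_urls(SAMPLE_EMAIL)
    for cid, urls in found.items():
        print(cid, "reached via", gateways_for(found, cid))
```

Running the module on the constructed excerpt reports the CIDv1 value as reachable through both ipfs.io and dweb.link, which is the case a host-based blocklist misses; the CID string itself is the indicator worth recording and sharing.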

Brumaghin noted that diverse threat actors are currently utilizing IPFS to host harmful content, further complicating efforts to combat phishing and malware distribution. Prominent among these is the Dark Utilities command-and-control framework, which facilitates remote access, DDoS attacks, and cryptocurrency mining, with payload binaries being delivered through IPFS.

Additionally, IPFS is being leveraged to serve counterfeit landing pages as part of phishing schemes designed to harvest user credentials and distribute a spectrum of malware types. This includes sophisticated threats like Agent Tesla, reverse shells, destructive data wipers, and the information-stealing malware known as Hannabi Grabber.

An illustrative case outlined by Talos involved a malicious email disguised as correspondence from a Turkish financial institution. The email encouraged the recipient to execute a ZIP file attachment, which acted as a downloader for an obfuscated version of Agent Tesla stored on IPFS.

Some of the destructive payloads are batch files that delete backups and recursively wipe directory contents. Hannabi Grabber, a Python-based variant, is engineered to collect sensitive data from infected systems, including browser information and screenshots, which it transmits via Discord webhooks.

This alarming trend underscores a notable escalation in the use of legitimate services like Discord, Slack, and Google Drive by attackers to distribute malicious content or redirect unsuspecting users. Such tactics not only enhance the effectiveness of phishing campaigns but also pose significant difficulties for organizations attempting to implement effective detection and defense mechanisms.

Brumaghin fully anticipates that this trend will continue to grow, as more cybercriminals become aware of IPFS’s potential for bulletproof hosting. This makes it especially challenging for organizations striving to mitigate threats that may utilize the uniquely resilient properties that IPFS offers.
