Threat actors are leveraging InterPlanetary File System (IPFS), an emerging distributed file storage protocol that enables computers to store and serve files as part of a peer-to-peer network, in order to host payloads for a Python-based information stealer called Hannabi Grabber.
Overall, researchers with Cisco Talos said in a Wednesday analysis that they are seeing increasingly widespread abuse of IPFS by threat actors to host phishing kit infrastructure and malware payloads. The technology was developed to enable the decentralized storage of resources across the internet, such as the tools used to render web pages or files that internet users can access.
However, researchers with Cisco Talos said that this legitimate use also makes it harder for security teams to spot malicious IPFS activity. This has been a driving factor behind a growing volume of malware samples – including Hannabi Grabber and Agent Tesla – delivered in attacks this year that leverage IPFS.
“Over the past few years, Talos has observed an increase in the number of cybercriminals taking advantage of technologies like the InterPlanetary File System (IPFS) to facilitate the hosting of malicious content as they provide the equivalent of ‘bulletproof hosting’ and are extremely resilient to attempts to moderate the content stored there,” said Edmund Brumaghin, threat researcher with Cisco Talos, in a Wednesday analysis.
Resources stored within IPFS can be accessed using an IPFS client or through an IPFS “gateway” built with publicly available tools. Any computer can download the IPFS software and start hosting and serving files; this ease of use, coupled with the challenges of moderating IPFS-hosted content, makes IPFS attractive to attackers, researchers said.
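Because content is reachable either over the native ipfs:// scheme or through any public gateway, a defender hunting for IPFS-hosted payloads needs to recognise all of those URL forms and pull out the content identifier (CID) as the durable indicator, since the gateway hostname is interchangeable. The following Python snippet is an added example written for this article, not code from Cisco Talos; the gateway hostnames and log lines are constructed placeholders, and the CID patterns are format approximations (CIDv0 as a 46-character base58 string beginning "Qm", CIDv1 as lowercase base32 beginning "b") rather than full multiformat validation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Approximate CID shapes (assumption: good enough for hunting, not full validation).
# CIDv0: "Qm" + 44 base58 chars. CIDv1: "b" + lowercase base32, as used by
# subdomain gateways, which require a case-insensitive encoding.
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CID_V1 = r"b[a-z2-7]{50,}"
CID_RE = re.compile(rf"^(?:{CID_V0}|{CID_V1})$")


@dataclass
class IpfsHit:
    url: str
    form: str                 # "scheme", "path-gateway", "subdomain-gateway", "ipns"
    cid: Optional[str]        # None for IPNS names or unparseable identifiers
    gateway: Optional[str]    # gateway host, None for the native scheme


def detect_ipfs(url: str) -> Optional[IpfsHit]:
    """Return an IpfsHit if the URL references IPFS/IPNS content, else None."""
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    path_parts = [p for p in parsed.path.split("/") if p]

    # 1. Native scheme: ipfs://<cid>/... or ipns://<name>/...
    #    Use netloc, not hostname, because base58 CIDv0 is case-sensitive.
    if scheme in ("ipfs", "ipns"):
        ident = parsed.netloc
        return IpfsHit(url, "scheme", ident if CID_RE.match(ident) else None, None)

    # 2. Path gateway: https://<gateway>/ipfs/<cid>/... or /ipns/<name>/...
    if len(path_parts) >= 2 and path_parts[0] in ("ipfs", "ipns"):
        ident = path_parts[1]
        form = "path-gateway" if path_parts[0] == "ipfs" else "ipns"
        return IpfsHit(url, form, ident if CID_RE.match(ident) else None, host)

    # 3. Subdomain gateway: https://<cid>.ipfs.<gateway>/...
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] in ("ipfs", "ipns"):
        ident = labels[0]
        return IpfsHit(url, "subdomain-gateway",
                       ident if CID_RE.match(ident) else None, ".".join(labels[2:]))
    return None


# Constructed proxy log sample: "<timestamp> <client> <url> <action>".
# Hostnames and CIDs are placeholders invented for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 https://www.example.com/index.html allowed
2024-01-01T10:00:01Z 10.0.0.5 https://gateway.example.net/ipfs/QmTestCidConstructedForDemoAbcdefghjk3456789ab/update.exe allowed
2024-01-01T10:00:02Z 10.0.0.7 https://bafybeiconstructedcidfordemoonlyabcdefghijklmnopqrstuvwxyz2.ipfs.gateway.example.org/ allowed
2024-01-01T10:00:03Z 10.0.0.9 ipfs://QmTestCidConstructedForDemoAbcdefghjk3456789ab/payload.py allowed
2024-01-01T10:00:04Z 10.0.0.9 https://gateway.example.net/ipns/docs.example.com/ allowed
"""


def scan_log(lines: str) -> List[IpfsHit]:
    """Run detect_ipfs over the URL column of each log line."""
    hits: List[IpfsHit] = []
    for line in lines.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        hit = detect_ipfs(fields[2])
        if hit:
            hits.append(hit)
    return hits


def unique_cids(hits: List[IpfsHit]) -> List[str]:
    """Collapse hits to the set of CIDs, the gateway-independent indicator."""
    return sorted({h.cid for h in hits if h.cid})


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.form:18} cid={h.cid} gateway={h.gateway}")
    print("CIDs to hunt/block:", unique_cids(SAMPLE_LOG and scan_log(SAMPLE_LOG)))
```

Keying detections on the CID rather than the gateway host is the point: the same payload fetched through a different gateway, or via a local IPFS client, still yields the same identifier, which is what makes it a stable indicator to search for across proxy, DNS and email telemetry.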
“Unlike traditional web hosting technologies where specific companies are responsible for moderating content stored on their platform(s), IPFS is decentralized,” said Brumaghin. “There is no entity that can modify/remove that content. Content stored within the IPFS network is synchronized across multiple systems participating in the network such that if a system exists on the network with a copy of the content, the content will be accessible.”