Threat actors are increasingly abusing the InterPlanetary File System (IPFS) to host malware samples and phishing kits, both to evade detection by security products and to make their campaigns more resilient to takedowns.
According to a report published today by Cisco Talos, there’s a steep rise in the number of malware detections concerning samples originating from IPFS gateways.
Given the current conditions in the security industry and the stance of organizations on the matter, this trend is expected to continue.
The IPFS Advantage
IPFS is a peer-to-peer file-sharing protocol launched in 2015 for building decentralized networks.
It replaces the idea of hosting data on a centrally located server with a system built on content identifiers (CIDs, the hash of the content itself), nodes, mirrors, and a distributed hash table used to find which peers hold a given CID.
IPFS can host any type of file, including the resources required to render web pages. Unlike BitTorrent, which forms a separate swarm for each torrent, IPFS operates as a single global network in which any node holding a copy can serve a file by its CID.
Because content is addressed by hash and served by any node that holds a copy, taking down malware or phishing pages hosted on IPFS is difficult in practice and, in many cases, impossible.
This keeps malicious sites online for longer, so malware distribution and phishing campaigns are not interrupted.
IPFS also hinders law enforcement and provides a degree of obfuscation: tracing a file back through the network of peers and mirrors to whoever originally published it is not straightforward.
Cisco also underlines that IPFS is widely used by legitimate service providers, so most traffic to IPFS networks and gateways is benign. That makes blocking gateway traffic outright impractical and lets malicious fetches blend in with normal activity.
According to Cisco, IPFS is currently used to host a variety of phishing kits that let threat actors quickly generate credential-stealing pages, publish them on IPFS, and collect the pilfered credentials through a panel hosted at a private address.
Abuse by malware operators is also widespread, with the most notable case involving the Agent Tesla malware family, one of the most widely distributed RATs (remote access trojans) at the moment.
Cisco reports seeing IPFS gateways used to deliver Agent Tesla to victims' systems as part of a standard malspam infection chain.
“In another example, we observed a variety of malware payloads being uploaded to public sample repositories over a period of several months,” explains Cisco.
“In all three clusters, the initial payload functioned as a loader and operated similarly; however, the final payload hosted on the IPFS network was different in each cluster.”
The final payloads in these cases were reverse shells, batch-based data wipers, and Python-based information stealers such as ‘Hannabi Grabber’.
In every case Cisco’s analysts examined, the payload was fetched from IPFS as base64-encoded text split into several blobs, which the loader reassembled and decoded on the victim’s machine.
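The two things a defender most needs from the behaviour described above are a way to spot IPFS gateway fetches in proxy or web logs, and a way to reconstruct a payload that was pulled down as base64 fragments. The following script is an added example written for this page, not Cisco Talos code or anything from the campaigns it describes. It assumes a simple space-separated log layout, uses ipfs.io and dweb.link only as illustrative gateway hostnames, and the CIDs in the sample lines are synthetic strings that reference no real content.

```python
"""Flag IPFS gateway fetches in constructed proxy-log lines and reassemble a
base64 payload fetched in pieces. Added example, not Cisco Talos code."""
import base64
import re
from urllib.parse import urlparse

# CIDv0: base58btc, always "Qm" followed by 44 chars (alphabet drops 0, O, I, l).
CIDV0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
# CIDv1 as gateways print it: multibase prefix "b" (base32, lowercase), 50+ chars.
CIDV1 = r"b[a-z2-7]{50,}"
CID = rf"(?:{CIDV0}|{CIDV1})"

# Path-style gateway URL: https://<gateway>/ipfs/<cid>[/file]
PATH_RE = re.compile(rf"^/ipfs/({CID})(?:/|$)")
# Subdomain-style gateway URL: https://<cid>.ipfs.<gateway>/[file]
# DNS labels are case-insensitive, so only lowercase base32 CIDv1 appears here.
SUBDOMAIN_RE = re.compile(rf"^({CIDV1})\.ipfs\.(.+)$")


def extract_ipfs_reference(url):
    """Return {"cid", "gateway", "style"} if url points at an IPFS gateway, else None.

    Any host exposing /ipfs/<cid> is treated as a gateway; the check is on the
    URL shape and CID format, not on a list of known gateway names.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    m = SUBDOMAIN_RE.match(host)
    if m:
        return {"cid": m.group(1), "gateway": m.group(2), "style": "subdomain"}
    m = PATH_RE.match(parts.path)
    if m:
        return {"cid": m.group(1), "gateway": host, "style": "path"}
    return None


def scan_proxy_log(lines):
    """Return one hit per line whose URL resolves content from an IPFS gateway.

    Assumed log layout (constructed): "<time> <client-ip> <method> <url> <status>".
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ref = extract_ipfs_reference(fields[3])
        if ref:
            hits.append({"time": fields[0], "client": fields[1], **ref})
    return hits


def reassemble_base64_blobs(blobs):
    """Join base64 fragments fetched separately, then decode once.

    A loader that splits one base64 string into blobs must be undone by joining
    first and decoding once (decoding each blob separately would break 3-byte
    groups at the split points). Missing '=' padding is restored, and
    validate=True rejects anything outside the base64 alphabet.
    """
    joined = "".join(b.strip() for b in blobs)
    joined += "=" * (-len(joined) % 4)
    return base64.b64decode(joined, validate=True)


# Constructed sample log; the CIDs are synthetic and reference no real content.
SAMPLE_LOG = [
    "2022-11-09T10:01:02Z 10.0.0.5 GET https://ipfs.io/ipfs/QmZZZZ1111aaaa2222bbbb3333cccc4444dddd5555eeee/invoice.exe 200",
    "2022-11-09T10:01:03Z 10.0.0.5 GET https://bafybeiconstructedexamplecidforillustrationonly234567234567.ipfs.dweb.link/stage2.txt 200",
    "2022-11-09T10:01:04Z 10.0.0.7 GET https://example.com/ipfs/not-a-cid/readme.html 404",
    "2022-11-09T10:01:05Z 10.0.0.7 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['gateway']} ({hit['style']}) cid={hit['cid']}")
```

Matching on the CID format rather than on gateway hostnames is deliberate: public gateways are numerous and change often, while the `/ipfs/<cid>` path and `<cid>.ipfs.<host>` subdomain shapes are stable. The CID itself is a useful pivot, since the same hash fetched through different gateways is the same file.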
An August 2022 report by Cisco also described a fully fledged “C2aaS” (command and control as a service) platform named ‘Dark Utilities’, which used IPFS to host its payloads and promised its “clients” maximum resilience.
Threat Landscape Changing
Malware using IPFS isn’t new, but Cisco reports that abuse is now escalating as more threat actors decide the benefits outweigh the complexity of maintaining content on a constantly shifting network.
At present, IPFS isn’t getting the attention it deserves from defenders and security analysts, which gives malicious actors an opportunity to use the protocol to fly under the radar.
Cisco expects the abuse to continue and gradually grow in volume until additional detection and security layers are implemented to stop threats originating from IPFS networks.