DDoSia Attack Tool Thrives on Encryption, Targets Multiple Sectors


The threat actor behind the DDoSia attack tool has come up with a new version that incorporates a new mechanism to fetch the list of targets to be bombarded with garbage HTTP requests in an attempt to bring them down.

The updated variant, written in Golang, “applies an additional security mechanism to hide the target list, which is transmitted from (command-and-control) to the user,” cybersecurity firm Sekoia said in a technical write-up.

DDoSia is associated with a pro-Russian hacker group named NoName057(16). Launched in 2022 as the successor of the Bobik botnet, the attack tool is designed to conduct distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan.

Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the United Kingdom, and Switzerland emerged as the most targeted countries during the period from 8 May to 26 June 2023. A total of 486 different sites were affected.

Python and Go-based implementations of DDoSia have been found to date, making it a cross-platform program that can be used on Windows, Linux, and macOS systems.

“DDoSia is a multi-threaded application that performs a denial-of-service attack against a target site by repeatedly issuing network requests,” SentinelOne explained in an analysis published in January 2023. “DDoSia issues requests as instructed by configuration files that the malware receives from C2 servers on startup.”

DDoSia is distributed through a fully automated process on Telegram that allows individuals to register for the crowdsourced initiative in exchange for cryptocurrency payments and ZIP archives containing the attack toolkit.

What is noteworthy about this new version is the use of encryption to mask the list of targets to be attacked, indicating that this tool is actively maintained by the operator.

“NoName057(16) strives to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in a broader targeting of victims,” Sekoia said.

This development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns about targeted denial-of-service (DoS) and DDoS attacks against multiple organizations across a wide range of sectors.

“These attacks can cost an organization time and money and can impose a reputational cost while rendering resources and services inaccessible,” the agency said in a newsletter.

Although CISA did not provide any additional details, the warning overlaps with claims by Anonymous Sudan on its Telegram channel that the websites of the Department of Commerce, the Social Security Administration (SSA), and the Treasury Department’s Electronic Federal Tax Payment System (EFTPS) had been shut down.

Anonymous Sudan attracted attention last month for carrying out Layer 7 DDoS attacks against various Microsoft services, including OneDrive, Outlook, and the Azure web portal. The tech giant is tracking the cluster under the name Storm-1359.

The hacker crew has confirmed that it is carrying out cyber attacks from Africa on behalf of oppressed Muslims around the world. But cybersecurity researchers believe it is a pro-Kremlin operation with no ties to Sudan and a member of the KillNet hacking group.

In an analysis released on June 19, 2023, Australian cybersecurity vendor CyberCX characterized the entity as a “smokescreen for the interests of Russia.” The company’s website has since become inaccessible, greeting visitors with a “403 Forbidden” message. The threat actor claimed responsibility for the cyber attack.

“Reason for the attack: stop spreading rumors about us, and you should tell the truth and stop the investigations we call dog investigations,” Anonymous Sudan said in a message posted on June 22, 2023.

Anonymous Sudan, in a Bloomberg report last week, further denied it was connected to Russia but admitted that they share common interests and that it pursues “everything that is hostile to Islam.”

CISA’s latest advisory also did not go unnoticed, as the group posted a response on June 30, 2023, which stated: “A small Sudanese group with limited capabilities forces the world’s ‘most powerful government’ to publish articles and tweet about our attack.”
