Researchers have discovered a new version of the Fodcha DDoS botnet, featuring upgrades to deter analysis by security researchers and the ability to inject ransom demands into packets.
Fodecha DDOS Botnet
Fodcha first came to light earlier this April, with the malware propagating through known vulnerabilities in Android and IoT devices as well as weak Telnet or SSH passwords.
The botnet achieved a new peak on Oct. 11, 2022, in which it attacked 1,396 targets, and currently has a global reach with targets infected in Brazil, Canada, Japan and Australia.
According to researchers, operators are now also able to embed ransom demands in the Data portion of Fodchas DDoS packets, informing victims that they seek payment of 10 XMR or Monero worth around $1,500 in exchange for stopping the attacks.
There have been changes made to the protocol used for communication between Fodcha and the users in the newly released version. At the file and traffic level, in an attempt to evade detection, the developers behind this botnet used two key algorithms to encrypt the sensitive resources and network communication.
Two key algorithms used by the threat actors for encryption:-
- xxtea algorithm
- chacha20 algorithm
While as the primary choice C2, the developers presented the “OpenNIC domain name,” and as a dual C2 solution for backup C2 they presented the “ICANN domain name.”
Moreover, extortion is also included in this version where a Monero ransom is demanded in order to stop the attacks from going forward.
The threat actors demand Monero because it is a privacy coin, which means that the transaction can not be traced much more easily. In consequence, XMR is commonly requested as a payment method by ransomware gangs and other threat actors.
Sample IOCS for Fodcha
0e3ff1a19fcd087138ec85d5dba59715
1b637faa5e424966393928cd6df31849
208e72261e10672caa60070c770644ba
2251cf2ed00229c8804fc91868b3c1cb
2a02e6502db381fa4d4aeb356633af73
2ed0c36ebbeddb65015d01e6244a2846
2fe2deeb66e1a08ea18dab520988d9e4
37adb95cbe4875a9f072ff7f2ee4d4ae
3fc8ae41752c7715f7550dabda0eb3ba
40f53c47d360c1c773338ef5c42332f8
4635112e2dfe5068a4fe1ebb1c5c8771
525670acfd097fa0762262d9298c3b3b
54e4334baa01289fa4ee966a806ef7f1
5567bebd550f26f0a6df17b95507ca6d
5bdb128072c02f52153eaeea6899a5b1
6244e9da30a69997cf2e61d8391976d9
65dd4b23518cba77caab3e8170af8001
6788598e9c37d79fd02b7c570141ddcf
760b2c21c40e33599b0a10cf0958cfd4
792fdd3b9f0360b2bbee5864845c324c
7a6ebf1567de7e432f09f53ad14d7bc5
9413d6d7b875f071314e8acae2f7e390
954879959743a7c63784d1204efc7ed3
977b4f1a153e7943c4db6e5a3bf40345
9defda7768d2d806b06775c5768428c4
9dfa80650f974dffe2bda3ff8495b394
a996e86b511037713a1be09ee7af7490
b11d8e45f7888ce85a67f98ed7f2cd89
b1776a09d5490702c12d85ab6c6186cd
b774ad07f0384c61f96a7897e87f96c0
c99db0e8c3ecab4dd7f13f3946374720
c9cbf28561272c705c5a6b44897757ca
cbdb65e4765fbd7bcae93b393698724c
d9c240dbed6dfc584a20246e8a79bdae
e372e5ca89dbb7b5c1f9f58fe68a8fc7
ebf81131188e3454fe066380fa469d22
fe58b08ea78f3e6b1f59e5fe40447b11
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment