Researchers have discovered a new version of the Fodcha DDoS botnet, featuring upgrades to deter analysis by security researchers and the ability to inject ransom demands into packets.
Fodcha DDoS Botnet
Fodcha first came to light in April 2022, propagating through known vulnerabilities in Android and IoT devices as well as weak Telnet and SSH passwords.
The botnet reached a new peak on Oct. 11, 2022, attacking 1,396 targets in a single day, and its reach is now global, with attack targets in Brazil, Canada, Japan and Australia.
According to researchers, operators are now also able to embed ransom demands in the data (payload) portion of Fodcha's DDoS packets, informing victims that they must pay 10 XMR (Monero), worth around $1,500 at the time, for the attacks to stop.
The new version also changes the protocol used between the bots and their C2 servers. To evade detection at both the file and traffic level, the developers encrypt sensitive resources and network communication with two algorithms:
- XXTEA, for the sensitive resources embedded in the file
- ChaCha20, for network communication with the C2
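Neither algorithm is exotic, but XXTEA has no standard-library implementation, so an analyst who wants to recover the encrypted resources from a sample usually ends up writing it by hand. The following is an added worked example for this article, not code from the botnet or from the researchers: it implements XXTEA (corrected Block TEA) for 32-bit little-endian words and a small length-in-last-word framing, and decrypts a constructed resource with a constructed key. The key, the plaintext, the word order and the framing are all assumptions; a real sample's key and framing must be recovered from the binary before this helps.

```python
"""XXTEA (corrected Block TEA), the algorithm Fodcha uses to protect embedded resources.

Added example, not the botnet's code. Key, plaintext, little-endian word order and
the length-in-last-word framing are constructed assumptions for illustration.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(total, y, z, p, e, k):
    # XXTEA mixing function. Masking only at the end is safe in Python: carries and
    # left shifts push bits upward, never into the low 32 bits we keep.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _key_words(key: bytes):
    if len(key) != 16:
        raise ValueError("XXTEA needs a 128-bit key")
    return struct.unpack("<4I", key)


def _encrypt_words(v, k):
    n = len(v)
    rounds = 6 + 52 // n          # round count depends on block length
    total = 0
    z = v[n - 1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def _decrypt_words(v, k):
    n = len(v)
    rounds = 6 + 52 // n
    total = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return v


def xxtea_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Zero-pad to 32-bit words, append the true length as the last word, encrypt."""
    padded = plaintext + b"\x00" * (-len(plaintext) % 4)
    v = list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    if not v:
        v.append(0)               # XXTEA needs at least two words
    v.append(len(plaintext))
    _encrypt_words(v, _key_words(key))
    return struct.pack("<%dI" % len(v), *v)


def xxtea_decrypt(blob: bytes, key: bytes) -> bytes:
    """Inverse of xxtea_encrypt; a wrong key almost always yields an impossible length word."""
    if len(blob) < 8 or len(blob) % 4:
        raise ValueError("ciphertext must be at least 8 bytes and a multiple of 4")
    v = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    _decrypt_words(v, _key_words(key))
    length = v[-1]
    body = struct.pack("<%dI" % (len(v) - 1), *v[:-1])
    if length > len(body):
        raise ValueError("length word out of range: wrong key or corrupted blob")
    return body[:length]


def recover_resource(blob: bytes, key: bytes):
    """Analyst helper: the decrypted resource, or None when the candidate key does not fit."""
    try:
        return xxtea_decrypt(blob, key)
    except ValueError:
        return None


# Constructed sample: made-up key and made-up "config string", not a real Fodcha artifact.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PLAINTEXT = b"c2=primary.example.libre;backup=backup.example.com"

if __name__ == "__main__":
    blob = xxtea_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("ciphertext:", blob.hex())
    print("recovered :", recover_resource(blob, SAMPLE_KEY))
    print("wrong key :", recover_resource(blob, b"\xff" * 16))
```

The length check in `xxtea_decrypt` doubles as a cheap key-candidate filter when brute-forcing keys pulled from a sample's data section: a wrong key produces a random length word that is out of range far more often than not, so only the rare survivors need a look at their plaintext.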
For C2, the developers use an OpenNIC domain name as the primary choice and an ICANN domain name as a backup, a dual-C2 scheme that keeps the botnet reachable if one resolution path fails.
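The dual-C2 design has a side effect worth hunting for: OpenNIC top-level domains do not exist in the ICANN root, so on a network whose resolvers follow the ICANN root a bot's primary lookup fails and it falls back to its ICANN name. The following is an added example for this article, not the researchers' code or tooling: it scans constructed resolver log lines (format "timestamp client qname qtype rcode", an assumption) for queries to an illustrative subset of OpenNIC TLDs and pairs each failed OpenNIC lookup with the same client's next ordinary query. The TLD set is a partial list from memory and should be refreshed from OpenNIC's published list before use.

```python
"""Hunting for an OpenNIC-primary / ICANN-backup C2 pattern in resolver logs.

Added example for this article, not the researchers' code. The log format and the
OpenNIC TLD subset are assumptions; the sample log below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Illustrative subset of OpenNIC top-level domains (assumption: refresh from OpenNIC's list).
OPENNIC_TLDS = {"bbs", "chan", "cyb", "dyn", "geek", "gopher", "indy", "libre",
                "neo", "null", "o", "oss", "oz", "parody", "pirate"}

# Assumed log line shape: "<timestamp> <client ip> <qname> <qtype> <rcode>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$")


def tld_of(qname: str) -> str:
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def is_opennic_name(qname: str) -> bool:
    """A name under a TLD that exists only in OpenNIC cannot resolve via ICANN-rooted resolvers."""
    return tld_of(qname) in OPENNIC_TLDS


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_opennic_lookups(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each client to the OpenNIC names it asked for, with the resolver's response code."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_opennic_name(rec["qname"]):
            hits[rec["client"]].append((rec["qname"], rec["rcode"]))
    return dict(hits)


def fallback_candidates(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Pair each failed OpenNIC lookup with the same client's next non-OpenNIC query.

    That ordering (primary C2 name fails, then an ICANN name is tried) is what a
    dual-C2 bot produces behind resolvers that only know the ICANN root."""
    pending = {}                      # client -> OpenNIC qname awaiting a follow-up query
    pairs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        client, qname = rec["client"], rec["qname"]
        if is_opennic_name(qname):
            if rec["rcode"] != "NOERROR":
                pending[client] = qname
        elif client in pending:
            pairs[client].append((pending.pop(client), qname))
    return dict(pairs)


# Constructed sample log; the hosts and names are made up for illustration.
SAMPLE_LOG = [
    "2022-10-11T08:00:01Z 10.0.0.7 primary.example.libre A NXDOMAIN",
    "2022-10-11T08:00:02Z 10.0.0.7 backup.example.com A NOERROR",
    "2022-10-11T08:00:03Z 10.0.0.9 www.example.com A NOERROR",
    "2022-10-11T08:00:04Z 10.0.0.9 mail.example.org MX NOERROR",
    "2022-10-11T08:00:05Z 10.0.0.7 primary.example.libre A NXDOMAIN",
    "2022-10-11T08:00:06Z 10.0.0.7 backup.example.com A NOERROR",
]

if __name__ == "__main__":
    for client, names in find_opennic_lookups(SAMPLE_LOG).items():
        print(client, "queried OpenNIC names:", names)
    for client, pairs in fallback_candidates(SAMPLE_LOG).items():
        print(client, "fallback pairs:", pairs)
```

A client that queries an OpenNIC TLD at all is unusual on most corporate networks; one that does so repeatedly and then immediately resolves an ordinary domain is the shape to pivot on. If the bot instead carries its own OpenNIC resolver addresses, the lookups bypass the internal resolver entirely, so outbound UDP/53 to unexpected destinations is the complementary check.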
Extortion is built into the same version: the embedded note demands Monero to stop the attacks, and it demands Monero specifically because it is a privacy coin whose transactions are far harder to trace, which is also why XMR is a common payment choice for ransomware gangs and other threat actors.
Sample IOCs for Fodcha