The DDoS-as-a-Service market has found new malware to overwhelm networks with excessive traffic: MDBotnet for DDoS attacks, as dubbed by researchers.
MDBotnet for DDoS Attacks was discovered on a cybercrime forum, which is suspected to have been made by Russian hacktivists.
Sold for 2,500₽ (Russian Rubles) a lifetime, the MDBotnet for DDoS attacks was advertised on the dark web and was traced by the Cyble Research and Intelligence Labs (CRIL).
Details of the MDBotnet for DDoS attacks
The advertisement titled, “Powerful DDoS on your competitor’s website/ server | Botnet access,” sold the MDBotnet for DDoS attacks with free test trial attacks.
Buyers of the MDBotnet were given to test the malware for 5 to 10 minutes to check the accuracy of the requests’ impact on the targeted server.
The sellers claimed to be always online with their services and offered refunds in case of force majeure which is a common clause in contracts that frees both sides of the trade in case of unforeseen events.
They also offered round-the-clock monitoring of the target likely to gauge the damage caused to the target using the MDBotnet for DDoS attacks.
The seller also claimed that the DDoS-as-a-Service could attack WEB (clearnet), VPS/ VDS, IP-TV, TCP/ UDP Applications.
MDBotnet for DDoS attacks: Technical details
The executable was named SlavaRussia.exe and it could launch an HTTP/ SYN flood attack. SYN flood attack or TCP SYN flood exploits a common vulnerability in the TCP/ IP handshake.
Such attacks prevent connecting with legitimate network traffic and are capable of impacting high-capacity devices that can take millions of connections.
- The sample hash investigated by CRIL researchers was – (SHA256), ae582545c3196afa5ac6419db9d57b11633e8282f29e3cd48fe31b9dd250a963
It was a GUI-based 32-bit executable in .NET compiler.
- The MDBotnet for DDoS attacks performed the following functions:
- Connect to a TCP socket connection to a server with the IP address (212[.]109[.]199[.]128) and port number (4202)
- Retrieve the path of the %appdata% folder for a specific file named exe. In the absence of the file in the directory, the MDBotnet would send a GetUpdater message from the Update class Update.GetUpdater to download Updater.exe to download the latest version of the executable (svhost.exe).
- exe gets executed leading to the download of svhost.exe which is dropped in the %appdata% directory.
- To maintain persistence on the target’s system, the MDBotnet for DDoS attacks creates a registry key so the svhost.exe runs automatically at startup.
The MDBotnet for DDoS attacks takes the HTTPGetAttack command to send repetitive HTTP GET requests to the targeted website.
Attacks from the MDBotnet can not only halt the website but also lead to a system crash depending upon the traffic and the targeted system capabilities.
“It’s worth noting that in the analyzed sample, the utilization of the SYNAttack class may have been disabled during the creation of the executable binary,” CRIL researchers noted in the Cyble blog.
The code was also found to sleep for 2000 milliseconds or 2 seconds using the Threat.Sleep method following which it connects to the hacker’s C2 server.
“Currently, the TAs responsible for MDBotnet are actively involved but with limited functionalities,” CRIL researchers noted.
“Although the code for the SYN flood attack is present in the malware, it remains inactive, indicating that the malware is still in development,” the blog concluded.
Maintaining security against DDoS attacks requires constantly updating software with patches released because malware attacks thrive on vulnerable software.
Failing in attacks that depend on human error including phishing emails and brute force attacks to gain access, cybercriminals look for flaws in firmware, hardware and software.
Cyble recently noted that CVE-2023-25717 was actively exploited with the AndoryuBot, which is a new Botnet sold on Telegram for DDoS attacks.
