The DDoS-as-a-Service market has found new malware to overwhelm networks with excessive traffic: MDBotnet for DDoS attacks, as dubbed by researchers.
MDBotnet was discovered on a cybercrime forum and is suspected to have been created by Russian hacktivists.
Sold for 2,500₽ (Russian rubles) for lifetime access, the MDBotnet DDoS malware was advertised on the dark web and was traced by the Cyble Research and Intelligence Labs (CRIL).
The advertisement, titled “Powerful DDoS on your competitor’s website/ server | Botnet access,” offered the MDBotnet for DDoS attacks along with free trial attacks.
Buyers of the MDBotnet were allowed to test the malware for 5 to 10 minutes to gauge the impact of its requests on the targeted server.
The sellers claimed to be always online with their services and offered refunds in case of force majeure, a standard contract clause that releases both sides of a deal in the event of unforeseen circumstances.
They also offered round-the-clock monitoring of the target, likely to gauge the damage caused by the MDBotnet DDoS attacks.
The seller also claimed that the DDoS-as-a-Service could attack WEB (clearnet) sites, VPS/ VDS hosts, IP-TV, and TCP/ UDP applications.
The executable was named SlavaRussia.exe and could launch an HTTP flood or a SYN flood attack. A SYN flood, or TCP SYN flood, exploits a weakness in the TCP/ IP three-way handshake.
Such attacks prevent legitimate network traffic from connecting and are capable of impacting high-capacity devices that can handle millions of connections.
It was a GUI-based 32-bit executable compiled with .NET.
The MDBotnet for DDoS attacks takes the HTTPGetAttack command to send repetitive HTTP GET requests to the targeted website.
Attacks from the MDBotnet can not only take the website offline but also crash the underlying system, depending on the traffic volume and the capacity of the targeted system.
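As an added, defender-side example that is not part of this article or of Cyble's analysis: a small Python detector that replays web-server access-log lines and flags any source sending the kind of repetitive GET traffic described above. The log lines are constructed here, and the window size and threshold are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format as written by nginx/Apache access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")

def detect_get_flood(lines, window_seconds=10, threshold=20):
    """Flag source IPs that issue more than `threshold` GET requests inside any
    sliding window of `window_seconds` (log assumed chronological per source).
    Returns {ip: peak_requests_in_one_window} for the flagged sources only."""
    recent = defaultdict(deque)   # ip -> timestamps of GETs still inside the window
    peak = defaultdict(int)       # ip -> highest count seen in a single window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "GET":
            continue
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

# Constructed sample: one source hammering "/" (25 GETs in 5 s), one normal visitor.
FLOOD_IP, NORMAL_IP = "198.51.100.7", "203.0.113.5"
def _line(ip, second, path):
    return f'{ip} - - [21/Jun/2023:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'
SAMPLE_LOG = [_line(FLOOD_IP, i // 5, "/") for i in range(25)] + \
             [_line(NORMAL_IP, s, p) for s, p in ((1, "/"), (4, "/about"), (9, "/contact"))]

if __name__ == "__main__":
    print(detect_get_flood(SAMPLE_LOG))   # {'198.51.100.7': 25}
```

The same per-source sliding-window count works on a live tail of the log; the flagged map is what you would feed into a rate limiter or block list.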
“It’s worth noting that in the analyzed sample, the utilization of the SYNAttack class may have been disabled during the creation of the executable binary,” CRIL researchers noted in the Cyble blog.
The code was also found to sleep for 2000 milliseconds (2 seconds) using the Thread.Sleep method, after which it connects to the attacker’s C2 server.
“Currently, the TAs responsible for MDBotnet are actively involved but with limited functionalities,” CRIL researchers noted.
“Although the code for the SYN flood attack is present in the malware, it remains inactive, indicating that the malware is still in development,” the blog concluded.
Maintaining security against DDoS attacks requires keeping software up to date with released patches, because malware campaigns thrive on vulnerable software.
When attacks that depend on human error, such as phishing emails and brute-force attempts, fail to gain access, cybercriminals look for flaws in firmware, hardware, and software instead.
Cyble recently noted that CVE-2023-25717 was being actively exploited by AndoryuBot, a new botnet sold on Telegram for DDoS attacks.