threat actors behind DDoSia The attack tool has developed a new version that incorporates a new mechanism to get a list of targets to attack and bring down junk HTTP requests.
An updated variant, written in Golang, “implements an additional security mechanism to hide the list of targets. This mechanism [command-and-control] to users,” cybersecurity firm Sekoia said in a technical document.
DDoSia is believed to be the work of a pro-Russian hacker group called NoName(057)16. Launched in 2022 and the successor to the Bobik botnet, this attack tool is designed to conduct distributed denial of service (DDoS) attacks against targets primarily located in Europe, Australia, Canada, and Japan.
From May 8 to June 26, 2023, Lithuania, Ukraine, Poland, Italy, Czech Republic, Denmark, Latvia, France, United Kingdom, and Switzerland emerged as the most targeted countries. A total of 486 different websites were affected.
Python and Go-based implementations of DDoSia have been discovered to date, making it a cross-platform program that can be used across Windows, Linux, and macOS systems.
In an analysis published in January 2023, SentinelOne stated, “DDoSia is a multi-threaded application that performs denial-of-service attacks against target sites by repeatedly issuing network requests. I will issue a request according to the instructions in.” From the C2 server at boot time. “
DDoSia is distributed through a fully automated process on Telegram, allowing individuals to register for the crowdsourcing effort in exchange for a cryptocurrency payment and a ZIP archive containing the attack toolkit.
What’s notable about the new version is the use of encryption to hide the attack surface list. This indicates that this tool is actively maintained by the operator.
“NoName057(16) strives to make the malware compatible with multiple operating systems. This almost certainly reflects their intent to make the malware available to a large number of users. and, as a result, target a wider range of victims,” Sequoia said.
The development comes after the US Cybersecurity and Infrastructure Security Agency (CISA) warned of targeted denial of service (DoS) and DDoS attacks against multiple organizations in multiple sectors.
“These attacks can waste organizations time and money, and cause reputational damage while they cannot access resources and services,” the agency said in a bulletin.
CISA did not provide additional details, but the warning follows claims on Anonymous Sudan’s Telegram channel that it has shut down the websites of the Ministry of Commerce, the Social Security Administration (SSA) and the Ministry of Finance for the Electronic Federal Tax Payment System. overlaps with (EFTPS).
Anonymous Sudan made headlines last month for his Layer 7 DDoS attacks against various Microsoft services, including OneDrive, Outlook, and the Azure web portal. The tech giant tracks the cluster under the name Storm-1359.
The hacker group claimed to be conducting cyberattacks from Africa on behalf of oppressed Muslims around the world. But cybersecurity researchers believe this is a pro-Kremlin operation that has nothing to do with Sudan or members of the hacktivist group KillNet.
Australian cybersecurity vendor CyberCX characterized the organization as a “smokescreen for Russian interests” in an analysis released on June 19, 2023. The company’s website was then rendered inaccessible and visitors were shown a “403 Forbidden” message. The attacker has claimed responsibility for the cyberattack.
In a message posted on June 22, 2023, Anonymous Sudan said, “Reason for attack: Stop spreading rumors about us, tell the truth, stop the investigation we call the dog investigation. I have to,” he said.
Anonymous Sudan, in a Bloomberg report last week, further denied any ties to Russia, but admitted it shares similar interests and pursues “everything hostile to Islam.”
CISA’s latest recommendations have also attracted attention, with the group issuing a statement on June 30, 2023, stating, “A small group in Sudan with limited capabilities has attacked the world’s I forced the disclosure of.” “
