
Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks

6 September 2022 at 07:00

It has now been six months since the war in Ukraine began. Since then, pro-Russian and pro-Ukrainian hacker groups, such as KillNet, Anonymous, the IT Army of Ukraine, and Legion Spetsnaz RF, have carried out cyberattacks. A lesser-known group called NoName057(16) is among the pro-Russian groups attacking Ukraine and the neighboring countries that side with it.

NoName057(16) is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more, both in Ukraine and in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland. A full list of the group’s targets can be found at the end of this post.

To carry out DDoS attacks, hacker groups utilize botnets. They control them via C&C servers, sending commands to individual bots, which essentially act as soldiers. Uncovering and tracking botnets is complex and time-consuming.

We got our hands on malware called Bobik. Bobik is not new: it has been around since 2020 and is known as a Remote Access Trojan. Things have, however, recently changed. Devices infected with Bobik are now part of a botnet and are carrying out DDoS attacks for NoName057(16). We can confidently attribute the attacks to the group, as we have analyzed and compared what the C&C server instructs devices infected with Bobik to do with the attacks the group claims responsibility for on their Telegram channel.

Toolset

The bots making up the botnet are infected with malware called Bobik, which is written in .NET. The malware has not been tied to a particular group in the past, and is actually a Remote Access Trojan. Its spyware functionalities include keylogging, running and terminating processes, collecting system information, downloading/uploading files, and dropping further malware onto infected devices.

Kill Chain

In the wild, one of the most frequently observed droppers for Bobik is RedLine Stealer, a botnet-as-a-service that cybercriminals can pay for to spread their malware of choice. The usual workflow of Bobik is illustrated in the image below.

At first, an unknown group seems to have purchased RedLine Stealer to deploy Bobik. The final DDoS module deployment is composed of two basic stages. The first executes Bobik’s Updater via a RedLine Stealer bot. In the second stage, Bobik’s Updater extracts and drops the final DDoS module (Bobik’s RuntimeBroker) and ensures the module’s persistence.

Bobik deployment

When RuntimeBroker is run, the module contacts a C&C server and downloads a configuration file defining targets for DDoS attacks. The module then starts the attacks using a defined count of threads, usually five threads.

The detailed workflow of the Bobik deployment is shown below. The RedLine Stealer Cryptic (installer) deobfuscates the .NET payload of Bobik’s Updater and injects it into the newly created process of the .NET ClickOnce Launch Utility (AppLaunch.exe); see steps 1 – 5.

Bobik deployment using RedLine Stealer Cryptic

The same process is used to execute Bobik’s RuntimeBroker (the DDoS module), because the dropped RuntimeBroker is also packaged and obfuscated via RedLine Stealer Cryptic. Therefore, the dropped Bobik’s RuntimeBroker also deobfuscates the .NET payload of Bobik’s RuntimeBroker and injects it into another AppLaunch process; see steps 6 – 8. After all these steps, Bobik’s DDoS module is deployed, persistent, and ready to attack.

C&C Servers and Communication

Since June 1, 2022, we have observed Bobik’s network activities. Bobik bots communicate with C&C servers located in Russia and Romania. These two servers are already offline. However, another Romanian server is still active and able to send commands to the bots.

C&C Servers

Since we started tracking the botnet activity, we have captured three production C&C servers controlling Bobik bots and one development server. The servers run Ubuntu with Nginx (v1.18.0). RiskIQ reports all of the servers as malicious: they use self-signed certificates, have bad reputations, and previously hosted many suspicious services.

Server 1 

The last active server is 2.57.122.243, located in Romania; the first Bobik activity we saw on it was on June 13, 2022. We also have two DNS records for this malicious server:
v9agm8uwtjmz.sytes.net and q7zemy6zc7ptaeks.servehttp.com.

Server 2

The second server, 2.57.122.82, is also in Romania, but its communication with the Bobik bots was deactivated around July 14, 2022. The server is still up; however, it now responds with a 502 HTTP code (Bad Gateway). Based on the findings from Server 1, this server used the same v9agm8uwtjmz.sytes.net DNS record, which was reconfigured to point to Server 1 in the middle of June.

Server 3

The first Bobik C&C server we saw was 77.232.41.206 in Russia. The server had ports 80 and 443 open until June 9, 2022. It is no longer usable by Bobik bots, and therefore de facto offline, because the only open port now is the OpenSSH port, while Bobik requires port 80 for its C&C communication.

Dev Server

One of the C&C servers is a suspected development server at 109.107.181.130, listening on port 5001. The server has been active since April and is located in Russia; its reputation is also suspicious. Avast has not detected any hits for this server in the wild. However, one Python sample uses the server as a testing environment.

C&C Communication

The communication between Bobik bots and the C&C servers is mediated by a simple, unsecured HTTP request and response via the Nginx web server. The bots obtain their commands from the C&Cs through a URL; see the diagram below.

HTTP communication
Request

The request URL uses the following template:
http://[ip]/[request]/update?id=[sha256]&v=[version]&pr=[flag]

  • ip: Bobik bots hardcode one of the C&C IPs or one of the DNS records; see the C&C Servers section.
  • request: defines the purpose of the communication; we registered three types of requests, each in the form of a GUID:
    – notice: the bots report their states.
    – admin: this request can open the admin console of the Nginx web server.
    – dropper: the path to a malicious executable representing Bobik’s RuntimeBroker, followed by an exe file name.
    The exact GUIDs are listed in the Appendix.
  • id: a hash computed from Windows Management Instrumentation (WMI) information about the victim’s machine, such as Win32_DiskDrive, Win32_Processor, Win32_BaseBoard, etc. The hash can serve as a unique identifier for each Bobik bot.
  • v: the Bobik version; Avast has captured sample versions ranging from 8 to 19.
  • pr: a flag (0 or 1) indicating whether the communication with the C&C has timed out at least once.

The body of the HTTP request contains one simple XML tag with information about the victim; for instance:
<client a0="1" a1="en-US" a2="en-US" a3="14:03:53" a4="600">, where

  • a0: ProductType (1: Workstation, 2: Domain Controller, 3: Server)
  • a1: CultureInfo.InstalledUICulture
  • a2: CultureInfo.CurrentUICulture
  • a3: DateTime.Now
  • a4: Default timeout for the update of the DDoS target list from the C&C server

See the examples of the notice URLs:

  • http://2.57.122.82/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=AEF97F87751C863548359181B65B60EE86A7D44724040229CDE4622C99AB0B59&v=17&pr=1
  • http://2.57.122.82/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=67F5318073F09F03E762BF727015384589F00282EA26B1798C10581B8DC27F52&v=16&pr=1
  • http://v9agm8uwtjmz.sytes.net/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=B5B72AEBEC4E2E9EE0DAC37AC77EBFB679B6EC6D7EE030062ED9064282F404A7&v=18&pr=1
  • http://q7zemy6zc7ptaeks.servehttp.com/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=BADFD914A37A1FF9D2CBE8C0DBD4C30A9A183E5DF85FCAE4C67851369C2BAF87&v=18&pr=1
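The URL scheme above is distinctive enough to be matched in web-proxy logs. The following Python is an added example (not code from the post or from the IOC repository) that classifies URLs against the template, using the request GUIDs and C&C hosts the post lists; the Squid-style sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Request-type GUIDs and C&C hosts exactly as listed in the post (Appendix and C&C Servers).
BOBIK_GUIDS = {
    "bcaa8752-51ff-4e35-8ef9-4aefbf42b482": "notice",
    "d380f816-7412-400a-9b64-78e35dd51f6e": "notice",
    "27bff71b-42c0-4a47-ba39-04c83f2f40bb": "admin",
    "fb82275d-6255-4463-8261-ef65d439b83b": "dropper",
}
KNOWN_C2_HOSTS = {
    "2.57.122.243", "2.57.122.82", "77.232.41.206",
    "v9agm8uwtjmz.sytes.net", "q7zemy6zc7ptaeks.servehttp.com",
}

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
UPDATE_RE = re.compile(r"^/(" + GUID + r")/update$", re.I)
DROPPER_RE = re.compile(r"^/(" + GUID + r")/([^/]+\.exe)$", re.I)


@dataclass
class BobikHit:
    host: str
    kind: str                  # notice / admin / dropper / unknown
    bot_id: Optional[str]      # 64-hex WMI-derived bot identifier (update requests only)
    version: Optional[int]
    timed_out: Optional[bool]  # pr flag: C&C communication timed out at least once
    file_name: Optional[str]   # dropped executable name (dropper requests only)
    known_c2: bool             # host is one of the C&C addresses named in the post


def classify_url(url: str) -> Optional[BobikHit]:
    """Return a BobikHit if the URL follows the Bobik C&C scheme, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme != "http":  # Bobik talks plain HTTP on port 80
        return None
    host = parts.hostname or ""
    m = UPDATE_RE.match(parts.path)
    if m:
        q = parse_qs(parts.query)
        bot_id = q.get("id", [""])[0]
        ver = q.get("v", [""])[0]
        pr = q.get("pr", [""])[0]
        # The template requires a 64-hex id, a numeric version and a 0/1 flag.
        if not (re.fullmatch(r"[0-9A-Fa-f]{64}", bot_id) and ver.isdigit() and pr in ("0", "1")):
            return None
        # A GUID not in the list is still flagged: the parameter shape alone is distinctive.
        kind = BOBIK_GUIDS.get(m.group(1).lower(), "unknown")
        return BobikHit(host, kind, bot_id.upper(), int(ver), pr == "1", None, host in KNOWN_C2_HOSTS)
    m = DROPPER_RE.match(parts.path)
    if m and BOBIK_GUIDS.get(m.group(1).lower()) == "dropper":
        return BobikHit(host, "dropper", None, None, None, m.group(2), host in KNOWN_C2_HOSTS)
    return None


def scan_proxy_log(lines) -> List[Tuple[int, BobikHit]]:
    """Return (line_number, hit) for every log line whose URL token matches the scheme."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if token.startswith("http://"):
                hit = classify_url(token)
                if hit:
                    hits.append((n, hit))
    return hits


# Constructed sample lines in a Squid-style format; the first URL is one of the post's own
# notice examples, the third reuses a dropper GUID and file name from the Appendix.
SAMPLE_PROXY_LOG = [
    "1662447600.123 10.0.0.12 TCP_MISS/200 812 GET http://2.57.122.82/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=AEF97F87751C863548359181B65B60EE86A7D44724040229CDE4622C99AB0B59&v=17&pr=1 - HIER_DIRECT/2.57.122.82 application/octet-stream",
    "1662447601.456 10.0.0.15 TCP_MISS/200 5120 GET http://intranet.example.test/update?id=1&v=2&pr=0 - HIER_DIRECT/192.0.2.10 text/html",
    "1662447602.789 10.0.0.12 TCP_MISS/200 98304 GET http://v9agm8uwtjmz.sytes.net/fb82275d-6255-4463-8261-ef65d439b83b/Q7yheyG7.exe - HIER_DIRECT/2.57.122.243 application/x-msdownload",
    "1662447603.001 10.0.0.20 TCP_MISS/200 2048 GET http://intranet.example.test/news/today - HIER_DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for n, hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {hit.kind} request to {hit.host} (known C&C: {hit.known_c2})")
```

A hit with `kind == "unknown"` or `known_c2 == False` is still worth triage, since the post notes that DNS records were re-pointed between servers during the observation period.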
Response

The body of the HTTP response contains an encrypted and gzipped XML file that configures the bots for the defined DDoS attacks. See the example below:

The bot decrypts the received data using a simple algorithm, as shown below. The full script is located in the IOC repository.

HTTP response decryptor

The encrypted XML file has an elementary structure, as shown below:

Decrypted XML config

Most of the XML attributes are self-explanatory, so we will only explain the curly brackets in the path and body attributes. The configuration often uses dynamically generated pieces (definitions) like this: {.,15,20}. The definition dictates how long the generated random text should be and where it is inserted.

The definitions are applied abundantly in the path or body of the HTTP requests where the attackers expect an increased load on the server. The effect is that bots flood servers with meaningless requests. For instance, the first <task> in the image directly above (decrypted XML config) uses the definition query={.,15,20}, which means that the bots generate random texts 15 – 20 characters long as requests to, for example, the calendar of Poland’s presidential office. Similarly, the second <task> flooded the reference system of bus lines in Ukraine with password-reset requests, as illustrated by the definition email={.,5,15}%40gmail.com.

For the most part, we captured definitions sending data to login pages, password recovery sites, and site searches, as can be seen from the XML config snippets below:

  • Login data
    <task
    host="identity.tele2.lt"
    path="/Account/Login"
    body="SkipAutoLogin=False&amp;Username={.,15,20}%40gmail.com&amp;Password={.,15,20}&amp"
    />
  • Search requests
    <task
    host="www.delfi.ee"
    path="/otsing?search={.,3,12}&amp;domain=kinoveeb.delfi.ee&amp;categoryId&amp;order=PUBLISH_AT&amp;from=2012-08-22T{d,2,2}%3A{d,2,2}%3A{d,2,2}Z&amp;to=2022-08-22T20%3A59%3A59Z"
    />
  • Password recovery request
    <task
    host="client.smscredit.lv"
    path="/password-recovery"
    body="utf8=%E2%9C%93&amp;authenticity_token={.87,87}A%3D%3D&amp;user%5Bemail%5D={.,15,20}%40gmail.com&amp;g-recaptcha-response=03ANYolqu{.,539,539}"
    />

Consequently, the attackers try to overload a server with these requests, as they are computationally intensive. The requests require many accesses to server databases, e.g., verifying emails for password resetting, trying to login with random data (definitions), etc.
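Because a captured configuration fixes the shape of every request the bots will send, a site operator can turn the templates into access-log signatures. The following Python is an added example (not code from the post or from the IOC repository): it parses a decrypted config, converts each {class,min,max} definition into a bounded regex, and counts matching lines in a vhost-prefixed combined log. The hosts and log lines are constructed; that `d` denotes digits, and that tasks carrying a body are sent as POST, are my assumptions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder grammar from the post: {<class>,<min>,<max>} is replaced by a random string of
# min..max characters, '.' meaning any character. That 'd' means digits is an assumption,
# drawn from its use in the hh:mm:ss position of a timestamp in the captured config.
PLACEHOLDER_RE = re.compile(r"\{([^,{}]+),(\d+),(\d+)\}")
CLASS_TO_REGEX = {".": r"[^&\s]", "d": r"\d"}


@dataclass
class TaskSignature:
    host: str
    method: str                     # assumption: tasks with a body are POSTed, others GET
    path_regex: re.Pattern
    body_regex: Optional[re.Pattern]
    placeholders: List[Tuple[str, int, int]]


def template_to_regex(template: str) -> Tuple[re.Pattern, List[Tuple[str, int, int]]]:
    """Turn a path/body template into an anchored regex: literal text is escaped and each
    {c,min,max} placeholder becomes a bounded run of the matching character class."""
    out, pos, found = [], 0, []
    for m in PLACEHOLDER_RE.finditer(template):
        out.append(re.escape(template[pos:m.start()]))
        cls, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        found.append((cls, lo, hi))
        out.append("%s{%d,%d}" % (CLASS_TO_REGEX.get(cls, r"[^&\s]"), lo, hi))
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(out) + "$"), found


def parse_config(xml_text: str) -> List[TaskSignature]:
    """Parse a decrypted <config><tasks>...</tasks></config> document into one signature per task."""
    sigs = []
    for task in ET.fromstring(xml_text).iter("task"):
        path_re, found = template_to_regex(task.get("path", "/"))
        body = task.get("body")
        body_re = None
        if body is not None:
            body_re, body_found = template_to_regex(body)
            found += body_found
        method = "POST" if body is not None else "GET"
        sigs.append(TaskSignature(task.get("host", ""), method, path_re, body_re, found))
    return sigs


# Combined log format with the virtual host prepended (Apache "%v %h %l %u %t ..." style).
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+) \S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def match_access_log(lines, sigs: List[TaskSignature]) -> Dict[int, int]:
    """Count log lines whose vhost, method and request target match each task signature."""
    counts = {i: 0 for i in range(len(sigs))}
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        for i, s in enumerate(sigs):
            if m["vhost"] == s.host and m["method"] == s.method and s.path_regex.match(m["target"]):
                counts[i] += 1
    return counts


# Constructed config that mirrors the shapes of the post's login and search tasks (hosts changed).
SAMPLE_CONFIG = """<config><tasks delay="0" thread_count="5">
<task host="login.example.test" path="/Account/Login"
      body="SkipAutoLogin=False&amp;Username={.,15,20}%40gmail.com&amp;Password={.,15,20}"/>
<task host="news.example.test"
      path="/search?q={.,3,12}&amp;from=2012-08-22T{d,2,2}%3A{d,2,2}%3A{d,2,2}Z"/>
</tasks></config>"""

# Constructed access-log lines: lines 1 and 3 fit the task shapes, the others do not.
SAMPLE_ACCESS_LOG = [
    'login.example.test 203.0.113.7 - - [01/Sep/2022:18:00:01 +0000] "POST /Account/Login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'login.example.test 203.0.113.9 - - [01/Sep/2022:18:00:01 +0000] "GET /Account/Login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'news.example.test 198.51.100.4 - - [01/Sep/2022:18:00:02 +0000] "GET /search?q=kx8qv2&from=2012-08-22T07%3A41%3A09Z HTTP/1.1" 200 9911 "-" "Mozilla/5.0"',
    'news.example.test 198.51.100.5 - - [01/Sep/2022:18:00:02 +0000] "GET /search?q=kx8qv2 HTTP/1.1" 200 9911 "-" "Mozilla/5.0"',
    'news.example.test 198.51.100.6 - - [01/Sep/2022:18:00:03 +0000] "GET /search?q=abc&from=2012-08-22T7%3A41%3A09Z HTTP/1.1" 200 9911 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    sigs = parse_config(SAMPLE_CONFIG)
    for i, n in match_access_log(SAMPLE_ACCESS_LOG, sigs).items():
        print(f"{sigs[i].method} {sigs[i].host}{sigs[i].path_regex.pattern}: {n} matching request(s)")
```

The signatures describe the shape of a request, not its intent, so a legitimate login or search can match as well; they are meant to be combined with per-source rate and volume, which is where the flood stands out.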

Bobik Botnet

The Avast telemetry data cannot paint a precise picture of the botnet’s size, but we can estimate the approximate representation of Bobik in the wild, see map below. The map shows where, according to Avast’s telemetry, the bots that attempt to carry out DDoS attacks for NoName057(16) are located. Avast has protected these devices from Bobik or from connecting to the C&C server. Most of the bots are located in Brazil, India, and Southeast Asia.

Distribution of users Avast protected from Bobik

According to our data, the number of Bobik bots is a few hundred. However, the total number must be much larger considering the DDoS attacks’ acute effectiveness and frequency. We, therefore, estimate there are thousands of Bobik bots in the wild.

Selection of DDoS Targets

We can reconstruct the procedure the attackers likely follow to decide which web servers to attack, because we also have the configurations of unsuccessful attacks.

The first step is looking for a target that supports Ukraine or a target with anti-Russian views. The attackers analyze the structure of the target’s website and identify pages that can cause server overloading, especially requests requiring higher computing time, such as searching, password resetting, login, etc.

The second step is filling in the XML template, encrypting it, and deploying it to the C&C servers. The attackers monitor the condition of the target server and modify the XML configuration based on needs (modification of URL parameters, bodies, etc.) to be more effective. The configuration is changed approximately three times per day.

Suppose the configuration is successful and a targeted server is in trouble. In that case, the configuration is kept until the web server crashes or the server admins implement anti-DDoS techniques or GeoIP-based firewall rules.

If the attack is unsuccessful, a new target is selected, and the whole procedure of selection is repeated.

Targets

In the first phase, the attackers targeted Ukrainian news servers they defined as being against the war in Ukraine. Then, the attacks targeted websites belonging to Ukrainian cities, local governments, electrical power distribution, Ukrainian companies supplying the Ukrainian army with weapons, railway and bus companies, and postal offices.

The second phase targeted organizations publicly supporting Ukraine financially or materially, like Ukraine banks and financial institutions, and operators of local Ukraine gas reservoirs that publicly declared help for the defenders of Ukraine.

As the political situation around the war changed, so did the targets of the DDoS attacks. Bobik performed DDoS attacks on GKN Aerospace, a supplier of the Northrop Grumman Corporation, because the US Defense Department convened a meeting with America’s eight prime defense contractors (including Northrop Grumman Corporation) to ensure long-term readiness to meet “Ukraine’s weapons needs”.

Another global company under attack was Group 4 Securitas (G4S), which published a document assessing and exploring key elements of the conflict in Ukraine. In terms of telecommunications companies, we observed an attack on American telco company Verizon, which declared a waiver of call charges to and from Ukraine. And so, we could continue listing companies that were under Bobik attacks due to their support for Ukraine. You can see a few screenshots from affected websites below.

Screenshots of websites supporting Ukraine

Other attacks were more politically motivated based on government declarations of a given country. Baltic states (Lithuania, Latvia, and Estonia) were the significant targets, outside Ukraine, of DDoS attacks carried out by the group. Let’s summarize targets outside of Ukraine, chronologically, since we started monitoring Bobik.

  • June 7, 2022: Significant DDoS attack on Estonia’s central bank; see Twitter.
  • June 18, 2022: Bobik configuration changed to target Lithuanian transportation companies, local railway, and bus transportation companies after Lithuanian authorities announced a ban on transit through their territory to the Russian exclave of Kaliningrad of goods that are subject to EU sanctions. The attackers also targeted financial sectors in Lithuania, like UAB General Financing, Unija Litas, and more.
  • July 1, 2022: Goods were stopped by Norwegian authorities destined for the roughly 400 miners in the town of Barentsburg employed by the Russian state coal mining company Arktikugol. NoName057(16)’s DDoS attacks focused on Norwegian websites as retaliation for the blockade. The main targets were transportation companies (Kystverket, Helitrans, Boreal), the Norwegian postal service (Posten), and financial institutions (Sbanken, Gjensidige).
  • July 7, 2022: There were not any specific acts by Poland that caused the group to specifically target Polish sites. However, Poland has supported Ukraine from the beginning of the Ukraine conflict, and therefore sites in the country became targets. The first wave of DDoS attacks on Polish sites was aimed at government websites like the Polish Cyberspace Resource Center, Polish 56th Air Base, Military Recruitment Center in Chorzów, and more.
  • July 9, 2022: Bobik was reconfigured back to target Lithuanian websites, focusing on energy companies (Ignitis Group, KN), transportation companies (Ingstad & Co, Asstra-Vilnius), and banks (Turto Bankas, Šiaulių Bankas, Swedbank, SEB, Kredito unija Litas).
  • July 25, 2022: Polish sites were targeted again; this time the Polish government and airports were attacked. We observed a DDoS configuration including the Polish Sejm, Presidential Office, Ministry of National Defense, Poznań Airport, Szczecin Goleniów Airport, Gdansk Airport, Kraków Airport, and more.
  • August 5, 2022: Polish regional and district courts were targeted.
  • August 9, 2022: When Finland announced their intention to join NATO, the Bobik configuration was reconfigured to target Finnish government institutions, like the Parliament of Finland (Eduskunta), State Council, Finnish police, and more.
  • August 14, 2022: Latvian financial sector (Latvian Payment Services and Electronic Money, Luminor Interneto bankas) was attacked.
  • August 16, 2022: The second wave of attacks on the Polish justice system began. We monitored a configuration with specific district courts in Krakow, Olsztyn, Warszawa, Poznan.
  • August 23, 2022: Estonia’s largest news portal, Delfi, was under DDoS attack because it published Russophobic content.
  • August 26, 2022: The group targeted another Estonian company, Tallink Grupp, a company providing transport services in the northern Baltic Sea region, including air transport. Tallink’s airports, such as Kärdla, Tartu, and Pärnu, were targeted.
  • August 27, 2022: Lithuania’s ministries of National Defense, Culture, Education, Science and Sports, and Public Procurement Offices were targeted, along with the airports and transport companies.
  • August 29, 2022: Ukrainian banks were DDoSed by the group after a long break. We observed Acordbank, Trust capital, JSC Poltava-Bank, and Pravex Bank under attack.
  • September 1 and 2, 2022: Ukrainian schools were under attack at the beginning of the new school year. Fortunately, none of the group’s 14 targets were taken down.
  • September 3, 2022: Polish armaments plants (Dezamet, Zakłady Mechaniczne Tarnów) and Lithuanian investment companies (Unija Litas, General Financing Bankas) were the group’s first victims after their unsuccessful attack attempts on Ukrainian school institutions.
  • September 6, 2022: The second attempt to attack Ukrainian school institutions (Athens School in Kyiv, Cherkasy National University, First Cambridge Education Center, and more).

The graph below shows a timeline of Bobik DDoS attacks, including successful and unsuccessful attacks from the beginning of June to mid-July 2022, captured by Avast telemetry.

Finally, we inspected all hosts from the XML configuration files within our three-month observation period. The pie chart below illustrates that sites from Lithuania and Poland are the main targets of the NoName057(16) group.

Looking at the distribution of attacked institutions, courts come first, logistics companies second, followed by banks. The remaining targets are airports, transportation and logistics companies, governments, and telecommunications companies. A full list of the targets can be found in the Appendix.

Identifying NoName057(16)

We have tried identifying the hacker group controlling Bobik bots and C&C servers. It was evident that the group must be pro-Russia, so we looked for the most famous DDoS attacks.

Shortly after the war in Ukraine began, a pro-Russia hacking group called Killnet appeared and began carrying out DDoS attacks against companies and governments supporting Ukraine, and even targeted the 2022 Eurovision Song Contest.

Bobik initially attacked websites Killnet has marked as “undesirable”. Killnet reports their DDoS attacks on their Telegram account. At first, it looked like the attacks carried out by Bobik distantly resembled Killnet’s activity, because the timeline of attacked countries was similar to the XML configurations. However, many successful DDoS attacks by Bobik were not posted by Killnet.

On June 21, 2022, the Killnet group publicly thanked a group called NoName057(16) for their support during a “special military operation”:

When we finished analyzing NoName057(16)’s Telegram channel, we confirmed that NoName057(16) is responsible for the DDoS attacks performed by the Bobik bots. All the XML configurations we captured from the NoName057(16) C&C servers exactly match the posts on the Telegram channel.

NoName057(16)

NoName057(16) is a little-known pro-Russian hacker group. They boast about their successful attack attempts on their Telegram channel, which has more than 14K subscribers. The group was active before we began tracking them on June 1, 2022. Their Telegram channel was created on March 11, 2022. We suspect they were either using a different set of botnets before June 1, 2022, or updating the malware used to control the bots in June.

NoName057(16) has been threatening to punish “propaganda” sources that “lie” about the Russian “special operation” in Ukraine, as well as governments from neighboring countries supporting them in their fight against Russia. The group became visible in the media at the beginning of August after carrying out successful attacks on Finnish and Polish parliaments.

A Wikipedia page about NoName057(16) was created on August 17, 2022. The page summarizes the group’s main activity. It classifies the group as a pro-Russia hacker group that claimed responsibility for cyberattacks on Ukrainian, US, and European websites belonging to government agencies, media, and private companies.

NoName057(16) released a manifesto declaring cyberwar as an act of revenge for open information war against Russia:

As the group increased its activities and media profile, it became easier to determine they were behind the attacks. Therefore, we can clearly state that Bobik is controlled by the pro-Russian hacker group called NoName057(16).

Success Rate

The group only reports successful DDoS attacks on their Telegram channel. Although the reported number of successful attacks seems large, statistical information indicates the contrary.

The group exclusively concentrates on DDoS attacks. They do not try to steal data or gain access to systems like other dangerous groups. The question is if they have the necessary knowledge, strength, and infrastructure to do more. Carrying out DDoS attacks is straightforward and does not require deep technical knowledge. Furthermore, the Bobik implementation only sends a simple HTTP request.

Our three-month observation shows that the group’s attack success rate is around 40%. We compared XML configurations captured by Avast to the achievements the group posts on their Telegram channel. Moreover, there is a particular set of targets, making up ~20% of their posts on Telegram, that NoName057(16) claimed to have attacked successfully but that we could not match to any target listed in their configuration files. For example, NoName057(16) claims to be responsible for attacking websites belonging to Lithuanian airports on June 25, 2022:

NoName057(16) claiming to be responsible for a DDoS attack on Lithuanian airports, posted on NoName057(16)’s Telegram channel

However, we did not find any records of the attack in the configuration files. The likelihood of them not using all of their bots in attacks is slim. In addition, NoName057(16) declared the sites were under a continuous fourteen-day attack. This would require an extensive bot network, especially considering the group performed other attacks during the same time frame and the websites were still offline. From what we have seen, it is unlikely that NoName057(16) has an extensive bot network. Moreover, most of their DDoS attacks last a few hours, at most a few days.

Impact and Protection

The power of the DDoS attacks performed by NoName057(16) is debatable, to say the least. Judging by the configuration history, they can effectively strike about thirteen URL addresses at once, including subdomains. Furthermore, one XML configuration often defines a domain/target as a set of subdomains, so Bobik effectively attacks five different domains within one configuration. Consequently, they cannot focus on more domains for capacity and efficiency reasons.

Most of the successful attacks result in servers being down for several hours or a few days. To handle the attacks, site operators often resort to blocking queries coming from outside of their country. It is a typical and suitable solution for local servers/domains such as local ticket portals of local bus/train companies, local institutions/companies, etc. Therefore, the DDoS impact on these domains has a minimal effect on the servers of local and smaller companies. Some operators or owners of affected servers have unregistered their domains, but these are extreme cases.

The DDoS attacks carried out were more difficult to handle for some site operators of prominent and significant domains, such as banks, governments, and international companies. After a successful attack, we noticed larger companies implementing enterprise solutions, like Cloudflare or BitNinja, which can filter incoming traffic and detect DDoS attacks in most cases. On the other hand, most large, international companies expect heavier traffic and run their web servers in the Cloud with anti-DDoS solutions, making them more resilient to attacks. For example, the group was unsuccessful in taking down sites belonging to Danish bank, Danske Bank (attacked June 19 – 21, 2022), and Lithuanian bank, SEB (attacked July 12 – 13, 2022 and July 20 – 21, 2022). 

The success of DDoS attacks depends on victim selection. The more “successful” attacks affected companies with simple sites, including about us, our mission, and a contact page, for example. These types of companies do not use their web pages as the main part of their business. These servers are therefore not typically designed to be heavily loaded and do not implement anti-DDoS techniques, making them a very easy target.

The group’s DDoS attack on Poznań-Ławica Airport in Poland took the site offline for 16 minutes. NoName057(16) configured Bobik bots based on the <tasks> shown in the screenshot below:

XML configuration for Poznań-Ławica Airport

They tried to overload the server with requests for searching, form submitting, and getting data via WordPress API. When the server started to return 502 errors, NoName057(16) did not forget to brag on their Telegram channel. They also included a link to check-host.net to prove their “revenge”.

NoName057(16)’s Telegram post related to their DDoS attack on Poznań-Ławica Airport

However, affected servers very often come back online within several minutes if they implement some anti-DDoS techniques, because the algorithms learn to recognize the given type of attack. The check-host.net report below demonstrates that the DDoS attack on Poznań-Ławica Airport had minimal impact, since the website was offline for only 16 minutes.

Check-host.net report for the DDoS attack on Poznań-Ławica Airport, which took the site offline for 16 minutes

On June 23, 2022, NoName057(16) reported on Telegram that Lithuanian authorities lifted a ban on the transit of Russian cargo to Kaliningrad. The group attributes the lifting of the ban, amongst other things, to the efforts of their cyber attacks on Lithuania’s infrastructure, which is debatable at best. However, the attacks on Lithuanian servers have continued.

Performance

The botnet went into an idle state on September 1, 2022, at 6 PM UTC, and remained idle for 12 hours. The botnet was reactivated on September 2, 2022, at 4 AM UTC. The XML file sent to the bots contained empty <tasks>, as in this example: <config><tasks delay="0" thread_count="-6"/></config>

A decline in the botnet’s performance is a possible explanation for this. The group only posted two general posts to their Telegram channel on September 1 and 2, 2022, instead of boasting about successful attacks, which was our first indication that the botnet might not be performing well.

The first post was about the beginning of the new school year and the day of knowledge. The group also mentioned being on the defense of the cyber front for their country and for the safety of the younger generation. The second post was about “information guns and DDoS tanks” that worked quietly on very difficult and important work.

In fact, NoName057(16) changed targets ten times each day in the XML configurations, which is abnormal. We monitored the targets during these days, and none of the attacks were successful. Therefore, it is evident that the botnet had some trouble.

Most of the sites attacked by the group have implemented anti-DDoS protections. This slowdown implies that the botnet is relatively static, without many changes such as recruiting new bots or dynamically changing the bots’ IPs. A static botnet is an advantage for anti-DDoS protections, because its malicious traffic can be easily identified.

NoName057(16) has continued to attack other easier targets since September. Only the future will reveal the Bobik botnet’s successes and failures. However, the attack’s success rate has been only around 25% since the beginning of September.

Conclusion

We investigated and analyzed malware used to carry out DDoS attacks on sites in and around Ukraine, starting in June 2022. We identified the malware as a .NET variant of a RAT called Bobik, including a DDoS module, spreading via a botnet-as-a-service, RedLine Stealer.

The first technical part of this investigation uncovered C&C servers and the HTTP communication protocol used by the Bobik bots. We also successfully decrypted the HTTP protocol, including its parameters. This allowed us to monitor the C&C servers and collect information about the botnet architecture and XML configurations defining the DDoS targets.

The second aim was to determine the bad actors behind the attacks. We identified a pro-Russian hacker group called NoName057(16), as the users or possibly even the authors of Bobik, based on the XML configurations and what the group posts to their Telegram channel.

NoName057(16) focuses exclusively on DDoS attacks and looks for companies and organizations that support Ukraine or are “anti-Russian”. They do not try to steal data or gain access to systems like other dangerous groups. Therefore, we can say that their activities are only harmful in the sense that they can cost companies business while their sites are offline; fortunately, attacked sites that have gone offline have recovered quickly. Their activities are more annoying than dangerous.

We found that the successful attacks defined by NoName057(16) make up just ~40% of all of their attack attempts. The success of their attacks depends on the quality of the targeted infrastructure. The evidence suggests that well-secured and well-designed servers can withstand the group’s DDoS attacks.

The group focuses on servers/domains as retaliation for cyber-attacks and sanctions on Russia. All successful attacks, and even successful attacks the group is not responsible for (but claims to be), are posted to their Telegram channel.

If you are concerned your device might be infected with Bobik and supporting NoName057(16)’s efforts, we highly recommend you install security software, like Avast Antivirus, which detects, blocks and can remove Bobik.

IOCs

The full list of IoCs is available in the IOC repository.

Appendix

GUIDs

Request URL template: http://[ip]/[request]/update?id=[sha256]&v=[version]&pr=[flag]

[request] values:
  • notice: bcaa8752-51ff-4e35-8ef9-4aefbf42b482, d380f816-7412-400a-9b64-78e35dd51f6e
  • admin: 27bff71b-42c0-4a47-ba39-04c83f2f40bb
  • dropper: fb82275d-6255-4463-8261-ef65d439b83b/<file_name>

<file_name> values:
  • Q7yheyG7.exe
  • afVAcUJTvDvM.exe
  • XuS1qxZa.exe
  • AdminService.exe
  • xLZ6auza.exe
  • BAebY2lBT7ee.exe

Bobik’s Targets

The full list of the targets can be found in the IOC repository.


The post Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks appeared first on Avast Threat Labs.

DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work

11 January 2023 at 15:52

A few months ago, we published a blog post about a pro-Russian hacker group called NoName057(16). The group carried out DDoS attacks using a botnet consisting of devices infected with malware called Bobik. NoName057(16)’s success rate using the Bobik botnet to attack selected targets was around 40%. However, the success rate rapidly dropped when the botnet was taken down – as was reported in the group’s Telegram channel early September. 

When we analyzed the Bobik malware in the summer, we discovered another Command and Control (“C&C”) server, outside of the Bobik botnet, used for DDoSing. The server’s configuration included similar DDoS targets to the Bobik botnet’s target list. The newer C&C server commanded clients written in Python, and we detected a command on August 1, 2022. Later, on September 15, 2022, NoName057(16) announced the launch of the DDosia project, which matched the sample we found before their announcement on Telegram. The group entices people to join their efforts by offering prizes for the best performers, paying rewards out in cryptocurrencies.  

On December 5, 2022 the original DDosia C&C server we discovered was taken down. The group, however, continues to post about their attacks, and promote the project, indicating a new C&C server was set up. 

By launching the DDosia project, NoName057(16) tried to create a new, parallel botnet to facilitate DDoS attacks. The group publicly announced the DDosia project, whereas the Bobik botnet deployment was secretive. NoName057(16) attracts project members by offering cash rewards to the members carrying out the most successful DDoS attacks. After the takedown of the Bobik botnet, we monitored the newly created DDosia botnet through the aforementioned C&C server.

The DDosia client consisted of a Python script created and controlled by NoName057(16). The DDosia tool is only available for verified/invited users via a semi-closed Telegram group, unlike the Bobik malware which was deployed on victims’ devices without their knowledge. The success rate of the original DDosia project we tracked was lower than the Bobik botnet, but has the potential to be a nuisance when targeted correctly.

Project Philosophy 

Maintaining a botnet consisting of involuntary clients is expensive. The evidence from our previous research showed that NoName057(16) did not own a botnet which they could use as a distribution channel. The group instead used the Bobik botnet, which was, in fact, a sub-botnet of the RedLine Stealer bot, rented as a botnet-as-a-service. Clearly, the group had the financial resources to afford renting the botnet, and now to pay the best performers of the DDosia project.

The DDosia project consists of a closed community of volunteers, so-called “heroes”. Project members register using a Telegram bot. After registering, the bot sends a download URL with DDosia executables and a text file with a unique ID identifying the registered user. 

DDosia project members have the option to register a crypto-wallet using their ID number. If a member carries out a sufficiently high number of attacks, they can be awarded up to 80,000 Russian rubles in cryptocurrencies such as Ethereum, Bitcoin, and Tether. Members can also check their overall statistics in the DDosia Telegram channel.

In short, NoName057(16) is building a closed community of users who make their computing time available for DDoS attacks. There are approximately 1,000 “heroes”, according to the project’s closed Telegram channel. 

Technical Details 

To become a DDosia member you have to go through a registration process facilitated by the @DDosiabot in the dedicated DDosia project Telegram channel. After registering, members receive a DDosia.zip archive, which includes an executable. NoName057(16) strongly recommends using a VPN client, connecting through servers outside of Russia or Belarus, as traffic from the two countries is often blocked in the countries the group targets.

The structure of the ZIP archive is as follows:

DDosia.zip

  • Linux and macOS folders
    • The Linux and macOS folders each contain a Python script with the DDosia application – Dosia.py. The script uses simple obfuscation – the source code is stored as a text file with escaped hex digits corresponding to the ASCII characters of the Python script.
  • Windows folder
    • The Windows folder includes one Dosia.exe file, which is the DDosia Python script packaged as a PyInstaller executable – nothing less, nothing more.
  • Each folder of the ZIP archive also contains client_id.txt, storing the unique ID of the registered user.

DDosia Application 

The workflow of the DDosia application is straightforward and does not contain any interesting techniques or methods. So, we just summarized the basic aspects of its implementation. 

At the beginning, DDosia reads the client_id.txt file storing the ClientId of the registered user. The first C&C communication retrieves the list of DDoS targets managed by NoName057(16). DDosia then creates worker threads which perform the DDoS attacks; the number of threads is five times the number of logical cores. Similarly to Bobik’s attacks, DDoS attacks can be conducted over HTTP, but also on a lower layer via the TCP protocol; the HttpTarget and TcpTarget classes are designed for these attacks.

Statistical information of each DDosia bot is sent back to the C&C server every minute. The information is identified by the ClientId, and the data contains a list of attacked domains and the number of successful and attempted attacks. A successful attack means that DDosia sends a request to the defined server and receives a response from the server. The communication with the C&C server is unencrypted and unauthenticated, so anyone can easily fake the statistical data and thus win the payout of the day. 

C&C Server 

We found one DDosia C&C server located in Russia at 109.107.181.130. Our Nmap scan discovered three open ports with the following services:

4200/tcp 

This port was controlled by the Nginx 1.23.1 web server. There was a web page with the title DosiaBotFront; its design is illustrated in Figure 1. It was the administrator console for the configuration of DDosia bots.

Figure 1. Admin interface of Dosia C&C server 
5001/tcp 

The next open port was 5001, which Nmap classifies as commplex-link. A few other scans identified an HTTP service on this port.
The Nmap scan also confirmed that the C&C communication on this port is plain, unencrypted HTTP rather than HTTPS.

Other ports 

When we repeated the port scan, it reported one thousand open ports. The attackers evidently want to make port scanning more difficult and time-consuming.

C&C Server Discussion 

The main DDosia C&C server (109.107.181.130) was taken down on December 5, 2022, at 9 AM UTC. However, the group continues to actively post on their Telegram channel, so the group must have another botnet. 

C&C Communication 

The DDosia application has two hard-coded URLs that are used to download and upload data to the C&C server. The first one is used to download a list of domains (targets) that will be attacked, the second one is used for statistical reporting. 

  • Get targets: hxxp://109.107.181[.]130:5001/client/get_targets 
  • Send statistical information: hxxp://109.107.181[.]130:5001/set_attack_count 

The list of targets is sent as an uncompressed and unencrypted JSON file. There are two items: targets and randoms. The former contains approximately 20 entries that define DDoS targets; each target is described via several attributes: id, type, method, host, path, body, and more. The latter describes how random strings will look via fields such as digit, upper, lower, and min/max integer values; see Figure 2.

DDosia generates random values at runtime for each attack. The reason is straightforward: the attackers want to randomize HTTP requests and make each request unique for a better success rate. The random values replace placeholders in the path or body of the target definition; the placeholders have the form $_{number}, as Figure 2 demonstrates.

Figure 2. JSON file download from C&C server
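As an added example (not code from this post or from DDosia itself), the following Python turns a captured v1-style target configuration into access-log signatures: each $_{n} placeholder is expanded into a character-class regex built from the matching randoms entry, so a defender can count how many requests in a web server log fit the randomized pattern. The configuration, hosts, log lines, the min/max key names, and the rule that $_{n} refers to the n-th randoms entry are constructed assumptions, since the post does not reproduce the exact JSON.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed DDosia v1 style configuration (targets + randoms), modelled on the
# structure described above. The "min"/"max" key names and the assumption that
# $_{n} refers to the n-th entry of "randoms" are ours; hosts and paths are made up.
SAMPLE_CONFIG = json.loads(r'''
{
  "targets": [
    {"id": 101, "type": "http", "method": "GET",
     "host": "court.example-gov.test", "path": "/search?q=$_{0}", "body": ""},
    {"id": 102, "type": "http", "method": "POST",
     "host": "bank.example.test", "path": "/api/login", "body": "user=$_{1}&pwd=$_{0}"},
    {"id": 103, "type": "tcp", "method": "", "host": "mail.example.test", "path": "", "body": ""}
  ],
  "randoms": [
    {"digit": true, "upper": false, "lower": true, "min": 6, "max": 12},
    {"digit": true, "upper": true, "lower": true, "min": 4, "max": 8}
  ]
}
''')

PLACEHOLDER = re.compile(r"\$_\{(\d+)\}")

# Combined log format with the Host header appended in quotes (constructed layout).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$')


def random_pattern(spec: dict) -> str:
    """Regex fragment matching every string a 'randoms' entry can generate."""
    chars = ""
    if spec.get("digit"):
        chars += "0-9"
    if spec.get("upper"):
        chars += "A-Z"
    if spec.get("lower"):
        chars += "a-z"
    if not chars:
        raise ValueError("random spec allows no characters")
    return "[%s]{%d,%d}" % (chars, spec["min"], spec["max"])


def target_signature(target: dict, randoms: list) -> Optional[re.Pattern]:
    """Compile 'METHOD host path' into a regex; placeholders become random_pattern()s."""
    if target["type"] != "http":
        return None  # tcp targets leave no HTTP access-log trace
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(target["path"]):
        parts.append(re.escape(target["path"][pos:m.start()]))
        parts.append(random_pattern(randoms[int(m.group(1))]))
        pos = m.end()
    parts.append(re.escape(target["path"][pos:]))
    return re.compile("^%s %s %s$" % (re.escape(target["method"]),
                                      re.escape(target["host"]), "".join(parts)))


def build_signatures(config: dict) -> Dict[int, re.Pattern]:
    sigs = {}
    for t in config["targets"]:
        sig = target_signature(t, config["randoms"])
        if sig is not None:
            sigs[t["id"]] = sig
    return sigs


def classify_line(line: str, sigs: Dict[int, re.Pattern]) -> Optional[int]:
    """Return the id of the target whose signature matches the log line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    key = "%s %s %s" % (m.group("method"), m.group("host"), m.group("path"))
    for tid, sig in sigs.items():
        if sig.match(key):
            return tid
    return None


def scan_log(lines: List[str], config: dict) -> Dict[int, int]:
    """Count matching requests per target id. A burst of hits is the real signal:
    a single legitimate request can look exactly like a randomized one."""
    sigs = build_signatures(config)
    hits: Dict[int, int] = {}
    for line in lines:
        tid = classify_line(line, sigs)
        if tid is not None:
            hits[tid] = hits.get(tid, 0) + 1
    return hits


# Constructed access-log lines: three fit target signatures, two do not.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Nov/2022:10:00:01 +0000] "GET /search?q=k3j9ab2x HTTP/1.1" 200 512 "court.example-gov.test"',
    '203.0.113.5 - - [05/Nov/2022:10:00:01 +0000] "GET /search?q=zz9 HTTP/1.1" 200 512 "court.example-gov.test"',
    '198.51.100.7 - - [05/Nov/2022:10:00:02 +0000] "GET /search?q=q7m2n8p1r4 HTTP/1.1" 503 0 "court.example-gov.test"',
    '198.51.100.7 - - [05/Nov/2022:10:00:03 +0000] "POST /api/login HTTP/1.1" 200 88 "bank.example.test"',
    '192.0.2.9 - - [05/Nov/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "court.example-gov.test"',
]
```

Because the placeholder regexes are broad, the per-target counts are meant to be correlated with request rate and source-IP spread rather than used as standalone alerts.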

Detections 

The DDosia project is not classified as common malware, as people execute the application voluntarily. Nevertheless, we actively detect the DDosia application, although the number of hits is close to zero.

Our telemetry shows only a handful of detections related to DDosia. However, we registered many exceptions that our users added to their Avast Antivirus. The most notable exceptions are from Russia, namely St. Petersburg, Moscow, Seversk, Tyumen, Pudomyagi, and Rostov-on-Don. Other countries where we observed users adding the project to their exceptions are Canada (Toronto) and Germany (Berlin).

Performance 

One DDosia “hero” can generate approximately 1,800 requests per minute using four cores and 20 threads. Naturally, the speed of request generation depends on the attacker’s internet connection quality. The project currently has approximately 1,000 members. Let’s assume at least half of the users are active, then the total count of requests to defined targets can be up to 900,000 req/min. This can be enough to take down web services that do not expect heavier network traffic. 

Dosia Targets 

The targets of the DDosia project are very similar to Bobik’s targets. The group focuses on private as well as public sectors such as courts, banks, education, public media, government, and transport services (airport, railway). For example, the District Court in Słupsk (PL), West Kredit (LV), Cherkasy National University (UA), Maaleht (EE), or Central Finance and Contracts Agency (LV) were targets. 

Another aspect of DDosia’s targets is the distribution of attacked countries. Although NoName057(16) was founded to support the “special military operation” in Ukraine, the most attacked domains are from Poland, Latvia, Lithuania, followed by Ukraine. 

Dosia Success Rate 

We have been monitoring the DDosia project configurations since August 1, 2022 up until the original server was taken down on December 5, 2022. More than 2,200 DDoS targets were captured within four observed months. The NoName057(16) Telegram channel boasted about 390 successful attacks, so the success rate was approx. 17% with approximately 1,000 DDosia “heroes”. 

The green line of Figure 3 illustrates the trend of successful attacks in the observed period. However, it should be noted that the higher rate of successful attacks is affected by the activity of the Bobik botnet, which performed DDoS attacks in parallel. Therefore, the real success rate of DDosia should be counted from approximately September 7, 2022, when the Bobik botnet was taken down. If we consider only the period after the takedown of the Bobik botnet, the DDosia statistics are 1,400 DDoS targets and 190 successful attacks. Therefore, the current success rate of the DDosia project is approximately 13%.

The graph also shows a peak on September 2, 2022. NoName057(16) vehemently tried to attack Ukrainian schools and educational institutions at the beginning of the new school year. We had observed the same targets on the former Bobik server. The institutes under attack were, for instance, the School of Athens, Ukrainian Medical Journal, School Management and Learning Systems, First Cambridge Education Center, and Libera School. Fortunately, none of the targets were taken down on September 2, 2022, although there were disproportionate numbers of configuration changes and attacked domains.

Figure 3. DDosia botnet statistic

In November the success rate started to increase significantly. There is also a correlation between the number of attacked domains and the number of successful attacks. The trends of attacked domains (blue line) and successful attacks (green line) are approaching each other, which suggests an upward trend.

A possible explanation for this upward trend is that the selected targets are more homogeneous than in previous periods, when the group attacked a variety of targets. In comparison, November’s list of selected targets consisted mostly of subdomains within one primary domain. Therefore, if an attack on any subdomain of the main domain was successful, the probability that most other subdomains will also be taken down is high, because they use a similar platform, security, and network. The group boasted about their “successful” attacks on their Telegram channel. The strategy is a logical step to increase NoName057(16)’s prestige. Right after the Bobik server went offline on September 5, 2022, the group mostly just posted bizarre pictures of bears and cartoons, rather than boasting about successful attacks.

DDosia Attacks on Poland’s Government 

The attack on the Polish government domain is a prime example of the new selection strategy. The attackers focused on most subdomains of the .gov.pl domain since November 5, 2022; see the list of selected subdomains: 

  • sanok.sr.gov.pl 
  • belchatow.sr.gov.pl 
  • siemianowice.sr.gov.pl
  • aleksandrowkuj.sr.gov.pl 
  • trzcianka.sr.gov.pl 
  • gdansk-poludnie.sr.gov.pl 
  • zywiec.sr.gov.pl 
  • prudnik.sr.gov.pl 
  • katowice-wschod.sr.gov.pl 
  • brodnica.ug.gov.pl 
  • radom.ap.gov.pl 
  • opolska.policja.gov.pl 
  • aplikacja.ceidg.gov.pl 
  • powietrze.gios.gov.pl 
  • exp.lobi.nencki.gov.pl 
  • cpsdialog.gov.pl 
  • puesc.gov.pl 
  • nawa.gov.pl 
  • kssip.gov.pl 
  • ezamowienia.gov.pl 

Most sr.gov.pl web servers run on the same platform (Nginx v1.16.1). If the attackers pick subdomains running on the same platform, they have a high chance of taking down the selected servers. More importantly, most of these subdomains (web pages) are purely informational and do not provide any online services critical to the government. So, these attacks have no value from a cyber attack perspective, except for propaganda on the group’s Telegram channel.

Another essential point is the attack on the Central Register and Information on Economic Activity (aplikacja.ceidg.gov.pl). The website expects a higher page load because there are electronic services for entrepreneurs. Therefore, the website was more resilient to DDosia attacks. 

An example of an attack without any value is the attack on Poland’s municipality Gmina Brodnica. Their website does not include anti-Russian and Russophobic content; however, it was also under attack despite the NoName057(16) declaration to attack sites with anti-Russian and Russophobic content; see the Telegram post below. Therefore, it is evident that NoName057(16) is not after operational impact in the war in Ukraine but rather uses the conflict as an opportunity to establish itself in the community. 

DDosia Configurations 

Our telemetry has been recording the DDosia configurations from August 1, 2022 – December 5, 2022. Firstly, Figure 3 above illustrates that the configurations are changed four times per day on average; see the red line. Secondly, the average number of attacked domains per day is seventeen. 

Rewards 

NoName057(16) promises a cryptocurrency reward to the most productive members, provided the participants linked their crypto-wallet during registration. NoName057(16) posted a few messages announcing the most active members, as shown in the posts below.

The prize for the winners is in the order of thousands of rubles (hundreds of dollars). We cannot verify whether the crypto money was really sent to the said clients and thereby verify that the group has enough financial resources at their disposal. 

Individual participants send statistics about their progress and achievements periodically to the C&C server; however, in plain text without any protection. A body of statistical information is a simple JSON file with ClientId and IDs of attacked servers. Therefore, anyone can counterfeit their own statistics because each client can obtain their ClientId from client_id.txt. A simple Python script below can fake the statistics, and anyone can be the most active client on any given day. The script also contains a list of the targets’ IDs that can be downloaded from the C&C server in plain text. 

Conclusion 

Based on the aim of our previous study, which was monitoring the activity of the NoName057(16) group, we have captured another method used for DDoSing against Ukraine and the countries surrounding it and siding with Ukraine. 

NoName057(16) has changed their philosophy and built a new botnet using a publicly available tool compared to the Bobik malware that was used previously. The tool is a simple Python script called DDosia. The depth analysis confirms that DDosia is only a tool for DDoSing and does not contain any backdoor functionality. 

The success rate of the DDosia attacks is ~13% of all of their attack attempts. DDosia is available via a closed community on Telegram, and the number of members is approximately 1,000. If the community grows, we expect the success rate to be higher. Therefore, the success of the attacks depends on the motivation that NoName057(16) provides to volunteers. At this moment, 1,000 registered heroes may actually mean 500 active instances of DDosia, so servers that expect a high network load are more resilient to the attacks.

The targets selected for DDoS attacks are the same as in our previous study. In short, NoName057(16) focuses on companies and organizations that support Ukraine or are “anti-Russian”. At the beginning of November, the target selection was shifted and oriented on subdomains of previously successfully attacked domains, which increased the success rate. 

The new aspect of DDoS attacks is the possibility of being rewarded. The group collects statistical information about performed attacks and successful attempts. Subsequently, the best “heroes” are paid out in cryptocurrencies. However, the statistics can be easily manipulated. 

NoName057(16) introduced the DDosia project so they could carry on with DDoS attacks after the previous botnet was taken down. The power of the attacks is much lower than with the previous Bobik botnet. Consequently, time will tell how successful DDosia will be.

Their DDoS attacks are basically unsophisticated, do not have large impacts, and do not aim to cause significant damage. They want to draw attention to themselves in the media, similar to the Killnet group. Nonetheless, NoName057(16) activities are still more of a nuisance than dangerous. 

The post DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work appeared first on Avast Threat Labs.

DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks

18 April 2023 at 14:22

Through their DDosia project, pro-Russia hacktivist group NoName057(16) is still conducting DDoS attacks, mostly with the goal of taking offline websites of institutions and companies in European countries. On its Telegram channels, the group openly communicates that they perform their actions in support of Russia in the war against Ukraine, and it’s apparent that their activities will continue during the war. The group has been offering payments in cryptocurrencies to people who install their DDosia tool in order to participate in their attacks. We want to create awareness that people who have NoName057(16)’s DDoS tool installed on their computer not only participate in cybercrime, but also support the group’s warfare activities.

We detect and block DDosia to make the internet a safer place, and we continue to track DDoS victims and configurations of the DDosia botnet because such information helps to mitigate the impact of DDoS attacks.

Because the first Python version was not efficient enough, the group released a new Go variant of the bot in late 2022. SentinelLabs has described the first variant of the Go implementation, including the C2 servers active at that time. A few days later, Team Cymru published an investigation into the botnet architecture, describing the DDoS infrastructure as largely static.

Given the above findings, it is apparent that the C2 structure is still evolving. The primary purpose of the following analysis is to explore the C2 architecture and current communication process between the botnet and C2 servers. Therefore, we have been actively monitoring the DDosia botnet and have found several innovations in the bot implementation and the botnet infrastructure. The C2 infrastructure is composed of one central server and two proxies forwarding bot requests. This, combined with an update mechanism, makes the botnet rather resilient to disruptions. The latest versions also include a bot authentication mechanism for all the C2 communication along with IP address blocklisting, presumably to hinder tracking of the project.

Implementation Overview

The first implementation of DDosia came into the world around July 2022. Being authored by the NoName057(16) group, there was interestingly a brief coexistence with the Bobik botnet before the botnet was dismantled, presumably in favor of DDosia. It was written in Python using threads as a means of parallelism; nevertheless, it was still lacking in terms of efficacy. Since the first version, DDosia relied on HTTP protocol for C2 communication, with JSON configs distributed by the servers.

The lack of efficacy presumably motivated changes in DDosia, namely the move from Python to Go that we saw in late 2022, with SentinelLabs describing the first Go variants. The main advantage of Go in comparison to Python is direct compilation into native code along with the absence of Python’s GIL that may severely affect the performance of threaded code in Python. Interestingly, these new versions are also multi-platform, as we’ve seen variants for all major operating systems (Windows, macOS, Linux, Android). Evidently, the bot development is still in progress, as we see new functionalities, such as HTTP authentication, being added to DDosia along with slight changes in the configuration file.

Console output of the Go-Stresser version 1.0 – variant 1

Go Implementation

Let’s take a closer look at the second variant of DDosia bot from March 6, 2023, that came up with the authentication mechanism, presumably to combat researchers snooping for lists of targets.

Console output of the Go-Stresser version 1.0 – variant 2
Build Package

The aforementioned variant supports multiple architectures as well as multiple platforms; unsurprisingly, it is also written in Go. The builds are distributed via the Telegram channel “Project DDosia” in the form of a zip file containing the following builds:

  • Windows x64 and arm64
  • Linux x64 and arm64
  • macOS x64 and arm64

The executable names change from time to time; the names we captured are:

  • dosia_app_(windows|macos|linux)_(x64|arm64)
  • d_(win|mac|linux)_(x64|arm64)
  • pd_(win|mac|linux)_(x64|arm64)
  • dosia_(win|mac|linux)_(x64|arm64)
Execution Workflow

The working directory of the bot executable must contain a text file client_id.txt with the User-Hash of the registered user. The User-Hash is a BCrypt hash with the prefix $2a$16$ (cost factor 16).

The first outbound communication goes to nordvpn.com to obtain detailed information about the bot’s IP address, which is then sent to the C2 server. The second is a POST request to the C2 server’s /login URL with data describing the bot’s IP, the user ID, and the bot identification.

Login to C2

The Client-Hash is produced by a library that returns the OS-native machine UUID/GUID: the open-source Go library machineid by Denis Brodbeck. The Client-Hash carries a suffix representing the current PID (5481 in this case).

Login response from C2 during login

If the authentication is successful, the C2 returns HTTP/1.1 200 OK with a token in the form of an epoch/Unix timestamp, and the target configuration can then be downloaded via GET /client/get_targets. The first variant of the DDosia bot does not implement any authentication mechanism, but a valid token is necessary to get the target configuration in the current C2 architecture; otherwise, 401 Unauthorized is returned.

Getting targets from C2

The returned JSON file is similar to the first variant, with the difference that the original JSON configuration is wrapped up in a data key. Additionally, the new key token is included in each response of GET /client/get_targets. The token is a fresh token for further communication.

The new form of returned configuration

The new configuration supports four attack types: http, http2, nginx_loris, and tcp. The remaining items are the same as those SentinelLabs and we described previously; see the C&C Communication section above and the SentinelLabs report.

When the login and get-targets operations are successful, the bot creates approximately 20 worker threads that perform the DDoS attack using a synchronized method, since the bot counts the number of successful connections. Therefore, the bot waits for the attacked server’s response; if the response is 200, the attempt is counted as a successful attack. Overall, the newest bot implementation is about eight times faster than the initial implementation in Python.

Continuous statistics are sent back to the C2 server every ~4 minutes through POST /set_attack_count.

Sending the attacks’ statistics back to C2

These statistics help the attacker track the target configuration’s effectiveness and respond in time with a new configuration. If everything goes as expected, a new target configuration is requested every ~10 minutes. However, sometimes the C2 server is unable to handle requests, and a connection cannot be established. In this case, the bot continues on the latest target configuration and tries to contact C2 later. Figure 1 provides an overview of the communication between the C2 server and a bot.

Figure 1. C2 communication workflow

Bot Updater

One of the unknowns remains the question of the bot updates. Our investigations into this area are still in progress, and we are trying to confirm our hypothesis that there is an automatic bot updater.

We’ve observed a few takedowns of C2 servers and new build releases in the last months. We expected a delay of several days between the bot updates and further DDoS attacks. However, the time between the C2 takedown and the new DDoS attacks was several hours. Therefore, our hypothesis is that there is an automatic updater since it is improbable to manually update approximately 7,200 independent clients within several hours.

The count of new bot releases was considerable in the last four months, as Figure 2 illustrates. So, there should be some automatic updater.

Figure 2. DDosia executable hits

C2 Protection

All C2 servers have used HTTP protocol to communicate, which was unencrypted. So, it was only a matter of time before the DDosia authors tried to implement a mechanism to protect the target configurations.

Temporary DNS Records

The first attempt to implement the protection mechanism was around January 28, 2023. The main idea was to use temporary DNS records, which are rotated every midnight. The DNS record is then reconfigured to a non-existent address. As a result of the 24-hour period, the initial DNS record is not captured by online monitoring services, so the history of DNS records includes only the non-existent or invalid records. Consequently, the valid IP address of the C2 server is not recorded anywhere, and it would not be easy to find.

This mechanism has been seen in the cases on January 28-29, 2023. Two builds with hardcoded DNS records were set to non-existent IPs after midnight. The next day, the new builds with new DNS records were released.

For example, deac48f968269bb5e75ceb9417f6680d8787a03ba0768e25d8716f189a079574 build has two DNS records (pkcds2cas7.ignorelist.com, pqw2vsi21mx74.twilightparadox.com) that led to 212.73.134.208. However, the DNS records were reconfigured to 127.0.0.2 from midnight on January 27-28, 2023. So, if you resolve the DNS records today, you cannot resolve the initial IP since the address is already untraceable.

The same case was seen from midnight on January 28-29, 2023, on the 5c1be24a5fa75b70c50515a061d2d3ce911b785188328408edc0a79dfc5e3173 build. The other two DNS records (trafficsearch.ddns.net, trafficanalyzer.bounceme.net) led to 94.140.115.129. The DNS records were also reconfigured to invalid IP addresses; namely 0.0.0.0.

Implementing this mechanism was probably not successful, because the count of reported targets on the group’s Telegram channel was lower on January 28, as Figure 3 demonstrates. Moreover, the taken-down domains that were reported came from the previous target configuration. Finally, the build that was released on January 30 contained hard-coded IP addresses of the C2 server (94.140.114.239).

Request Authentication

The second attempt to implement the protection mechanism was on March 7, 2023. The communication with the C2 server is still over HTTP, but a token mechanism was designed and implemented. Therefore, the target configuration (list of attacked domains) can no longer be downloaded freely without authentication, as it could before.

Figure 4. Authentication mechanism

The first communication with the C2 server is the login request, as shown in Figure 4. First, the request must include the header User-Hash, which users obtain during the registration process in the DDosia Project Telegram channel. The other necessary condition is GeoIP data about the bot. If the IP address or ISP of the given bot is on the blocklist (e.g. Avast), the authentication process ends with 401 Unauthorized. However, if the authentication is successful, the login request returns the token as a string.

The token is valid for approximately 15 minutes, and the constant 0xF must be added each time the token is used for the following requests to the C2 servers. The adjusted token is included in the HTTP header as a Time entry, and each response then consists of a new fresh token value.
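To illustrate the login, token and statistics exchange described above from the defender’s side, here is an added Python classifier (not Avast’s or DDosia’s code) that walks one client’s captured HTTP requests in order and checks them against the described indicators: the $2a$16$ User-Hash format, the Client-Hash PID suffix, a Time header equal to the last token plus 0xF within the ~15-minute window, and the /set_attack_count reports. The capture, the hash values, the “-<pid>” separator in Client-Hash and the JSON “token” key on non-login responses are assumptions.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Formats taken from the description above. The "-<pid>" separator in Client-Hash
# and the JSON "token" key on non-login responses are assumptions.
BCRYPT_COST16 = re.compile(r"^\$2a\$16\$[./A-Za-z0-9]{53}$")  # 22-char salt + 31-char digest
CLIENT_HASH = re.compile(r"^(?P<machine>[0-9A-Fa-f-]{8,})-(?P<pid>\d{1,7})$")
C2_PATHS = ("/login", "/client/get_targets", "/set_attack_count")
TOKEN_STEP = 0xF        # constant the bot adds to the token before each reuse
TOKEN_TTL = 15 * 60     # observed token lifetime, seconds


@dataclass
class HttpRecord:
    """One captured request/response pair from a single client."""
    ts: int                 # capture time, epoch seconds
    method: str
    path: str
    headers: Dict[str, str]
    status: int
    resp_body: str = ""


def next_expected_time_header(token: int) -> int:
    """Value a genuine bot puts in the Time header after receiving `token`."""
    return token + TOKEN_STEP


def fresh_token(rec: HttpRecord) -> Optional[int]:
    """Token the C2 hands back: bare number on /login, JSON 'token' key elsewhere."""
    body = rec.resp_body.strip()
    if rec.path == "/login":
        return int(body) if body.isdigit() else None
    try:
        tok = json.loads(body).get("token")
    except (ValueError, AttributeError):
        return None
    return tok if isinstance(tok, int) else None


def classify_session(records: List[HttpRecord]) -> dict:
    """Walk one client's requests in capture order and score DDosia v2 C2 indicators."""
    v = {"login_seen": False, "user_hash_format_ok": False, "client_pid": None,
         "token_checks": 0, "token_mismatches": 0, "stats_reports": 0}
    token, issued_at = None, 0
    for rec in records:
        if rec.path not in C2_PATHS:
            continue
        if rec.method == "POST" and rec.path == "/login":
            v["login_seen"] = True
            v["user_hash_format_ok"] = bool(BCRYPT_COST16.match(rec.headers.get("User-Hash", "")))
            m = CLIENT_HASH.match(rec.headers.get("Client-Hash", ""))
            v["client_pid"] = int(m.group("pid")) if m else None
        else:
            if token is not None:
                # A real bot must echo last_token + 0xF while the token is still valid.
                v["token_checks"] += 1
                sent = rec.headers.get("Time", "")
                expired = rec.ts - issued_at > TOKEN_TTL
                if not sent.isdigit() or int(sent) != next_expected_time_header(token) or expired:
                    v["token_mismatches"] += 1
            if rec.path == "/set_attack_count":
                v["stats_reports"] += 1
        if rec.status == 200:
            new_token = fresh_token(rec)   # every successful response carries a fresh token
            if new_token is not None:
                token, issued_at = new_token, rec.ts
    v["ddosia_v2_likely"] = (v["login_seen"] and v["user_hash_format_ok"]
                             and v["token_checks"] > 0 and v["token_mismatches"] == 0)
    return v


# Constructed capture of one bot: login, targets fetch, ~4 min later a statistics
# report, then a targets refresh. Hash values are made up but follow the formats.
USER_HASH = "$2a$16$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
CLIENT_ID = "4c4c4544-0054-4210-8031-b4c04f4d3032-5481"
T0 = 1678180000
SAMPLE_SESSION = [
    HttpRecord(T0, "POST", "/login", {"User-Hash": USER_HASH, "Client-Hash": CLIENT_ID},
               200, str(T0)),
    HttpRecord(T0 + 5, "GET", "/client/get_targets", {"Time": str(T0 + 0xF)},
               200, json.dumps({"data": {"targets": []}, "token": T0 + 5})),
    HttpRecord(T0 + 245, "POST", "/set_attack_count", {"Time": str(T0 + 5 + 0xF)},
               200, json.dumps({"token": T0 + 245})),
    HttpRecord(T0 + 600, "GET", "/client/get_targets", {"Time": str(T0 + 245 + 0xF)},
               200, json.dumps({"data": {"targets": []}, "token": T0 + 600})),
]
```

A scanner that merely fetches /client/get_targets without the login step produces no token checks and is not flagged, which is the point: the chain of Time headers, not any single request, is what distinguishes the bot.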

C2 Architecture

The C2 architecture is changing dynamically. We have noticed four IP addresses related to the DDosia project since the beginning of 2023. Three addresses are active web servers running on Ubuntu with nginx/1.18.0. More importantly, these web servers return the same target configurations and provide the same services: logging into the botnet as well as reporting statistics to the attackers. The currently discovered C2 architecture of the DDosia project is shown in Figure 5.

Figure 5. C2 architecture

Using HTTP, the central C2 server (M) is contacted by the proxy C2 servers P1 and P2 through port 5001. The DDosia bots reach the proxy servers, also using HTTP, via port 80, and the requests are forwarded to the central server. We have not yet detected any suspicious outbound traffic from the primary server. However, one suspicious server or client communicates especially with the primary and P2 servers. We recorded the most network activity from this suspicious IP (161.35.199.2) around February 14, 2023. The purpose of this machine is still unknown, but it may be a testing or monitoring service.

Besides the bots’ communication over port 80, we detected connections on port 22 to both proxy servers. Communication on port 22 is not implemented in the bot executables we analyzed, but our telemetry indicates a higher communication volume there. However, most captured IPs contacting port 22 are suspicious because of port scans or SSH brute-force attacks.

In addition, the C2 infrastructure relies heavily on proxy servers, which contributes to its resilience. Nevertheless, our monitoring revealed outages, indicated by 502 Bad Gateway responses from the proxy servers. The first significant disruption occurred during the deployment of the authentication mechanism. That outage lasted several hours; its duration and timing indicate that development issues may have been responsible. The root cause seems to be partially fixed, as recent outages were resolved within one hour.
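Because the proxies answer 502 Bad Gateway whenever the central server is unreachable, a periodic probe of a proxy is enough to measure outages like the ones described above. The script below is an added example, not the monitoring Avast runs: it collapses consecutive bad probes into outage windows and reports their durations. The probe log is constructed.

```python
"""Turn periodic HTTP probe results into outage windows.

Added example, not the monitoring Avast runs. It reflects the observation
above that proxy outages show up as runs of 502 Bad Gateway responses; the
probe log below is constructed.
"""
from __future__ import annotations

from datetime import datetime

BAD_STATUSES = {502}  # proxy up, upstream unreachable


def parse_probe_log(text: str) -> list[tuple[datetime, int]]:
    """Each line: ISO-8601 UTC timestamp and HTTP status, e.g. '2023-02-14T10:00:00Z 502'."""
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status = line.split()
        probes.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(status)))
    return sorted(probes)


def outage_windows(probes) -> list[dict]:
    """Collapse consecutive bad probes into windows.

    A window opens at the first bad probe and closes at the first good probe
    after it; 'ongoing' is True when the log ends while the window is open.
    Resolution is bounded by the probe interval, so short outages between
    two probes are invisible.
    """
    windows, start = [], None
    for ts, status in probes:
        if status in BAD_STATUSES and start is None:
            start = ts
        elif status not in BAD_STATUSES and start is not None:
            windows.append({"start": start, "end": ts,
                            "duration": ts - start, "ongoing": False})
            start = None
    if start is not None:
        last = probes[-1][0]
        windows.append({"start": start, "end": last,
                        "duration": last - start, "ongoing": True})
    return windows


# Constructed probe log for one proxy (irregular probe spacing on purpose)
PROBE_LOG = """\
2023-02-14T09:50:00Z 200
2023-02-14T10:00:00Z 502
2023-02-14T11:30:00Z 502
2023-02-14T13:20:00Z 200
2023-02-14T17:50:00Z 200
2023-02-14T18:00:00Z 502
2023-02-14T18:20:00Z 200
2023-02-14T18:30:00Z 200
"""

if __name__ == "__main__":
    for w in outage_windows(parse_probe_log(PROBE_LOG)):
        flag = " (ongoing)" if w["ongoing"] else ""
        print(f"{w['start']:%Y-%m-%d %H:%M} -> {w['end']:%H:%M}  {w['duration']}{flag}")
```

The sample yields one multi-hour window and one twenty-minute window, mirroring the difference between the first disruption and the later, quickly resolved ones. Treating only 502 as "bad" separates upstream failures from the proxy itself being down, which would show as a connection error rather than an HTTP status.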

DDosia Tracking

We continue to monitor the DDosia project targets and the number of users who have joined the project. We will publish detailed information about the targets, configurations, and volunteers in a subsequent post. Figure 6 gives a quick overview.

Figure 6. Attacked countries and trend of the joined users

We’ve also observed that DDosia’s community is steadily growing, though there are doubts about how much capacity new members can contribute. Nevertheless, in this specific case a volunteer-based model seems rather efficient and easier to manage than a malware-based botnet; its availability, however, is probably enabled by the political circumstances.

Conclusion

It is evident that the project is still in development and that NoName057(16) is trying to improve the efficiency of its DDoS attacks. They are trying to move to the more efficient Go platform because the pilot variant written in Python lacked performance.

Many of the changes seem to be motivated by keeping the target configuration and the C2 architecture secret. Hence, the latest version of the DDosia bots implements an authentication mechanism for C2 communication.

Our most interesting observation was probably the implementation of an update mechanism in the client, since previous updates caused only short-term disruptions to the project’s effectiveness. This also increases the resilience of the C2 mechanism, as a manual update is no longer necessary after a server takedown. The update mechanism is still under our investigation. In a future blog post, we plan to release a more detailed analysis of the tracker’s historical data.

The post DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks appeared first on Avast Threat Labs.
