The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.
The updated variant, written in Golang, “implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users,” cybersecurity company Sekoia said in a technical write-up.
DDoSia is attributed to a pro-Russian hacker group called NoName(057)16. Launched in 2022 and a successor of the Bobik botnet, the attack tool is designed for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan.
Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different websites were impacted.
Python and Go-based implementations of DDoSia have been unearthed to date, making it a cross-platform program capable of being used across Windows, Linux, and macOS systems.
“DDoSia is a multi-threaded application that conducts denial-of-service attacks against target sites by repeatedly issuing network requests,” SentinelOne explained in an analysis published in January 2023. “DDoSia issues requests as instructed by a configuration file that the malware receives from a C2 server when started.”
DDoSia is distributed through a fully-automated process on Telegram that allows individuals to register for the crowdsourced initiative in exchange for a cryptocurrency payment and a ZIP archive containing the attack toolkit.
What’s noteworthy about the new version is the use of encryption to mask the list of targets to be attacked, indicating that the tool is being actively maintained by the operators.
“NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims,” Sekoia said.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of targeted denial-of-service (DoS) and DDoS attacks against multiple organizations in multiple sectors.
“These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible,” the agency said in a bulletin.
Although CISA did not provide any additional specifics, the warning overlaps with claims by Anonymous Sudan on its Telegram channel that it had taken down the websites of the Department of Commerce, Social Security Administration (SSA), and the Treasury Department’s Electronic Federal Tax Payment System (EFTPS).
Anonymous Sudan attracted attention last month for carrying Layer 7 DDoS attacks against various Microsoft services, including OneDrive, Outlook, and Azure web portals. The tech giant is tracking the cluster under the name Storm-1359.
The hacking crew has asserted it’s conducting cyber strikes out of Africa on behalf of oppressed Muslims across the world. But cybersecurity researchers believe it to be a pro-Kremlin operation with no ties to Sudan and a member of the KillNet hacktivist collective.
In an analysis released on June 19, 2023, Australian cybersecurity vendor CyberCX characterized the entity as a “smokescreen for Russian interests.” The company’s website has since become inaccessible, greeting visitors with a “403 Forbidden” message. The threat actor claimed responsibility for the cyber attack.
“The reason for the attack: stop spreading rumors about us, and you must tell the truth and stop the investigations that we call the investigations of a dog,” Anonymous Sudan said in a message posted on June 22, 2023.
Anonymous Sudan, in a Bloomberg report last week, further denied it was connected to Russia but acknowledged they share similar interests, and that it goes after “everything that is hostile to Islam.”
CISA’s latest advisory has also not gone unnoticed, for the group posted a response on June 30, 2023, stating: “A small Sudanese group with limited capabilities forced ‘the most powerful government’ in the world to publish articles and tweets about our attacks.”