Russian Hacktivists Peddling DDoS-As-A-Service in Cyber-Crime Forum
Cyble Research and Intelligence Labs (CRIL) recently uncovered a new strain of malware named “MDBotnet” on a cybercrime forum. Our analysis indicates that the origins of this malware can be attributed to a Threat Actor (TA) associated with Russia. This MDBotnet malware has been specifically designed for carrying out distributed denial-of-service (DDoS) attacks on targeted victims by employing an HTTP/SYN flood attack technique.
A DDoS attack is a malicious attempt to disrupt the normal functioning of a computer network, service, or website by overwhelming it with a flood of internet traffic or requests. The primary objective of a DDoS attack is to disrupt the target’s operations, cause financial loss, or damage its reputation.
The price mentioned for the MDBotnet service is 2,500₽ (Russian Rubles) with a lifetime access offer. Additionally, the advertisement provides detailed information about the features included in the MDBotnet service.
The figure below illustrates the MDBotnet advertisement by the TA on a cybercrime forum.
We took the following sample for this analysis (SHA256: ae582545c3196afa5ac6419db9d57b11633e8282f29e3cd48fe31b9dd250a963), which is a GUI-based 32-bit executable compiled for .NET, as shown below.
The main function of the MDBotnet executable, named “SlavaRussia.exe,” is responsible for performing the malicious activities depicted in the figure below.
Upon execution, the MDBotnet executable file carries out the following actions:
- To begin with, the malware establishes a TCP socket connection to a server by providing the server’s IP address (212[.]109[.]199[.]128) and port number (4202) obtained from the “Config” class shown in the figure below.
- Next, the malware retrieves the path of the %appdata% folder and verifies the presence of a specific file named “Updater.exe” within that directory. If the file is not found, it sends a “GET_UPDATER” message to the server and proceeds to invoke the GetUpdater method from the Update class (Update.GetUpdater) to download the “Updater.exe” from the server. The “Updater.exe” file is responsible for downloading the most recent version of the MDBotnet executable (“svhost.exe”) from the server.
- Subsequently, the malware verifies whether the executing assembly is located at %appdata%\svhost.exe. If not, the malware proceeds to invoke the Start method of the Update class (Update.Start), triggering the execution of the “Updater.exe”, which downloads “svhost.exe” from C&C and drops it in the %appdata% directory.
The figure below shows the presence of downloaded files in the %appdata% directory by the malware.
- Persistence: the botnet then creates a registry key that ensures “svhost.exe” runs automatically at startup, as shown below.
- Finally, the malware enters into an infinite loop where it receives data from the server and performs actions based on the received commands.
- If the “UPDATE” command is received, it calls the Start method of the Update class to execute the “Updater.exe”, which downloads the latest “svhost.exe” from the remote server.
- If the “HTTP_GET” command is received, it calls the Start method of the HTTPGetAttack class, passing the argument (URL) extracted from the command sent by the C&C server.
The primary objective of the HTTPGetAttack class is to carry out a distributed denial-of-service (DDoS) attack by sending repetitive HTTP GET requests to a designated URL. The Start method initiates a new thread responsible for executing the attack (HTTPGetAttack.Start), while the HTTPAttack method continually spawns additional threads that send the HTTP GET requests (HTTPGetAttack.HTTPAttack), as shown in the figure below.
MDBotnet malware can launch a SYN flood attack, also called a “SYNAttack”. This type of cyber-attack focuses on exploiting the Transmission Control Protocol (TCP) handshake process used for establishing network connections between devices. The objective of a SYN attack is to flood the targeted system with an excessive number of connection requests, leading to system overload, unresponsiveness, or even a complete crash.
It’s worth noting that in the analyzed sample, use of the SYNAttack class appears to have been disabled when the executable binary was built. The figure below shows the decompiled code of the SYNAttack class.
The main purpose of the “Updater.exe” file is to download the most recent version of the MDBotnet executable (svhost.exe) from the remote server.
The code begins by sleeping for 2000 milliseconds (2 seconds) using the Thread.Sleep method. Then, the malware establishes a connection to the server using the Connect method, providing the server’s IP address and port obtained from the “Config” class.
After that, the MDBotnetUpdater sends the string “UPDATE_CONFIRM” to the server and downloads the latest MDBotnet executable named “svhost.exe”.
Finally, the malware executes the newly downloaded file using Process.Start(), and the current process is terminated using Process.GetCurrentProcess().Kill().
The MDBotnetUpdater (Updater.exe) code snippet is illustrated in the figure below.
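The C&C exchange (GET_UPDATER, UPDATE, HTTP_GET &lt;url&gt;, UPDATE_CONFIRM), the hard-coded endpoint and the Run-key persistence described above give a defender concrete things to look for. The following Python is an added detection example written for this write-up, not code from the report or the malware; the telemetry it inspects is constructed, and the Alert type, function names and sample hosts are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Values taken from the write-up: C2 endpoint, protocol strings, dropped file name.
C2_HOST, C2_PORT = "212.109.199.128", 4202
BOT_MESSAGES = {"GET_UPDATER", "UPDATE_CONFIRM"}               # bot / Updater.exe -> C2
C2_COMMAND = re.compile(r"^(UPDATE|HTTP_GET)(?:\s+(\S+))?$")   # C2 -> bot
DROPPER_NAME = "svhost.exe"   # lookalike of the legitimate svchost.exe

@dataclass(frozen=True)
class Alert:            # hypothetical alert record
    kind: str
    detail: str

def inspect_payload(src: str, dst: str, dport: int, payload: str) -> list[Alert]:
    """Classify one TCP payload against the MDBotnet C2 protocol."""
    alerts, text = [], payload.strip()
    if dst == C2_HOST and dport == C2_PORT:
        alerts.append(Alert("c2-endpoint", f"{src} -> {dst}:{dport}"))
    if text in BOT_MESSAGES:
        alerts.append(Alert("bot-checkin", text))
    m = C2_COMMAND.match(text)
    if m and m.group(1) == "UPDATE":
        alerts.append(Alert("self-update", "Updater.exe execution requested"))
    elif m and m.group(1) == "HTTP_GET" and m.group(2):
        alerts.append(Alert("ddos-task", f"HTTP GET flood against {m.group(2)}"))
    return alerts

def inspect_run_keys(values: dict[str, str]) -> list[Alert]:
    """Flag Run-key values that start svhost.exe from the roaming AppData folder."""
    alerts = []
    for name, cmd in values.items():
        path = cmd.strip('"').lower()
        if path.endswith("\\" + DROPPER_NAME) and "\\appdata\\roaming\\" in path:
            alerts.append(Alert("persistence", f"Run\\{name} = {cmd}"))
    return alerts

# Constructed telemetry (not captured traffic) mirroring the described behaviour.
SAMPLE_FLOWS = [
    ("10.0.0.5", "212.109.199.128", 4202, "GET_UPDATER\n"),
    ("212.109.199.128", "10.0.0.5", 51000, "HTTP_GET http://target.example/\n"),
    ("10.0.0.5", "198.51.100.7", 443, "GET / HTTP/1.1\r\n"),
]
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    "svhost": r"C:\Users\bob\AppData\Roaming\svhost.exe",
}

def run_demo() -> list[Alert]:
    """Run both checks over the constructed samples and return every alert raised."""
    alerts = [a for f in SAMPLE_FLOWS for a in inspect_payload(*f)]
    return alerts + inspect_run_keys(SAMPLE_RUN_KEYS)
```

Ordinary HTTPS traffic and the genuine OneDrive Run value produce no alert, while the check-in, the HTTP_GET tasking and the %appdata% svhost.exe entry each do.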
Underground forums enable cybercriminals to easily acquire malware and additional services, allowing them to engage in financial fraud, cause disruption, or inflict damage on victims without needing extensive technical expertise. The availability of malware bots and related services has significantly heightened the vulnerability of individuals and organizations to cyber-attacks, including DDoS attacks.
Currently, the TAs responsible for MDBotnet are actively involved but with limited functionalities. Although the code for the SYN flood attack is present in the malware, it remains inactive, indicating that the malware is still in development. This implies that upcoming versions of MDBotnet might feature enhanced utilization of various DDoS techniques, encompassing a broader range of attack methods.
CRIL will continue to monitor MDBotnet developments and keep our readers aware and informed.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading pirated software from warez/torrent websites. “Hack tools” advertised on sites such as YouTube and torrent sites commonly carry such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Update and upgrade your computer, mobile, and other connected devices.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beaconing at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Discovery | T1083 | File and Directory Discovery |
| Command and Control | T1105 | Ingress Tool Transfer |
Indicators Of Compromise