The Fodcha DDoS botnet has 1 Tbps power, injects ransoms in packets

The threat actor behind the Fodcha botnet has resurfaced with new capabilities, and security researchers have investigated further. Fodcha's activity first peaked earlier this April, with the malware spreading through known vulnerabilities in Android and IoT devices as well as weak Telnet or SSH passwords.

Researchers discovered the Fodcha malware in April 2022, and since then it has been quietly improved, becoming steadily more effective. In the latest version, Fodcha version 4, changes have been made in reaction to the researchers' earlier findings so as to hinder further analysis after a takedown.

The most significant change in this version is that ransom demands are delivered inside the DDoS packets sent directly to the victim's network. On top of that, the botnet now encrypts the communication link between the malware and its C2 servers, making it harder for security researchers to analyze the malware and attempt to take the network down.

More DDoS Power

One research study reported that Fodcha has grown into a massive botnet with more than 60,000 nodes and 40 command-and-control (C2) domains, capable of generating more than 1 Tbps of traffic.

In October 2022, the malware targeted 1,396 devices in a single day, the peak of its activity. The countries most targeted by the botnet since late June 2022 are China, the United States, Singapore, Japan, Russia, Germany, France, the United Kingdom, Canada, and the Netherlands.

Notable targets range from healthcare and law enforcement agencies to a cloud service provider that was hit with more than 1 Tbps of traffic.

Embedding Ransom Demands

The latest evolution of Fodcha's DDoS tooling reportedly lets its operators profit directly from attacks. By reverse-engineering the DDoS packets, researchers at Proofpoint found that Fodcha demands 10 XMR (Monero) from victims, an amount estimated at approximately $1,500 per extortion attempt.

These demands are hidden in the 'Data' field of the DDoS packet payload and threaten further attacks until payment is made.
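As an added example (not code from the article or from the researchers it cites), the following Python sketch shows how a defender could scan captured UDP payloads for an embedded ransom note of the kind described above: it pulls out printable runs the way `strings` does, looks for extortion keywords and a Monero-style address pattern, and flags packets that show enough signals. The sample payloads and the wallet address are constructed placeholders; the keyword list, the signal threshold and the minimum run length are assumptions to tune against real captures.

```python
import re
import string
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Set, Tuple

# Printable ASCII bytes, minus vertical tab and form feed (treated as binary noise).
PRINTABLE = set(string.printable.encode("ascii")) - {0x0B, 0x0C}

# Extortion keywords to look for (assumption: tune to the notes you actually observe).
KEYWORDS = (b"xmr", b"monero", b"ddos", b"ransom")

# Monero-style standard address: 95 base58 characters starting with 4 or 8.
MONERO_ADDR = re.compile(rb"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")


@dataclass(frozen=True)
class Finding:
    packet_index: int
    keywords: Tuple[str, ...]
    addresses: Tuple[str, ...]
    note: str


def printable_runs(payload: bytes, min_len: int = 16) -> Iterator[bytes]:
    """Yield runs of printable ASCII at least min_len bytes long (like `strings`)."""
    run = bytearray()
    for b in payload:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield bytes(run)
        run = bytearray()
    if len(run) >= min_len:
        yield bytes(run)


def score_payload(payload: bytes) -> Tuple[Set[str], Set[str], str]:
    """Return (keywords hit, Monero-style addresses, recovered text) for one payload."""
    hits: Set[str] = set()
    addrs: Set[str] = set()
    text: List[str] = []
    for run in printable_runs(payload):
        low = run.lower()
        hits.update(kw.decode() for kw in KEYWORDS if kw in low)
        addrs.update(a.decode() for a in MONERO_ADDR.findall(run))
        text.append(run.decode("ascii"))  # safe: runs contain only printable ASCII
    return hits, addrs, " ".join(text)


def find_ransom_notes(payloads: Iterable[bytes], min_signals: int = 2) -> List[Finding]:
    """Flag payloads whose combined signals (keywords plus address) reach min_signals.

    A wallet address counts double because it is the strongest single indicator.
    """
    findings = []
    for i, payload in enumerate(payloads):
        hits, addrs, note = score_payload(payload)
        signals = len(hits) + (2 if addrs else 0)
        if signals >= min_signals:
            findings.append(Finding(i, tuple(sorted(hits)), tuple(sorted(addrs)), note))
    return findings


# Constructed sample payloads; the address is a placeholder, not a real wallet.
FAKE_ADDR = "4" + "A" * 94
SAMPLE_PAYLOADS = [
    b"\x00" * 8 + f"Pay 10 XMR to {FAKE_ADDR} or the DDoS continues".encode() + b"\x00" * 8,
    bytes(range(256)),                                   # random-looking flood filler
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",  # ordinary traffic
]

if __name__ == "__main__":
    for f in find_ransom_notes(SAMPLE_PAYLOADS):
        print(f"packet {f.packet_index}: keywords={f.keywords} addresses={f.addresses}")
        print(f"  note: {f.note}")
```

Run it as a script to see the single constructed note flagged; in practice you would feed it the UDP payloads from a packet capture taken during the flood, and the recovered text gives the incident responder the demand and wallet to record without having to read raw hex.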

Monero's built-in privacy features make it unsuitable for most US cryptocurrency exchanges; consequently, the majority of exchanges will not list Monero for fear of facilitating unlawful activity or money laundering.

As a result, although ransomware gangs and other online threat actors commonly request XMR as a payment option, most companies opt to pay in Bitcoin, and the same applies to DDoS extortion.

Research has also revealed that abuse of the Connectionless Lightweight Directory Access Protocol (CLDAP) as a reflection vector amplifies the scale of DDoS attacks. As many as 12,142 open CLDAP reflectors have been identified, most of them in the U.S. and Brazil, with smaller numbers in India, Germany, and Mexico.
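The CLDAP reflection described above leaves a recognisable pattern in flow records, both at the victim and at an organisation whose own directory server is being abused as a reflector. The following Python is an added example, not from the article or its sources: it reads constructed flow records in a simple whitespace-separated format (an assumption; real NetFlow/IPFIX exports differ), flags destinations receiving large UDP responses sourced from port 389 at several distinct hosts, and separately lists internal hosts that exchange CLDAP with external addresses, which is how you discover that your own domain controllers are reachable as reflectors. The thresholds and the internal address prefixes are assumptions to tune.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

CLDAP_PORT = 389  # CLDAP is LDAP carried over UDP on port 389

# Assumption: RFC 1918 prefixes in use on this network (172.16/12 omitted for brevity).
INTERNAL_PREFIXES = ("10.", "192.168.")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flow_line(line: str) -> Flow:
    """Parse one record: 'src_ip:port dst_ip:port proto packets bytes' (constructed format)."""
    src, dst, proto, pkts, byts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto.lower(), int(pkts), int(byts))


def parse_flows(text: str) -> List[Flow]:
    return [parse_flow_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def detect_cldap_reflection(flows: Iterable[Flow], min_reflectors: int = 3,
                            min_bytes_per_packet: int = 500) -> Dict[str, List[str]]:
    """Map victim IP -> reflector IPs for victims receiving large UDP traffic
    sourced from port 389 by at least min_reflectors distinct hosts.

    A legitimate CLDAP reply is small and comes from one directory server; an
    amplification flood is large per packet and arrives from many servers at once.
    """
    reflectors_by_victim = defaultdict(set)
    for f in flows:
        if f.proto != "udp" or f.src_port != CLDAP_PORT or f.packets == 0:
            continue
        if f.bytes / f.packets >= min_bytes_per_packet:
            reflectors_by_victim[f.dst_ip].add(f.src_ip)
    return {victim: sorted(srcs) for victim, srcs in reflectors_by_victim.items()
            if len(srcs) >= min_reflectors}


def exposed_cldap_servers(flows: Iterable[Flow]) -> List[str]:
    """Internal hosts exchanging UDP/389 with external addresses: they can be
    abused as reflectors and should be firewalled from the Internet."""
    exposed = set()
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == CLDAP_PORT and is_internal(f.dst_ip) and not is_internal(f.src_ip):
            exposed.add(f.dst_ip)  # external query reaching our server
        if f.src_port == CLDAP_PORT and is_internal(f.src_ip) and not is_internal(f.dst_ip):
            exposed.add(f.src_ip)  # our server answering an external host
    return sorted(exposed)


# Constructed flow records using documentation address ranges (RFC 5737).
SAMPLE_FLOWS = """
203.0.113.1:389 198.51.100.10:4444 udp 120 360000
203.0.113.2:389 198.51.100.10:4444 udp 95 285000
203.0.113.3:389 198.51.100.10:4444 udp 110 330000
203.0.113.4:389 198.51.100.10:4444 udp 3 450
10.0.0.5:50123 10.0.0.1:389 udp 1 60
10.0.0.1:389 10.0.0.5:50123 udp 1 300
192.0.2.7:4444 10.0.0.1:389 udp 1 60
10.0.0.1:389 192.0.2.7:4444 udp 1 3000
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("reflection victims:", detect_cldap_reflection(flows))
    print("exposed CLDAP servers:", exposed_cldap_servers(flows))
```

In the constructed data the victim 198.51.100.10 is hit by three reflectors sending roughly 3,000 bytes per packet, while the small internal client-to-DC exchange is ignored; the same DC shows up as exposed because an external address queried it and it answered. Blocking UDP/389 from the Internet at the perimeter is the mitigation the second check points you to.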
