This rapidly expanding botnet is launching DDoS attacks left, right and center

DDoS Attack (Image credit: Shutterstock)

Researchers from Qihoo 360 have discovered a brand new, gargantuan botnet, capable of launching more than 100 attacks every single day.

The threat actor is targeting devices such as routers, DVRs, and servers with malware known as Fodcha. In less than a month, the researchers have discovered, the threat actors managed to infect more than 62,000 devices with the Fodcha malware.

At every point in time, roughly 10,000 devices are being used to launch Distributed Denial of Service (DDoS) attacks, using the services of China Unicom (59%) and China Telecom (39%). 


Targeting hundreds of victims daily

"Based on direct data from the security community that we worked with, the number of daily live bots is more than 56,000," the researchers allegedly said. "The global infection looks fairly big, as just in China there are more than 10,000 daily active bots (IPs) and also more than 100 DDoS victims being targeted on a daily basis."

To compromise the endpoints, the attackers are using a slew of exploits that abuse n-day vulnerabilities in devices and services including Android ADB Debug Server RCE, Realtek Jungle SDK, TOTOLINK Routers, ZHONE Routers, and others.

Furthermore, the botnet targets MIPS, MPSL, ARM, x86, and other CPU architectures. 

The initial domain used for command-and-control (C2), folded[.]in, was shut down by the vendor on March 19, the researchers further said. After that, the threat actors migrated to fridgexperts[.]cc.

"The shift from v1 to v2 is due to the fact that the C2 servers corresponding to the v1 version were shut down by their cloud vendor, so Fodcha's operators had no choice but to re-launch v2 and update C2," the researchers said.

"The new C2 is mapped to more than a dozen IPs and is distributed across multiple countries including the US, Korea, Japan, and India; it involves more cloud providers such as Amazon, DediPath, DigitalOcean, Linode, and many others."
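As an added example (not code from the article or from the Qihoo 360 researchers), the following Python script refangs the two defanged C2 domains named above and scans DNS query logs for lookups of those domains or any of their subdomains; the log line format and the sample lines are constructed for this example, not taken from any real capture.

```python
import re
from typing import Dict, Iterable, List, Optional

# The two C2 domains named in the article, in the defanged form used there.
DEFANGED_C2_DOMAINS = ["folded[.]in", "fridgexperts[.]cc"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'folded[.]in' back into a real hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}

# Assumed log format (constructed for this example): "<timestamp> <client_ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def matches_c2(qname: str) -> Optional[str]:
    """Return the matching C2 domain if qname is that domain or one of its subdomains."""
    host = qname.lower().rstrip(".")  # normalise case and a trailing root dot
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None  # note: 'notfolded.in' must NOT match 'folded.in'


def find_c2_lookups(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan DNS query log lines and return one record per lookup of a known C2 domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        domain = matches_c2(m["qname"])
        if domain:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "c2": domain})
    return hits


# Constructed sample log lines; the client addresses are RFC 1918 placeholders.
SAMPLE_LOG = """\
2022-04-13T10:01:02Z 192.168.1.20 www.example.com A
2022-04-13T10:01:05Z 192.168.1.41 fridgexperts.cc. A
2022-04-13T10:01:09Z 192.168.1.41 c2.FRIDGEXPERTS.cc A
2022-04-13T10:02:11Z 192.168.1.77 notfolded.in A
2022-04-13T10:02:30Z 192.168.1.77 folded.in AAAA
"""

if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} looked up {hit['qname']} (matches C2 {hit['c2']})")
```

Running it on the sample flags three lookups (two from 192.168.1.41, one from 192.168.1.77) and correctly ignores the look-alike notfolded.in.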

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.