This rapidly expanding botnet is launching DDoS attacks left, right and center

By Sead Fadilpašić
published

Researchers found a new botnet with more than 10,000 infected devices

DDoS Attack
(Image credit: Shutterstock)

Researchers from Qihoo 360 have discovered a brand new, gargantuan botnet, capable of launching more than 100 attacks every single day.

The threat actor is targeting devices such as routers, DVRs, and servers with malware (opens in new tab) known as Fodcha. In less than a month, the researchers have discovered, the threat actors managed to infect more than 62,000 devices with the Fodcha malware.

At every point in time, roughly 10,000 devices are being used to launch Distributed Denial of Service (DDoS (opens in new tab)) attacks, using the services of China Unicom (59%) and China Telecom (39%). 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab)

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

Targeting hundreds of victims daily

"Based on direct data from the security community that we worked with, the number of daily live bots are more than 56000," the researchers allegedly said. "The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and also more than 100 DDoS victims being targeted on a daily basis."

To compromise the endpoints (opens in new tab), the attackers are using a slew of exploits that abuse n-day vulnerabilities in devices and services including Android ADB Debug Server RCE, Realtek Jungle SDK, TOTOLINK Routers, ZHONE Routers, and others.

Furthermore, the botnet targets MIPS, MPSL, ARM, x86, and other CPU architectures. 

Read more

> DDOS attacks: how to prevent and protect your business against them (opens in new tab)

> DDoS attacks could soon be bigger and more dangerous than ever (opens in new tab)

> A new botnet is launching attacks on millions of routers and IoT devices (opens in new tab)

The initial domain used for command-and-control (C2), folded[.]in, was shut down by the vendor, on March 19, the researchers further said. After that, the threat actors migrated to fridgexperts[.]cc.

"The shift from v1 to v2 is due to the fact that the C2 servers corresponding to the v1 version were shutdown by a their cloud vendor, so Fodcha's operators had no choice but to re-launch v2 and update C2," the researchers said.

"The new C2 is mapped to more than a dozen IPs and is distributed across multiple countries including the US, Korea, Japan, and India, it involves more cloud providers such as Amazon, DediPath, DigitalOcean, Linode, and many others."

Via: BleepingComputer (opens in new tab)

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

See more Computing news