Pierluigi Paganini
May 26, 2023
Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed denial-of-service (DDoS) attacks.
The botnet borrows code from several popular bot families, including Mirai, Gafgyt, and Qbot.
The Dark Frost botnet was used to target gaming companies, game server hosting providers, online streamers, and even other members of the gaming community who the threat actor interacted with directly.
The researchers first gathered a Dark Frost binary sample on February 28, 2023, that targeted one of its HTTP honeypots. The threat actors were attempting to exploit a remote code execution (RCE) in misconfigured Hadoop YARN servers. The experts highlight that the vulnerability exploited in the attacks has been in existence since 2014.
According to a screenshot taken by the malware author, the botnet was composed of at least 414 machines as of February 2023. Most of the infected machines are based on ARMv4 architectures, specifically MIPSEL and x86.
The botnet operators compiled the bot code specifically for ARMv4 and ARMv7 because ARMv4 is compatible with ARMv5 and ARMv6, this means that the malware can also target modern ARMv7 architecture.
The analysis of the bot revealed that the malware supports eight total attacks, including UDP and TCP, and more curious ones, such as zgoflood.
Akamai researchers estimated that the botnet can launch DDoS attacks of approximately 629.28 Gbps through a UDP flood attack.
“To continue the benchmark correctly, we had to start launching these attacks at the loopback to avoid fragmentation and listen on the loopback interface to re-measure (Table 2).” reads the analysis published by Akamai.
| Packet size | Packets captured | Total size | Output |
|---|---|---|---|
| 1,024 | 1,659,840 | 1.4G | 1.12 Gbps |
| 2,048 | 1,445,158 | 1.9G | 1.52 Gbps |
| 4,096 | 828,681 | 1.9G | 1.52 Gbps |
| 8,192 | 432,884 | 1.8G | 1.44 Gbps |
“As you can see, the optimal size for maximum output becomes 2,048. After this point, the number of packets getting sent drops significantly. This is likely due to the fact that the UDP packets are getting padded with “U” characters to make it the desired length, and this operation likely slows things down at larger sizes. With 1.52 Gbps as our new single node benchmark, we can multiply this by the number of nodes in the botnet as of February 2023 (414) to come out with 629.28 Gbps.”
Threat actors behind this botnet are active since at least May 2022, they published live recordings of their attacks to demonstrate the capabilities of the botnet.
The attackers set up a website to track requests and a discord channel to manage their DDoS-for-hire service.
“The reach that these threat actors can have is staggering despite the lack of novelty in their techniques. Although not the most advanced or mind-bending adversary, the Dark Frost botnet has still managed to accumulate hundreds of compromised devices to do its bidding.” concludes the report.
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)
Cyber Crime / November 30, 2023