Pierluigi Paganini July 05, 2023

The DDoSia attack tool received an upgrade, it supports a new security mechanism to conceal the list of targets.

Researchers at the cybersecurity firm Sekoia analyzed an updated variant of the DDoSia attack tool that was developed and used by the pro-Russia collective NoName(057)16.

The tool was employed in attacks against Ukraine and NATO countries, including the Eastern Flank (Lithuania, Poland, Czech Republic and Latvia).

Other major targets of DDoS attacks powered with the tool are France, the United Kingdom, Italy, Canada and other EU countries. These countries were targeted because they supported Ukraine both politically, militarily and economically since the beginning of the Russian invasion.

DDoSia relies on NoName057(16)’s Telegram channels for communication, the hacker group used a channel in Russian, counting more than 45,000 subscribers, and a second in English.

Users can join the group through the link hxxps://t[.]me/+fiTz615tQ6BhZWFi and gaining access to 7 different channels.

The tool was initially written in Python, the latest version is written in Golang and was released on 19 April 2023. This new version supports an additional security mechanism to conceal the list of targets.

Sekoia researchers downloaded the project and set up a dedicated attack infrastructure to retrieve the list of targets. Once set up the environment, the experts performed network sniffing to analyze the traffic between the client and the C2.

Upon launching the malware it first authenticates to the C2, then retrieves an encrypted list of targets.

“As a reminder, the client receives a JSON with two fields: an integer, named token and a base64 encoded field, named data. Dynamic analysis allowed for the calculation of all necessary values to decrypt the data” reads the analysis published by Sekoia. “Finally, the ciphertext corresponds to the value of the data field, from which the first 12 and last 32 bytes are removed. Now it is possible to get the value of the data field in plain text.”

Once the data is decrypted, it includes a dictionary in JSON format which is composed in two parts. The first field is called randoms, and the second field is called targets.

“NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims.” concludes the report. “Sekoia.io analysts assess that strengthening the security of their software is part of NoName057(16)’s efforts to continuously develop their capabilities, almost certainly driven by their active community as well as the increasing scrutiny of their activities from the CTI community. It is highly likely we will observe further developments in the short term.”

Sekoia also published Indicators Of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DDoSia)