NSFOCUS Reveals New Botnet Family RDDoS

NSFOCUS Reveals New Botnet Family RDDoS

January 16, 2024 | NSFOCUS

1. Introduction of the New Botnet RDDoS

In early November 2023, NSFOCUS’s Global Threat Hunting System detected that an unknown elf file was spreading widely, which aroused our vigilance. After further analysis, we confirmed that this batch of elf samples belonged to a new botnet family. NSFOCUS Security Research Labs named the botnet Trojan as RDDoS.

The main function of the RDDoS is to launch DDoS attacks and it has the ability to execute commands, which further improves its threat. RDDoS also sets online parameters to distinguish the type of infected devices, and at the same time distinguishes real devices and sandboxes by whether the online package carries operating parameters. RDDoS has strong adversarial capabilities.

Monitoring data shows that RDDoS tends to use ICMP_flood method to launch DDoS attacks on targets 24 hours a day, and nearly 80% of attack activities are carried out in this way. In terms of target selection, the first choice for RDDoS was the United States (36%), followed by Brazil (22%) and France (15%). In addition, countries such as China, Germany and the Netherlands were also affected.

Distribution of RDDoS Attack Targets

2. Sample Analysis of Botnet RDDoS

Host-side Behaviors

RDDoS will first change the working directory of the current process to the root directory during operation, and then create a sub-process. If the sub-process is not created successfully, it will exit directly. After the sub-process is created successfully, subsequent functions will continue to be executed in the sub-process.

Initial Phase

There are two ways for the controlled terminal to execute on the victim host, with and without parameters. Different ways determine the content of the online package when it is first launched. It is presumed that the attacker’s intention is to make a corresponding judgment according to the online content. The online parameters can be used to distinguish the type of infected device. In addition, if the online package contains parameters and the parameters are correct, it indicates that the controlled terminal is issued by the attacker; if the controlled terminal does not carry parameters during execution, the “unknown” string will be spliced into the online content, indicating that the Trojan may be in a sandbox environment.

Execution Phase

Online Package Characteristics

In the process of establishing a connection with the control terminal, the controlled terminal will splice the command line parameters as an online package. When no parameter is transmitted, the “unknown” string will be spliced, as shown in the following figure.

Construct On-line Package

The traffic generated when going online is shown in the following figure:

Splicing Packets with Command-Line Parameters

Splicing Packets without Command-Line Parameters

Instruction Analysis

After the online operation is completed, the controlled terminal waits for an instruction issued by the control terminal and judges subsequent operations according to parameters such as instruction length and first-byte value. The implementation process is as follows:

RDDoS Instruction Processing Flow

When the first byte of received data is “0x02”, the bot process terminates; when the first byte of received data is “0x03”, the sub-process created earlier ends; when the first byte of received data is “0x04”, the bot executes the corresponding command through /bin/sh.

Directives

The DDoS function is executed when the data length received by the bot is greater than 13 and the first byte is “0x05”, “0x06”, “0x07”, “0x08” or “0x09”.

Launch DDoS Attack

The DDoS attack instruction is parsed as follows:

Table 1 Instruction Parsing

Receive DataImplicationComment
recv_buf[0]Attack type1 byte to determine the type of attack (e.g. 0x05->UDP, 0x06->ICMP, 0x07->TCP_SYN, 0x08->TCP_ACK, 0x09->TCP_PSH_ACK)
recv_buf[1-4]Destination IP4 bytes, determining the IP address of the target host
recv_buf[5-6]Destination port2 bytes, determine the target host port. If it is 0x0000, it will be randomly generated
recv_buf[7-10]Attack duration4 bytes, determining the attack duration
recv_buf[11-12]Packet length2 bytes, determining the length of data packets sent to the target host
recv_buf[13]Source IP structure1 byte. The value of 1 indicates that the source IP is randomized, and other values indicate that the source IP is the IP address of the controlled host

 

3. Conclusion

The RDDoS is relatively uncomplicated. It is a new botnet family built from scratch. Recently, its controllers have continuously updated and iterated the Trojan to add new DDoS attack methods and improve functions. It is worth noting that it also possesses command execution capabilities, which further increases the level of threat it poses.

In recent years, it has been common for attackers to use botnets as channels and then launch APT or ransomware attacks based on them. We need to strengthen our attention to this type of botnet, as most of the newly emerging botnet families, although appearing to be extremely simple-looking Trojans, may have a constant influx of variants.

We infer that the family will remain active for some time to come, and NSFOCUS Security Research Labs will continue to strengthen its monitoring of this botnet family and the threat actors operating behind it.

NSFOCUS Anti-DDoS solution stands at the forefront of safeguarding organizations against the rising threat of RDDoS attacks. Leveraging a vast database of global threat intelligence and cutting-edge technology, NSFOCUS provides a comprehensive defense mechanism to detect, mitigate, and neutralize  RDDoS threats effectively.

4. IOC

09b8159120088fea909b76f00280e3ebca23a54f2b41d967d0c89ebb82debdbf

7ca0663c88c59b83f26b6ae8664d189a