CyberSecurity SEE

CatDDoS: Exploiting Over 80 Vulnerabilities and Launching Attacks on 300+ Targets


In a Distributed Denial of Service (DDoS) attack, attackers flood a targeted system, server, or network with malicious traffic from many sources at once.

These attacks are used not only to disrupt services but also as a distraction from other criminal activity, for extortion, to gain a competitive advantage, or for ideological reasons. When bogus requests from many compromised devices overwhelm a target's resources simultaneously, legitimate users are locked out of the affected platform.

Cybersecurity researchers at XLab have recently found that the CatDDoS botnet has been exploiting more than 80 vulnerabilities, with the number of daily targets exceeding 300 on some days.

According to XLab, its CTIA system has been monitoring the highly active DDoS botnets operated by CatDDoS-related groups, which it describes as an incessant threat. In the last three months alone, these groups have exploited more than 80 vulnerabilities in their campaigns, and the scale of the activity is evident from the fact that the number of daily targets exceeded 300 on some occasions.

Over the past few months, CatDDoS-affiliated groups have exploited more than 80 known vulnerabilities. Some of their exploit requests carry the parameter names "Cacti-n0day" and "skylab0day", which may hint at the use of 0-day exploits. The victims are spread worldwide, concentrated in the US, France, Germany, Brazil, and China, and in industries such as cloud services, education, research, telecommunications, public administration, and construction.
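The two parameter names quoted above are usable as a detection indicator on any web server that CatDDoS probes. The following is an added example, not XLab's tooling and not code from the botnet: it parses common-format access-log lines and flags requests whose query-string parameter names match the indicators, percent-decoding the names and keeping a bare marker with no value. The log lines, paths and IP addresses are constructed for the demo.

```python
"""Flag HTTP requests whose query-string parameter names match the CatDDoS
exploit markers XLab reported ("Cacti-n0day" and "skylab0day").

Added example, not XLab's tooling. The indicators are the parameter names
quoted in the article; the access-log lines below are constructed for the demo.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter NAMES the report associates with CatDDoS exploit requests,
# lower-cased so the comparison is case-insensitive.
BAD_PARAM_NAMES = {"cacti-n0day", "skylab0day"}

# Common/combined log format: client ip, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return the indicator names present as query parameters in `target`.

    parse_qsl percent-decodes names (so `cacti%2Dn0day` is caught) and
    keep_blank_values keeps a bare `?skylab0day` with no value, which is
    one way a probe can carry the marker.
    """
    query = urlsplit(target).query
    names = {name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)}
    return names & BAD_PARAM_NAMES


def scan_log(lines):
    """Return (ip, target, matched_names) for every request carrying an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        matched = suspicious_params(m.group("target"))
        if matched:
            hits.append((m.group("ip"), m.group("target"), sorted(matched)))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2024:13:02:11 +0000] "GET /cgi-bin/index.cgi?Cacti-n0day=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2024:13:02:12 +0000] "POST /index.php?skylab0day HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.9 - - [10/May/2024:13:02:13 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2024:13:02:14 +0000] "GET /setup.cgi?cacti%2Dn0day=x HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, target, names in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {names}")
```

Matching on the parameter name rather than the full URL keeps the rule independent of which of the 80-plus exploited endpoints a given probe hits; the cost is that a hit only tells you a CatDDoS-style exploit attempt arrived, not whether it succeeded, so the response status and the targeted path still need a look.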

CatDDoS is a Mirai variant known by its cat-related moniker, and it has launched many short-lived DDoS attacks on organizations such as Shanghai Network Technology Co., LTD. Although the original operation shut down in December 2023 after its source code leaked, several variants built on the leaked code base, among them RebirthLTD and Komaru, have emerged since. These variants share code, communication design, and decryption methods, so XLab refers to them collectively as "CatDDoS-related gangs."

Active variants such as "v-2.0.4" and "v-Rebirth" use OpenNIC domains for their C2 and chacha20 encryption. Their changes to the original code focus on hindering analysis, for example stripping symbols or altering the packing shell. The v-snow_slide variant, attributed to the now-defunct Aterna group, resembles Fodcha in its output strings, encryption, C2 domains, and communication protocol.

The researchers also found "template sharing" between groups: the same malware source code reused with minor adjustments, which produces code homology. Some families even use the same chacha20 algorithm with a common key. The C2 infrastructure of certain variants was itself the target of DDoS attacks, pointing to infighting among operators competing for resources, a common scenario in the IoT botnet landscape.
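The chacha20 detail in the two paragraphs above is what an analyst actually works with when triaging one of these samples, so here is an added example that is not code from XLab or from the botnets. It shows two things: the 16-byte ChaCha20 setup constant "expand 32-byte k" is present in every ChaCha20 state, so a plain byte search for it is a cheap way to spot the cipher in a stripped binary; and a reference ChaCha20 (RFC 8439, 96-bit nonce, 32-bit counter) that, given a key recovered from one family, decrypts an embedded blob, which is exactly why a key shared across families makes their configs interchangeable to decrypt. The key, nonce, config string and the fake "binary" are made up for the demo; the real CatDDoS keys are not on this page, and a given sample may use the older 64-bit-nonce layout instead of the RFC one assumed here.

```python
"""Triage helpers for Mirai-style samples that protect their config with
ChaCha20, as the article describes for the CatDDoS variants.

Added example, not code from XLab or from the botnet. DEMO_KEY, DEMO_NONCE
and DEMO_CONFIG are constructed for the demo and are NOT the real values.
The RFC 8439 layout (32-bit counter, 96-bit nonce) is assumed.
"""
import struct

SIGMA = b"expand 32-byte k"   # the 16-byte constant in every ChaCha20 state
MASK = 0xFFFFFFFF


def find_chacha_constant(blob):
    """Return every offset at which the ChaCha20 constant appears in `blob`."""
    offs, i = [], blob.find(SIGMA)
    while i != -1:
        offs.append(i)
        i = blob.find(SIGMA, i + 1)
    return offs


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _qr(s, a, b, c, d):
    """RFC 8439 quarter round on state words a, b, c, d (in place)."""
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    assert len(key) == 32 and len(nonce) == 12
    state = list(struct.unpack("<4I", SIGMA) + struct.unpack("<8I", key)
                 + (counter,) + struct.unpack("<3I", nonce))
    work = state[:]
    for _ in range(10):                     # 20 rounds = 10 double rounds
        _qr(work, 0, 4, 8, 12)              # column rounds
        _qr(work, 1, 5, 9, 13)
        _qr(work, 2, 6, 10, 14)
        _qr(work, 3, 7, 11, 15)
        _qr(work, 0, 5, 10, 15)             # diagonal rounds
        _qr(work, 1, 6, 11, 12)
        _qr(work, 2, 7, 8, 13)
        _qr(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK for w, s in zip(work, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt `data` (the same XOR operation) with ChaCha20."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


# Constructed demo material (hypothetical; NOT a real CatDDoS key or config).
DEMO_KEY = bytes(range(32))
DEMO_NONCE = b"\x00" * 4 + b"catddos!"       # 12-byte nonce, made up
DEMO_CONFIG = b"c2=example.invalid:1337;"    # made-up embedded config


def build_fake_sample():
    """Fake 'binary': padding, the ChaCha20 constant, 8 bytes, then the encrypted config."""
    return (b"\x90" * 32 + SIGMA + b"\x00" * 8
            + chacha20_xor(DEMO_KEY, DEMO_NONCE, DEMO_CONFIG))


def triage(blob, key, nonce):
    """Locate the constant, then try `key`/`nonce` on the blob that follows it.

    Returns (constant_offsets, decrypted_bytes). With a key shared across
    families, the same call decrypts configs from sibling variants.
    """
    offs = find_chacha_constant(blob)
    enc = blob[offs[0] + len(SIGMA) + 8:] if offs else b""
    return offs, chacha20_xor(key, nonce, enc)


if __name__ == "__main__":
    offs, cfg = triage(build_fake_sample(), DEMO_KEY, DEMO_NONCE)
    print("chacha20 constant at", offs, "->", cfg)
```

The constant search is only a first-pass signal: samples that inline the four 32-bit words separately, or that use a customised constant, will not be found this way, and a match says the cipher is there, not where the key lives. The block function is checked against the RFC 8439 test vector, so if a recovered key fails to decrypt a sample's blob, the next things to question are the nonce/counter layout and whether the variant modified the key schedule, not the cipher core.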

In conclusion, the CatDDoS botnet and its various iterations continue to pose a significant threat to cybersecurity due to their widespread exploitation of vulnerabilities and persistent DDoS attacks on a global scale. It is imperative for organizations to stay vigilant and implement robust security measures to protect against such malicious activities.
