HTTP bombing and target list encryption – DDoSia malicious toolkit has been updated to a new version
Cross-platform malware implemented in Python and Go is distributed via Telegram in exchange for a cryptocurrency payment.
The attackers behind the development of the DDoSia malware tool have developed a new version of the malware that includes an updated mechanism for obtaining a list of targets to bombard them with unwanted HTTP requests.
The updated version, written in Go, “implements an additional security mechanism to hide the list of targets that is passed from the hackers' C2 servers directly to users,” the cyber security company Sekoia said in a technical report.
DDoSia is attributed to a hacker group called NoName057(16), which allegedly has ties to Russia and acts in its interests. Launched in 2022 as the successor to the Bobik botnet, the DDoSia tool, according to Avast data, is designed to organize distributed denial-of-service (DDoS) attacks against targets located in different parts of the world.
Lithuania, Poland, Italy, Czech Republic, Denmark, Latvia, France, United Kingdom and Switzerland were the countries that suffered the most attacks between May 8 and June 26, 2023. A total of 486 different websites were affected.
“DDoSia is a multi-threaded application that performs denial of service attacks against target sites by repeatedly issuing network requests,” explained specialists SentinelOne in an analysis published in January 2023. “DDoSia issues requests according to the instructions in the configuration file that the malware receives from the C2 server on startup.”
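The traffic pattern described above, a client repeatedly issuing requests at a rate no human visitor produces, is also what a defender can look for in web server access logs. The following is an added example, not code from the original article or from the Sekoia or SentinelOne reports: a sliding-window counter per client address that flags any source exceeding a request threshold within a short window. The log lines, the IP addresses, and the window and threshold values are constructed assumptions to be tuned per site.

```python
"""Flag request bursts per client IP in Common Log Format access logs.

Added example (not from the article or the cited reports). The sample log,
addresses, window and threshold are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_flooders(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: peak_count} for clients that exceeded `threshold`
    requests inside any `window`-long span (assumed values)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the scan
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have aged out of the window (oldest first).
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def sample_log():
    """Constructed sample: one bursting client and one ordinary client."""
    base = datetime(2023, 6, 20, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):  # 60 requests in ~6 seconds from one address
        ts = (base + timedelta(milliseconds=100 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /login HTTP/1.1" 200 512')
    for i in range(5):  # 5 requests spread over 40 seconds from another
        ts = (base + timedelta(seconds=8 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.3 - - [{ts}] "GET / HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    for ip, count in find_flooders(sample_log()).items():
        print(f"{ip}: peak {count} requests inside the window")
```

The window and threshold are deliberately simple; in production they would be set from the site's normal per-client request rate, and the same counter can be keyed on a request path or user agent when a flood comes from many addresses at once.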
DDoSia is distributed using a fully automated Telegram bot that allows individuals to register in a crowdsourcing initiative, receiving a ZIP archive containing the attack tools in exchange for a cryptocurrency payment.
What is notable about the latest version of the toolkit is the use of encryption to mask the list of targets to be attacked, making it difficult for cybersecurity experts to analyze, and also indicating that the tool is actively maintained by operators.
“NoName057(16) is making efforts to make its malware compatible with multiple operating systems, which almost certainly reflects their intent to hit as many victims as possible,” Sekoia said.