The DDoS Monster Returns: the Fodcha Botnet Bares Its Fangs Again

360Netlab documents the return of the Fodcha DDoS botnet, detailing a renewed version with a dual OpenNIC/ICANN C2 and strong encryption to evade detection, plus large-scale DDoS operations that exceeded tens of thousands of bots and terabit traffic. The post also highlights taunts from the Fodcha operators and provides a technical breakdown of config decryption, C2 discovery, and staged communications. #Fodcha #Netlab360 #OpenNIC #ICANN #xxtea #DDoS #Mirai

Keypoints

  • Fodcha re-emerges after a brief takedown, delivering new versions with redesigned C2 infrastructure and encryption.
  • The malware uses a dual C2 design: OpenNIC as the primary C2 and ICANN as a backup, forming a redundancy mesh for resilience.
  • Config data is encrypted with the xxtea algorithm using the key PJbiNbbeasddDfsc, making IOC extraction harder.
  • C2 discovery relies on DNS workflows: the C2 domain is decrypted, then resolved via DNS queries (OpenNIC or ICANN paths).
  • Network protocol follows a four-stage process, including key/nonce exchange via ChaCha20 and multi-round authenticated traffic, with a 22-port initial contact surface.
  • Fodcha includes sandbox/debugger checks to evade emulation and debugging environments before it runs its main logic.
  • The DDoS capability spans 17 attack methods, with evidence of global targets and sustained, high-volume traffic, including at least one 1 Tbps event.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Data – Fodcha encrypts its configuration with the xxtea algorithm and a hardcoded key, concealing settings. [translated quote in English: “xxtea algorithm, the key PJbiNbbeasddDfsc.”]
  • [T1497] Sandbox Evasion – The sample performs checks on runtime parameters, network connectivity, LD_PRELOAD, and debugger status, exiting if not satisfied. [translated quote in English: “checks include runtime parameters, network connectivity, whether LD_PRELOAD is set, and whether it is being debugged.”]
  • [T1071.004] Application Layer Protocol: DNS – After decrypting C2 data, the bot uses DNS_QUERY to resolve OpenNIC/ICANN C2 domains. [translated quote in English: “C2_GET to obtain a C2 domain name, then DNS_QUERY to resolve it.”]
  • [T1483] Domain Generation Algorithms – Fodcha constructs multiple C2 domains (OpenNIC 14 domains and ICANN 4 domains) from decrypted data. [translated quote in English: “There’re 14 OpenNIC C2” and “4 ICANN C2.”]
  • [T1036] Masquerading – The malware employs process-name spoofing and other disguise techniques to blend in with host processes. [translated quote in English: “process name spoofing.”]
  • [T1499] Endpoint Denial of Service – Fodcha expands DoS capacity with thousands of bots and multi-vector campaigns, including a reported 1 Tbps scale. [translated quote in English: “attack volume exceeds 1 Tbps.”]
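The keypoint on config encryption and the T1027 entry above both mention that the configuration is protected with xxtea and the key PJbiNbbeasddDfsc. The following is an added analyst-side example, not code from the 360Netlab post or from the malware: a plain-Python implementation of standard XXTEA (Corrected Block TEA, delta 0x9E3779B9, 6 + 52/n rounds) that decrypts a config blob with the reported key and splits it into fields. The little-endian word order, the NUL padding, and the newline-separated field layout are assumptions made for the example (the summary does not describe Fodcha's actual blob layout), and the sample blob is constructed here by encrypting two of the reported C2 domains so the decryption path can be run offline.

```python
import struct

# Standard XXTEA (Corrected Block TEA, Wheeler & Needham) constants.
DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

# Key reported in the 360Netlab write-up (16 bytes = four 32-bit key words).
FODCHA_XXTEA_KEY = b"PJbiNbbeasddDfsc"


def _words(data: bytes) -> list:
    """Little-endian uint32 view of a byte string (byte order is an assumption)."""
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _mx(total: int, y: int, z: int, p: int, e: int, k: list) -> int:
    # XXTEA mixing function. Masking once at the end matches C's uint32
    # wrap-around because only ^ and + are applied to the shifted values.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """Encrypt a 4-byte-aligned buffer of at least 8 bytes with a 16-byte key."""
    k, v = _words(key), _words(data)
    n = len(v)
    rounds, total, z = 6 + 52 // n, 0, v[n - 1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return struct.pack("<%dI" % n, *v)


def xxtea_decrypt(data: bytes, key: bytes) -> bytes:
    """Inverse of xxtea_encrypt; this is the direction an analyst runs on a blob."""
    k, v = _words(key), _words(data)
    n = len(v)
    rounds = 6 + 52 // n
    total, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return struct.pack("<%dI" % n, *v)


def pack_config(entries: list) -> bytes:
    """Constructed config layout: newline-separated strings, NUL-padded to a
    multiple of 4 bytes and to at least 8 bytes (XXTEA needs n >= 2 words).
    Fodcha's real field layout is not given in the summary."""
    raw = "\n".join(entries).encode()
    raw += b"\x00" * ((-len(raw)) % 4)
    if len(raw) < 8:
        raw += b"\x00" * (8 - len(raw))
    return raw


def decrypt_config(blob: bytes, key: bytes = FODCHA_XXTEA_KEY) -> list:
    """Decrypt an XXTEA config blob and split it back into its string fields."""
    plain = xxtea_decrypt(blob, key).rstrip(b"\x00")
    return plain.decode().split("\n")


# Constructed sample: two C2 domains from the report plus a made-up port
# value, encrypted here so the decryption path can be exercised offline.
SAMPLE_ENTRIES = ["techsupporthelpars.oss", "cookiemonsterboob.com", "443"]
SAMPLE_BLOB = xxtea_encrypt(pack_config(SAMPLE_ENTRIES), FODCHA_XXTEA_KEY)

if __name__ == "__main__":
    for field in decrypt_config(SAMPLE_BLOB):
        print(field)
```

When applying this to a real sample, the two things to verify first are the word byte order and where the blob starts and ends in the binary; if either assumption is wrong the output is noise rather than a clean error, so check that the decrypted bytes are printable before trusting any extracted IOC.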

Indicators of Compromise

  • [Domain] C2 and reporter domains – OpenNIC C2 domains: techsupporthelpars.oss, yellowchinks.geek, yellowchinks.dyn, wearelegal.geek, funnyyellowpeople.libre, chinksdogeaters.dyn, blackpeeps.dyn, pepperfan.geek, chinkchink.libre, peepeepoo.libre, respectkkk.geek, bladderfull.indy, tsengtsing.libre, obamalover.pirate; ICANN C2: cookiemonsterboob.com, forwardchinks.com, doodleching.com, milfsfors3x.com; Reporter: kvsolutions.ru, icarlyfanss.com; OpenNIC API: api.opennicproject.org
  • [IP] C2 and related infrastructure – sample IPs: 91.206.93.243, 91.149.232.129, 91.149.232.128, 91.149.222.133, 91.149.222.132, 67.207.84.82, 54.37.243.73, 51.89.239.122, 51.89.238.199
  • [MD5] Sample hashes – ea7945724837f019507fd613ba3e1da9, 899047ddf6f62f07150837aef0c1ebfb, 0f781868d4b9203569357b2dbc46ef10
  • [Domain] OpenNIC/NIC DNS-related domains – api.opennicproject.org (used in DNS workflows)
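Because the bot resolves its C2 over DNS and the primary C2 domains live on OpenNIC TLDs that ICANN resolvers cannot answer, DNS query logs are the natural place to look for infected hosts. The following is an added detection example, not code from the 360Netlab post: it scans resolver log lines for the C2 and reporter domains listed above and for any query whose TLD is one of the OpenNIC TLDs seen in that list (.oss, .geek, .dyn, .libre, .indy, .pirate). The log line format and the sample lines are constructed for the example; adapt the regular expression to your resolver's actual format.

```python
import re
from collections import Counter

# C2 domains listed in the IOC section of the summary (OpenNIC and ICANN).
FODCHA_C2_DOMAINS = {
    "techsupporthelpars.oss", "yellowchinks.geek", "yellowchinks.dyn",
    "wearelegal.geek", "funnyyellowpeople.libre", "chinksdogeaters.dyn",
    "blackpeeps.dyn", "pepperfan.geek", "chinkchink.libre", "peepeepoo.libre",
    "respectkkk.geek", "bladderfull.indy", "tsengtsing.libre", "obamalover.pirate",
    "cookiemonsterboob.com", "forwardchinks.com", "doodleching.com", "milfsfors3x.com",
}
# Reporter domains and the OpenNIC API endpoint from the same IOC list.
FODCHA_SUPPORT_DOMAINS = {"kvsolutions.ru", "icarlyfanss.com", "api.opennicproject.org"}

# OpenNIC TLDs that appear in the C2 list above. A normal ICANN resolver
# returns NXDOMAIN for these, so a query for one is unusual by itself.
OPENNIC_TLDS = {"oss", "geek", "dyn", "libre", "indy", "pirate"}

# Constructed log line format (not any particular resolver's):
#   "<timestamp> <client_ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_query(qname: str):
    """Return a reason string if the query should be alerted on, else None."""
    name = qname.rstrip(".").lower()
    if name in FODCHA_C2_DOMAINS:
        return "known Fodcha C2 domain"
    if name in FODCHA_SUPPORT_DOMAINS:
        return "Fodcha reporter/OpenNIC API domain"
    if name.rsplit(".", 1)[-1] in OPENNIC_TLDS:
        return "query for an OpenNIC TLD"
    return None


def scan_dns_log(lines):
    """Return (client_ip, qname, reason) for every suspicious query; skip
    lines that do not match the expected format."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        reason = classify_query(qname)
        if reason:
            alerts.append((client, qname.rstrip(".").lower(), reason))
    return alerts


def hosts_by_alert_count(alerts):
    """Rank client IPs by how many suspicious queries they issued."""
    return Counter(client for client, _q, _r in alerts)


# Constructed sample log: timestamps, client IPs and the benign names are made up.
SAMPLE_LOG = [
    "2000-01-01T08:00:01Z 10.0.4.21 www.example.com A",
    "2000-01-01T08:00:02Z 10.0.4.21 techsupporthelpars.oss A",
    "2000-01-01T08:00:03Z 10.0.4.21 api.opennicproject.org A",
    "2000-01-01T08:00:04Z 10.0.4.37 cookiemonsterboob.com. A",
    "2000-01-01T08:00:05Z 10.0.4.52 something-else.geek A",
    "2000-01-01T08:00:06Z 10.0.4.52 mail.example.org MX",
    "not a log line",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for client, qname, reason in found:
        print(f"{client}\t{qname}\t{reason}")
    print(hosts_by_alert_count(found).most_common())
```

The TLD rule is deliberately broader than the IOC list: new Fodcha versions rotate C2 domains, but the design described in the summary (OpenNIC primary, ICANN backup) means a host that suddenly queries OpenNIC TLDs or api.opennicproject.org deserves a look even when the exact domain is not yet on a list. Expect some legitimate OpenNIC users in environments where people run alternative resolvers, so treat the TLD rule as a triage signal rather than a block rule.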

Read more: https://blog.netlab.360.com/ddosmonster_the_return_of__fodcha_cn/