New MDBotnet Unleashes DDoS Attacks – Cyble

CRIL (Cyble Research and Intelligence Labs) uncovered MDBotnet, a Russian-linked malware strain designed to carry out DDoS attacks using HTTP and SYN flood techniques. The malware uses a multi-stage update and persistence mechanism: it downloads an updater and a bot component from its C2 server, and then executes C2-issued commands to perform ongoing attacks. Hashtags: #MDBotnet #SlavaRussia

Key points

  • MDBotnet was discovered on a cybercrime forum and is linked to a Russian threat actor.
  • The sample is a GUI-based 32-bit .NET executable named SlavaRussia.exe that performs DDoS-related functions.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The malware downloads the Updater.exe and svhost.exe from the C2. “The ‘Updater.exe’ file is responsible for downloading the most recent version of the MDBotnet executable (‘svhost.exe’) from the server.”
  • [T1547] Registry Run Keys / Startup Folder – Persistence is achieved by creating a registry key to auto-launch svhost.exe at startup. “Persistence: Then, the botnet creates a registry key that ensures the ‘svhost.exe’ runs automatically during startup.”
  • [T1497] Masquerading – The main MDBotnet binary is named SlavaRussia.exe, indicating intentional disguise. “The main function of the MDBotnet executable, named ‘SlavaRussia.exe,’ is responsible for performing the malicious activities…”
  • [T1057] Process Discovery – The malware retrieves the path of the %APPDATA% folder to locate Updater.exe. “the malware retrieves the path of the %appdata% folder and verifies the presence of a specific file named ‘Updater.exe’ within that directory.”
  • [T1012] Query Registry – Discovery includes registry queries as part of reconnaissance. “Discovery: Process Discovery; Query Registry; File and Directory Discovery.”
  • [T1083] File and Directory Discovery – The malware discovers files on the system (e.g., checking for Updater.exe in AppData). The report lists “File and Directory Discovery” alongside its other discovery techniques.
  • [T1571] Non-Standard Port – C2 communication occurs on a non-standard port (212.109.199.128:4202). The report's IOC table lists the C2 under “IP: Port” as 212.109.199.128:4202.

Indicators of Compromise

  • [MD5] 46a3d4f752c48faa8b615d58d6160f25 – SlavaRussia.exe (MDBotnet)
  • [SHA1] c0b83405c5c9e238c2cd3bc0fc2def2a3901c966 – SlavaRussia.exe (MDBotnet)
  • [SHA256] ae582545c3196afa5ac6419db9d57b11633e8282f29e3cd48fe31b9dd250a963 – SlavaRussia.exe (MDBotnet)
  • [IP] 212.109.199.128:4202 – C2
  • [File Name] SlavaRussia.exe – main MDBotnet binary
  • [File Name] svhost.exe – MDBotnet component downloaded by Updater.exe
  • [File Name] Updater.exe – MDBotnetUpdater used to fetch latest svhost.exe
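The following hunting script is an added example, not code from the Cyble report, that turns the indicators above and the persistence and C2 behaviour described under MITRE Techniques into host-level checks. It matches three kinds of telemetry against the page's IoCs: file digests against the listed MD5/SHA1/SHA256 hashes, Run-key command lines whose executable is one of the named MDBotnet files, and outbound connections to the listed C2 IP and port. The telemetry shape (path/digest pairs, a value-name-to-command dictionary, and ip/port tuples) and the assumption that the autostart entry lives under a Run key of the form HKCU\Software\Microsoft\Windows\CurrentVersion\Run are the example's own; the report only says a registry key auto-launches svhost.exe. The sample telemetry at the bottom is constructed for illustration.

```python
"""Added hunting example for MDBotnet indicators (not from the Cyble report)."""
import ntpath
from typing import Dict, Iterable, List, Tuple

# Indicators copied verbatim from the IoC list above.
MDBOTNET_HASHES = {
    "46a3d4f752c48faa8b615d58d6160f25",                                  # MD5
    "c0b83405c5c9e238c2cd3bc0fc2def2a3901c966",                          # SHA1
    "ae582545c3196afa5ac6419db9d57b11633e8282f29e3cd48fe31b9dd250a963",  # SHA256
}
C2_ENDPOINT = ("212.109.199.128", 4202)
# Note the lookalike: svhost.exe (no 'c') is not the legitimate Windows svchost.exe.
MDBOTNET_FILENAMES = {"slavarussia.exe", "svhost.exe", "updater.exe"}

Finding = Tuple[str, str]  # (indicator kind, detail)


def _executable_of(command: str) -> str:
    """Return the lower-cased basename of the program a Run-key command launches.
    Handles both quoted paths ("C:\\a b\\x.exe" /arg) and bare paths (x.exe /arg)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split()[0] if command else ""
    return ntpath.basename(path).lower()


def check_hashes(files: Iterable[Tuple[str, str]]) -> List[Finding]:
    """files: (path, hex digest) pairs from a file inventory; any algorithm
    listed in MDBOTNET_HASHES is accepted."""
    return [("hash", path) for path, digest in files
            if digest.lower() in MDBOTNET_HASHES]


def check_run_keys(values: Dict[str, str]) -> List[Finding]:
    """values: Run-key value name -> command line (assumed source:
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)."""
    return [("run_key", f"{name} -> {command}")
            for name, command in values.items()
            if _executable_of(command) in MDBOTNET_FILENAMES]


def check_connections(conns: Iterable[Tuple[str, int]]) -> List[Finding]:
    """conns: (remote_ip, remote_port) pairs, e.g. from a netstat export."""
    return [("c2", f"{ip}:{port}") for ip, port in conns
            if (ip, port) == C2_ENDPOINT]


def hunt(telemetry: Dict[str, object]) -> List[Finding]:
    """Run all three checks over one host's telemetry and return the findings."""
    findings: List[Finding] = []
    findings += check_hashes(telemetry.get("files", []))
    findings += check_run_keys(telemetry.get("run_keys", {}))
    findings += check_connections(telemetry.get("connections", []))
    return findings


# Constructed sample telemetry: one benign and one matching record per source.
SAMPLE_TELEMETRY = {
    "files": [
        (r"C:\Users\victim\Downloads\SlavaRussia.exe",
         "ae582545c3196afa5ac6419db9d57b11633e8282f29e3cd48fe31b9dd250a963"),
        (r"C:\Windows\System32\svchost.exe", "0" * 64),  # placeholder benign digest
    ],
    "run_keys": {
        "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "svhost": r'"C:\Users\victim\AppData\Roaming\svhost.exe"',
    },
    "connections": [
        ("140.82.112.3", 443),
        ("212.109.199.128", 4202),
    ],
}

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_TELEMETRY):
        print(f"[{kind}] {detail}")
```

Running the script against the constructed telemetry reports one finding of each kind: the SlavaRussia.exe download by SHA256, the Run-key entry launching svhost.exe from %APPDATA%\Roaming, and the connection to 212.109.199.128:4202. Real deployments would feed the functions from a file-hash inventory, a Run-key export and a connection table collected by an EDR or a collection script; the hash check is the most brittle of the three, since any recompiled sample changes the digest, while the Run-key and C2 checks follow the behaviour the report describes.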

Read more: https://blog.cyble.com/2023/05/23/new-mdbotnet-unleashes-ddos-attacks/