Fodcha is a rapidly spreading DDoS botnet tracked by CNCERT and 360Netlab, with more than 10,000 live bots a day and hundreds of victims, using ChaCha20 encryption and a dual C2 infrastructure. It propagates via NDay vulnerabilities and Telnet/SSH brute force, decrypts its configuration with layered XOR, and completes a five-step C2 handshake before accepting attack commands; the researchers publish extensive IoCs and sample analyses. #Fodcha #folded.in #fridgexperts.cc #Crazyfia
Keypoints
- Fodcha botnet activity showed a large global presence with more than 62,000 unique bots (IPs) between late March and early April 2022, and daily activity around 10,000 bots.
- In China, bots originate mainly from Shandong, Liaoning, and Zhejiang, with primary service providers being China Unicom, China Telecom, and China Mobile.
- The spread relies on NDay vulnerabilities and weak Telnet/SSH passwords, aided by a brute-force tool (Crazyfia) used to install Fodcha on vulnerable devices.
- The analysis covers two versions (v1 and v2): v1 carries its C2 domain folded.in in plaintext, while v2 stores its C2 domain fridgexperts.cc encrypted. v1's domain resolves to many IPs (1:N), and v2's A-record IPs map to C2 ports in an N:10 relationship, which points to both load balancing and C2 concealment.
- Fodcha protects key configuration data such as C2 addresses with a multiple-XOR scheme and decrypts it at runtime before contacting the C2.
- A complex five-step network handshake accompanies C2 communication, followed by commands like Heartbeat, DDoS, and Exit; the C2 infrastructure shifted around March 19, 2022, to multiple IPs and cloud providers across several countries.
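The layered-XOR config protection above, as an added example (not code from the Netlab article and not the sample's real routine): the key bytes, the number of passes and the config layout are assumptions chosen for illustration. The block builds a test blob with the same passes, peels them back, and runs a `strings`-style pass over both buffers to show why the C2 domain is invisible until the layers are removed.

```python
"""Layered (multiple-) XOR config decryption, as an analyst would reimplement
it from a sample. Added example: XOR_KEYS, the pass count and SAMPLE_CONFIG
are assumptions for illustration, not Fodcha's real values.
"""
from typing import Iterable, List

# ASSUMED keys: each pass XORs the whole buffer with one repeating key.
XOR_KEYS = (b"\x3b", b"\x58\x2f", b"\x8a\x11\x47")


def xor_pass(buf: bytes, key: bytes) -> bytes:
    """XOR buf with key repeated to buf's length. XOR is its own inverse,
    so the same call both applies and removes one layer."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def encrypt_config(plain: bytes, keys: Iterable[bytes] = XOR_KEYS) -> bytes:
    """Apply the passes in order (used here only to build a test blob)."""
    out = plain
    for key in keys:
        out = xor_pass(out, key)
    return out


def decrypt_config(blob: bytes, keys: Iterable[bytes] = XOR_KEYS) -> bytes:
    """Peel the layers in reverse order. Pure XOR passes commute, so the order
    does not matter here, but reversing is the safe habit for schemes that
    mix XOR with other transforms."""
    out = blob
    for key in reversed(tuple(keys)):
        out = xor_pass(out, key)
    return out


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like `strings`.
    Run on the decrypted buffer this surfaces the C2 domain and paths."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


# Constructed sample config using the domains and path named in the article;
# the blob is fabricated here by encrypt_config, not carved from a real sample.
SAMPLE_CONFIG = b"folded.in\x00fridgexperts.cc\x00/bins/arm\x00"
ENCRYPTED_SAMPLE = encrypt_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    print("ciphertext strings:", extract_strings(ENCRYPTED_SAMPLE))
    print("decrypted strings :", extract_strings(decrypt_config(ENCRYPTED_SAMPLE)))
```

With the assumed keys every sixth byte position ends up XORed with a value whose high bit is set, so no printable run of four or more bytes survives in the ciphertext; that is the practical reason static `strings` runs miss the C2 and the config has to be decrypted (or dumped from memory) first.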
MITRE Techniques
- [T1190] Exploit Public-Facing Application – "Fodcha is mainly spreading through the following NDay vulnerabilities and Telnet/SSH weak passwords."
- [T1110] Brute Force – "a brute-force cracking tool we named Crazyfia appears on the same downloader server of Fodcha... The scan results of this tool will be used by the Fodcha author to install Fodcha samples on the vulnerable devices."
- [T1027] Obfuscated/Compressed Files and Information – "Fodcha uses a multiple-Xor encryption method to protect its key configurations such as C2 data."
- [T1105] Ingress Tool Transfer – the article lists multiple "Download Links" for the bot binaries (see the URLs under Indicators of Compromise).
- [T1071.004] Application Layer Protocol: DNS – the C2 is located through DNS resolution of its domain: "the DNS A record IP of the C2 domain corresponds to the PORT of N:10."
Indicators of Compromise
- [MD5 Hashes] – Example hashes: 0e3ff1a19fcd087138ec85d5dba59715, 1b637faa5e424966393928cd6df31849, and 2 more hashes.
- [Domains] – C2 domains: folded.in, fridgexperts.cc.
- [IPs] – Downloader/Command servers: 139.177.195.192, 162.33.179.171.
- [URLs] – Download links: http://139.177.195.192/bins/arm, http://31.214.245.253/bins/arm.
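An offline matcher for the indicators listed above, as an added example (not tooling from the Netlab article). The indicator values are the ones on this page; the log lines, their field names (dns/proxy/edr) and the regexes are constructed for the demo. Hosts of the listed download URLs are folded into the IP set, since 31.214.245.253 appears on the page only inside a URL, and domain matching is exact-or-subdomain so that a look-alike such as notfridgexperts.cc does not fire.

```python
"""Match Fodcha IoCs from this page against log lines. Added example;
SAMPLE_LOGS and the log format are constructed, not real telemetry."""
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlparse

IOC_MD5 = {"0e3ff1a19fcd087138ec85d5dba59715", "1b637faa5e424966393928cd6df31849"}
IOC_DOMAINS = {"folded.in", "fridgexperts.cc"}
IOC_IPS = {"139.177.195.192", "162.33.179.171"}
IOC_URLS = {"http://139.177.195.192/bins/arm", "http://31.214.245.253/bins/arm"}

# A downloader URL also implicates its host: fold URL hosts into the IP set
# (or the domain set if the host is a name).
for _u in IOC_URLS:
    _host = (urlparse(_u).hostname or "").lower()
    try:
        ipaddress.ip_address(_host)
        IOC_IPS.add(_host)
    except ValueError:
        IOC_DOMAINS.add(_host)

RE_MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
RE_URL = re.compile(r"https?://[^\s\"'<>]+")
RE_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RE_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(host: str) -> bool:
    """Exact or subdomain match only; 'notfridgexperts.cc' must not hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def indicators_in(line: str) -> Set[Tuple[str, str]]:
    """All (kind, value) indicator hits in one log line, deduplicated."""
    hits: Set[Tuple[str, str]] = set()
    for h in RE_MD5.findall(line):
        if h.lower() in IOC_MD5:
            hits.add(("md5", h.lower()))
    for u in RE_URL.findall(line):
        if u in IOC_URLS:
            hits.add(("url", u))
        host = (urlparse(u).hostname or "").lower()
        if host in IOC_IPS:
            hits.add(("ip", host))
        elif domain_matches(host):
            hits.add(("domain", host))
    for ip in RE_IP.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for d in RE_DOMAIN.findall(line):
        if domain_matches(d):
            hits.add(("domain", d.lower()))
    return hits


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per hit: {"line": 1-based index, "kind", "value"}."""
    out: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for kind, value in sorted(indicators_in(line)):
            out.append({"line": n, "kind": kind, "value": value})
    return out


# Constructed log lines (not real data): a DNS lookup of the v1 C2, two
# downloader fetches, an EDR hash report, a look-alike domain, and noise.
SAMPLE_LOGS = [
    "2022-04-01T10:02:11Z dns client=10.0.0.5 query=folded.in type=A",
    "2022-04-01T10:02:12Z proxy client=10.0.0.5 url=http://139.177.195.192/bins/arm status=200",
    "2022-04-01T10:02:13Z proxy client=10.0.0.7 url=http://31.214.245.253/bins/mips status=200",
    "2022-04-01T10:03:00Z edr host=cam-12 file=/tmp/arm md5=0e3ff1a19fcd087138ec85d5dba59715",
    "2022-04-01T10:03:05Z dns client=10.0.0.9 query=notfridgexperts.cc type=A",
    "2022-04-01T10:04:00Z proxy client=10.0.0.9 url=http://example.com/update.bin status=200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']}")
```

The third constructed line fetches a different path from a listed downloader host; it is reported as an IP hit rather than a URL hit, which is the behaviour you want when the operator rotates filenames (bins/arm, bins/mips) on the same server.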
Read more: https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/