Keypoints
- NoName057 has been active since March 2022, focusing its DDoS attacks on targets it views as holding anti‑Russian sentiment.
- In November 2024 they collaborated with other pro‑Russian groups to attack South Korean government websites after remarks about weapons supplies to Ukraine.
- The group leverages an automated botnet tool named DDoSia to orchestrate and scale attacks.
- DDoSia requires a client_id.txt for authentication and connects to frequently changing command‑and‑control servers.
- C&C commands observed include http, http2, tcp, and nginx_loris, and the C&C uses random User‑Agent strings to evade detection.
- Participants in attacks are incentivized with cryptocurrency rewards for successful participation.
- NoName057 promotes and coordinates operations through a popular Telegram channel.
MITRE Techniques
- [T1071] Command and Control – Uses multiple command and control domains/servers to maintain communication with bots and issue attack commands (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
- [T1498] Network Denial of Service – Executes distributed denial-of-service operations (DDoS) to disrupt web services and exert pressure (‘Conducts DDoS attacks to disrupt services and cause chaos.’)
Indicators of Compromise
- [IP] C&C / attack infrastructure examples – 45.152.115.205, 62.60.237.103, and 2 more IPs
- [File Hash] DDoSia samples and related binaries – 0d5cac778ec1f9a1471e0d78742d3fe9, 161b8fcfc27636c51890a7c84644844a, and 3 more hashes
- [File Name] Bot authentication artifact – client_id.txt (used by DDoSia for authentication to C&C)
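The indicators above are only useful if someone actually sweeps for them, so here is an added defender-side example (not code from the summary or from the AhnLab article) that matches the two C&C IPs, the two MD5 hashes, and the client_id.txt file name spelled out above against constructed inputs. The log lines, the host names, and the temporary directory layout are all constructed for the demonstration; the "2 more IPs" and "3 more hashes" the summary elides are not guessed at.

```python
"""Sweep logs, files, and directory trees for the DDoSia indicators listed above."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the summary above (only the values it spells out).
CNC_IPS = {"45.152.115.205", "62.60.237.103"}
SAMPLE_MD5S = {
    "0d5cac778ec1f9a1471e0d78742d3fe9",
    "161b8fcfc27636c51890a7c84644844a",
}
AUTH_ARTIFACT = "client_id.txt"  # file DDoSia needs to authenticate to its C&C

# Constructed sample firewall log lines (not real traffic); src hosts are invented.
SAMPLE_LOG = """\
2024-11-08T10:01:12Z src=10.0.0.14 dst=45.152.115.205 dport=443 proto=tcp action=allow
2024-11-08T10:01:13Z src=10.0.0.14 dst=142.250.74.36 dport=443 proto=tcp action=allow
2024-11-08T10:02:40Z src=10.0.0.27 dst=62.60.237.103 dport=80 proto=tcp action=allow
2024-11-08T10:03:05Z src=10.0.0.14 dst=8.8.8.8 dport=53 proto=udp action=allow
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_cnc_connections(log_text: str) -> list[tuple[str, str, int]]:
    """Return (src, dst, dport) for every line whose destination is a listed C&C IP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst") in CNC_IPS:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def internal_hosts_contacting_cnc(log_text: str) -> list[str]:
    """Distinct internal hosts that reached any listed C&C IP (candidates for triage)."""
    return sorted({src for src, _, _ in find_cnc_connections(log_text)})


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the file content hashes to one of the listed DDoSia sample MD5s."""
    return md5_of(data) in SAMPLE_MD5S


def find_auth_artifacts(root: Path) -> list[str]:
    """Walk a directory tree for files named client_id.txt (the bot's auth artifact)."""
    return sorted(str(p.relative_to(root)) for p in root.rglob(AUTH_ARTIFACT) if p.is_file())


def demo_artifact_scan() -> list[str]:
    """Build a constructed temp tree with one real hit and one decoy, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools" / "ddosia").mkdir(parents=True)
        (root / "tools" / "ddosia" / AUTH_ARTIFACT).write_text("constructed-id\n")
        (root / "tools" / "client_id.txt.bak").write_text("decoy, wrong name\n")
        (root / "docs").mkdir()
        (root / "docs" / "readme.txt").write_text("nothing here\n")
        return find_auth_artifacts(root)


if __name__ == "__main__":
    print("C&C connections:", find_cnc_connections(SAMPLE_LOG))
    print("hosts to triage:", internal_hosts_contacting_cnc(SAMPLE_LOG))
    print("client_id.txt found at:", demo_artifact_scan())
    print("known sample?", is_known_sample(b"not a DDoSia binary"))
```

Hash and IP matching is the cheap first pass; because the C&C servers change frequently and the client randomizes its User-Agent, a hit on the file name or on an outbound connection pattern is worth more over time than any single IP in the list.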
Read more: https://asec.ahnlab.com/en/84531/