NSFOCUS researchers describe a new botnet family, RDDoS, that can both execute commands and launch DDoS attacks, primarily using ICMP floods, with online parameters used to distinguish infected devices from sandboxes. The report details target distribution (US, Brazil, France) and a step-by-step instruction flow, highlighting sandbox detection and a simple, modular attack mechanism. #RDDoS #NSFOCUS #ICMP_flood #DDoS #UnitedStates #Brazil #France
Keypoints
- RDDoS is a newly identified botnet family built to perform DDoS attacks and to execute commands.
- ICMP flood is the dominant attack method, used around 80% of the time, with attacks occurring continuously.
- Target distribution shows the United States as the top target, followed by Brazil and France.
- RDDoS differentiates infected devices from sandboxes using online parameters and attacker-issued content.
- Host behavior includes changing to the root directory, creating a sub-process, and continuing operations in that sub-process.
- Instruction processing relies on specific first-byte values to control flow, including command execution via /bin/sh and triggering DDoS actions.
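Since ICMP flood is the family's dominant attack method, the most useful thing a defender can build from these keypoints is a rate check on outbound echo requests. The following is an added example, not code from the NSFOCUS report: it parses constructed packet-summary log lines (the log format, the IP addresses and the 30-requests-per-second threshold are all assumptions chosen for illustration) and flags any source that sends more echo requests to a single destination within a sliding one-second window than the threshold allows.

```python
"""Sliding-window ICMP echo-request rate check over constructed log lines.

Added example for the RDDoS keypoints above; not the report's own tooling.
The log format below is invented for the demo: "<epoch> ICMP <src> > <dst> type=<n>".
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional, Tuple

ICMP_ECHO_REQUEST = 8  # type 8 = echo request; type 0 = echo reply

# Constructed sample log: one benign host pinging once per second, one source
# emitting 50 echo requests per second for four seconds, and the target's replies.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + t:.3f} ICMP 10.0.0.5 > 203.0.113.10 type=8" for t in range(10)]
    + [
        f"{1700000000 + t + i / 50:.3f} ICMP 198.51.100.7 > 203.0.113.10 type=8"
        for t in range(4)
        for i in range(50)
    ]
    + [f"{1700000000 + t:.3f} ICMP 203.0.113.10 > 10.0.0.5 type=0" for t in range(10)]
)

Record = Tuple[float, str, str, int]  # (timestamp, src_ip, dst_ip, icmp_type)


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line of the assumed format; return None for non-ICMP lines."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "ICMP" or parts[3] != ">":
        return None
    ts, _, src, _, dst, type_field = parts
    if not type_field.startswith("type="):
        return None
    return float(ts), src, dst, int(type_field[len("type="):])


def detect_icmp_flood(
    lines: Iterable[str], window_seconds: float = 1.0, threshold: int = 30
) -> Dict[str, float]:
    """Return {src_ip: timestamp_first_flagged} for sources whose echo requests to
    any single destination exceed `threshold` within a sliding `window_seconds`.

    Records are sorted by timestamp so out-of-order log lines do not break the window.
    """
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    records.sort()
    windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    flagged: Dict[str, float] = {}
    for ts, src, dst, icmp_type in records:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue  # replies and other ICMP types do not count toward the flood
        q = windows[(src, dst)]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    hits = detect_icmp_flood(SAMPLE_LOG.splitlines())
    for src, ts in hits.items():
        print(f"possible ICMP flood from {src}, first exceeded threshold at {ts:.3f}")
```

A threshold of 30 echo requests per second per (source, destination) pair is far above anything a monitoring ping emits, so the benign host in the sample never trips it, while the flooding source is flagged within the first second. In production the same logic would run over flow or packet-capture summaries rather than the constructed lines embedded here.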
MITRE Techniques
- [T1059] Command and Scripting Interpreter - Executes attacker-issued commands through a shell: "the bot executes the corresponding command through /bin/sh."
- [T1059.004] Unix Shell - Uses /bin/sh to run commands for attacker-controlled actions: "the bot executes the corresponding command through /bin/sh."
- [T1497] Virtualization/Sandbox Evasion - Detects sandbox environments via its online-parameter handling: "'unknown' string will be spliced into the online content, indicating that the Trojan may be in a sandbox environment."
Indicators of Compromise
- [SHA256] RDDoS sample - 09b8159120088fea909b76f00280e3ebca23a54f2b41d967d0c89ebb82debdbf
- [MD5] RDDoS sample - 7ca0663c88c59b83f26b6ae8664d189a
Read more: https://nsfocusglobal.com/nsfocus-reveals-new-botnet-family-rddos/