Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks – Avast Threat Labs

Avast Threat Labs details Bobik, a .NET Remote Access Trojan that now functions as a DDoS module within a botnet used by the pro-Russian group NoName057(16) to target Ukraine and nearby countries. The report maps the botnet’s C2 infrastructure, the multi-stage deployment chain, target selection, and observed impact, tying the activity to NoName057(16) and outlining defensive implications. #Bobik #NoName057(16) #RedLineStealer #DDoS #Killnet

Keypoints

  • NoName057(16) is identified as the operator behind Bobik’s DDoS campaigns, targeting Ukraine, neighboring states, and countries with anti-Russian views.
  • Bobik is a .NET RAT that now includes a DDoS module and propagates via a botnet built with RedLine Stealer Cryptic as the dropper.
  • Bobik’s C2s and HTTP-based communications are hosted on Russian and Romanian servers; several production servers exist, with one development server also noted.
  • The deployment chain involves Bobik’s Updater dropped by RedLine Stealer Cryptic, which then drops Bobik’s RuntimeBroker and persists to enable attacks.
  • XML-based C2 configuration defines DDoS targets and is updated multiple times per day; requests to C2 use a simple unsecured HTTP protocol.
  • Observed attacks include high-profile targets (Estonia central bank, Lithuanian and Polish targets, Polish government sites, and Poznań-Ławica Airport) with a reported but variable success rate (roughly 25–40%).
  • Avast’s telemetry suggests a botnet of a few hundred bots, likely thousands in the wild, with many targets protected by anti-DDoS measures or moving to cloud-based defenses.

MITRE Techniques

  • [T1071] Web Protocols – The bots communicate with C2 over HTTP via unsecured requests; “The communication between Bobik bots and the C&C servers is mediated using a simple unsecured HTTP request and response via the Nginx web server.”
  • [T1055] Process Injection – Bobik’s RuntimeBroker is injected into another process; “injected into the newly created process of the .NET ClickOnce Launch Utility (AppLaunch.exe)”.
  • [T1027] Obfuscated/Compressed Files and Information – The RedLine Stealer Cryptic installer deobfuscates the .NET payload and helps drop Bobik components; “The RedLine Stealer Cryptic (installer) deobfuscates the .NET payload of Bobik’s Updater…”
  • [T1105] Ingress Tool Transfer – The final DDoS module deployment flows through Bobik’s Updater dropped by RedLine Stealer; “The first executes Bobik’s Updater via a RedLine Stealer bot. In the second stage, Bobik’s Updater extracts and drops the final DDoS module…”
  • [T1082] System Information Discovery – Bobik collects system information to generate a victim-specific ID used in communications; “Win32_DiskDrive, Win32_Processor, Win32_BaseBoard, etc.”
  • [T1056.001] Keylogging – Bobik’s spyware includes keylogging among its capabilities; “spyware functionalities include keylogging, running and terminating processes, collecting system information, downloading/uploading files…”

Indicators of Compromise

  • [IP Address] – 2.57.122.243 (Romania) — last active Bobik C2 server; DNS records include v9agm8uwtjmz.sytes.net and q7zemy6zc7ptaeks.servehttp.com
  • [IP Address] – 2.57.122.82 (Romania) — another C2 server; communication deactivated around July 14, 2022; now responds with HTTP 502; same DNS records as Server 1
  • [IP Address] – 77.232.41.206 (Russia) — early Bobik C2 server; ports 80/443 observed; offline for botnet use
  • [IP Address] – 109.107.181.130 (Russia) — suspected development C2 server; active since April; listening on port 5001
  • [Domain] – v9agm8uwtjmz.sytes.net; q7zemy6zc7ptaeks.servehttp.com — DNS records used by C2s
  • [Domain] – sytes.net, servehttp.com — DNS domains observed in C2 infrastructure
  • [Hash] – AEF97F87751C863548359181B65B60EE86A7D44724040229CDE4622C99AB0B59; 67F5318073F09F03E762BF727015384589F00282EA26B1798C10581B8DC27F52; B5B72AEBEC4E2E9EE0DAC37AC77EBFB679B6EC6D7EE030062ED9064282F404A7 — example SHA-256 identifiers used in update requests
  • [URL] – http://2.57.122.82/d380f816-7412-400a-9b64-78e35dd51f6e/update?id=AEF97F87751C863548359181B65B60EE86A7D44724040229CDE4622C99AB0B59&v=17&pr=1
  • [Port] – 80, 443, 5001 — ports used by C2 servers and development server
  • [Certificate] – self-signed certificates on C2 servers
  • [File] – RuntimeBroker.exe, Updater.exe, and other Bobik components deployed via the XML config
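As an added example (not code from the report or from Avast), the Python detector below applies the C2 communication details from the MITRE section and the indicators above to proxy log lines: it matches the listed C2 hosts and the `/<guid>/update?id=<sha256>&v=<n>&pr=<n>` request shape from the quoted URL, and flags plaintext HTTP to such a host. The log line format and the sample entries are constructed assumptions; the last sample uses an unlisted host on port 5001 to show that the path pattern alone still triggers.

```python
import re

# Bobik C2 hosts listed in the report (IPs and DNS names).
BOBIK_C2_HOSTS = {
    "2.57.122.243", "2.57.122.82", "77.232.41.206", "109.107.181.130",
    "v9agm8uwtjmz.sytes.net", "q7zemy6zc7ptaeks.servehttp.com",
}

# Shape of the update request quoted in the report: /<guid>/update?id=<sha256>&v=<n>&pr=<n>
UPDATE_PATH = re.compile(
    r"^/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}/update"
    r"\?id=(?P<bot_id>[0-9A-Fa-f]{64})&v=(?P<version>\d+)&pr=(?P<pr>\d+)$"
)

# Assumed proxy log format (constructed for this example): <ts> <client_ip> <method> <url>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)$"
)

def classify(line):
    # Return an alert dict if the line looks like Bobik C2 traffic, otherwise None.
    m = LOG_LINE.match(line)
    if not m:
        return None
    reasons = []
    if m["host"] in BOBIK_C2_HOSTS:
        reasons.append("known-c2-host")
    um = UPDATE_PATH.match(m["path"])
    if um:
        # The GUID/update?id=<sha256>&v=&pr= shape is distinctive even on a host not yet listed.
        reasons.append("bobik-update-request")
        if m["scheme"] == "http":
            reasons.append("plaintext-c2")
    if not reasons:
        return None
    return {"src": m["src"], "host": m["host"], "reasons": reasons,
            "bot_id": um["bot_id"] if um else None}

def scan(lines):
    return [a for a in map(classify, lines) if a]

# Constructed sample log; the first URL is the one quoted in the report.
SAMPLE_LOG = [
    "2022-08-01T10:00:00Z 10.0.0.5 GET http://2.57.122.82/d380f816-7412-400a-9b64-78e35dd51f6e/update"
    "?id=AEF97F87751C863548359181B65B60EE86A7D44724040229CDE4622C99AB0B59&v=17&pr=1",
    "2022-08-01T10:00:03Z 10.0.0.5 GET https://www.example.com/index.html",
    "2022-08-01T10:00:07Z 10.0.0.9 GET http://v9agm8uwtjmz.sytes.net/",
    "2022-08-01T10:00:11Z 10.0.0.9 GET http://198.51.100.7:5001/0badc0de-1111-2222-3333-444444444444/update"
    "?id=67F5318073F09F03E762BF727015384589F00282EA26B1798C10581B8DC27F52&v=17&pr=1",
]
```

Run `scan(SAMPLE_LOG)` to get one alert per matching line; the benign example.com request yields nothing.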

Read more: https://decoded.avast.io/martinchlumecky/bobik/?utm_source=rss&utm_medium=rss&utm_campaign=bobik