The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the last three months to infiltrate vulnerable devices and co-opt them into a botnet for launching distributed denial-of-service (DDoS) attacks.
"CatDDoS-related gangs' samples have used a large number of known vulnerabilities to deliver samples," the QiAnXin XLab team noted. "Additionally, the maximum number of targets has been observed to exceed 300+ per day."
The flaws impact routers, networking gear, and other devices from vendors such as Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, and Zyxel, among others.
CatDDoS was first documented by QiAnXin and NSFOCUS in late 2023, which identified it as a Mirai botnet variant capable of carrying out DDoS attacks using UDP, TCP, and other methods.
First emerging in the open in August 2023, the malware got its name due to cat-related allusions such as "catddos.pirate" and "password_meow" in the artifact source code and the command-and-control (C2) domain names.
A majority of the malware's attack targets are located in China, followed by the U.S., Japan, Singapore, France, Canada, the U.K., Bulgaria, Germany, the Netherlands, and India, according to data shared by NSFOCUS as of October 2023.
Besides using the ChaCha20 cipher to encrypt communications with the C2 server, it relies on an OpenNIC domain for C2 in an effort to evade detection, a tactic previously used by another Mirai-based DDoS botnet named Fodcha.
In an unusual twist, CatDDoS also shares the same key/nonce pair for the ChaCha20 algorithm with three other DDoS botnets: hailBot, VapeBot, and Woodman.
XLab stated the attacks are mostly aimed at countries such as the U.S., France, Germany, Brazil, and China, spanning cloud service providers, education, scientific research, information transmission, public administration, construction, and other sectors.
It's believed that the original authors of the malware shut down their operations in December 2023, but not before putting the source code up for sale in a dedicated Telegram channel.
"Due to the sale or leak of the source code, new variants emerged, such as RebirthLTD, Komaru, Cecilio Network, etc. after the shutdown," the researchers added. "Although the different variants may be managed by different groups, there is little variation in the code, communication design, strings, decryption methods, etc."
Researchers Demonstrate DNSBomb
The disclosure comes as details have emerged about a practical and effective "pulsing" denial-of-service (PDoS) attack technique called DNSBomb (CVE-2024-33655) that, as the name suggests, uses Domain Name System (DNS) queries and responses to achieve an amplification factor of 20,000x.
At its core, the attack abuses legitimate DNS features such as query rate limits, query-response timeouts, query aggregation, and maximum response size settings to produce timed floods of responses using a malicious authoritative server and a vulnerable recursive resolver.
"DNSBomb exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems," Xiang Li, a Ph.D. candidate at the Tsinghua University NISL Lab, said.
"The attack approach comprises IP-spoofing several DNS requests to a domain controlled by the attacker, then delaying answers to aggregate many replies. DNSBomb seeks to overwhelm victims with frequent bursts of amplified traffic that are tough to detect."
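As an added illustration of the pulse-concentration effect described above (not code from the article, XLab or the DNSBomb authors), the following Python model bins DNS response records and flags windows whose volume dwarfs the surrounding baseline, the way a defender might look for PDoS bursts in resolver logs; the bin width, threshold and sample traffic are constructed assumptions.

```python
"""Pulse detector for DNS response traffic: a defender-side model of the
pulsing (PDoS) pattern described above. Constructed example, not code from
the article, XLab or the DNSBomb authors; records are (timestamp_s, bytes)."""
from collections import defaultdict
from typing import Dict, List, Tuple

BIN_MS = 100          # assumed bin width in ms, roughly the pulse width
PULSE_FACTOR = 20.0   # assumed threshold: bin volume vs. mean of other bins


def bin_volumes(records: List[Tuple[float, int]], bin_ms: int = BIN_MS) -> Dict[int, int]:
    """Sum response bytes per bin. Timestamps become integer milliseconds
    first, avoiding float floor-division artefacts (1.0 // 0.1 == 9.0)."""
    bins: Dict[int, int] = defaultdict(int)
    for ts, size in records:
        bins[round(ts * 1000) // bin_ms] += size
    return dict(bins)


def find_pulses(records, bin_ms=BIN_MS, factor=PULSE_FACTOR) -> List[Tuple[float, int, float]]:
    """Return (bin_start_s, bytes, ratio) for each bin whose volume exceeds
    `factor` times the mean of all other bins in the span; empty bins count
    as zero, so a low-rate background keeps the baseline low."""
    bins = bin_volumes(records, bin_ms)
    if not bins:
        return []
    span = max(bins) - min(bins) + 1
    total = sum(bins.values())
    pulses = []
    for idx in sorted(bins):
        vol = bins[idx]
        others = (total - vol) / (span - 1) if span > 1 else 0.0
        ratio = vol / others if others > 0 else float("inf")
        if ratio > factor:
            pulses.append((idx * bin_ms / 1000, vol, ratio))
    return pulses


def peak_to_average(records, bin_ms=BIN_MS) -> float:
    """Concentration factor: peak bin volume over the mean per-bin volume.
    A pulsing flood scores high although its average bandwidth looks benign."""
    bins = bin_volumes(records, bin_ms)
    span = max(bins) - min(bins) + 1
    return max(bins.values()) * span / sum(bins.values())


# Constructed sample: a 100-byte response every 0.5 s for 30 s, plus 200
# 4000-byte responses released together within 40 ms at t = 15 s.
SAMPLE = [(k * 0.5, 100) for k in range(60)]
SAMPLE += [(15.01 + i * 0.0002, 4000) for i in range(200)]
```

On the sample, the steady background averages only 20 bytes per 100 ms bin, yet the single burst bin carries 800,100 bytes, which is the low-mean, high-peak signature a rate-based threshold on average bandwidth would miss.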
The findings were presented at the 45th IEEE Symposium on Security and Privacy held in San Francisco last week, and earlier at the GEEKCON 2023 event that took place in Shanghai in October 2023.
The Internet Systems Consortium (ISC), which develops and maintains the BIND software suite, stated that it is not vulnerable to DNSBomb, adding that its existing mitigations are sufficient to defend against the risks posed by the attack.