A Russian threat group is offering incentives and cryptocurrency prizes in an effort to recruit Dark Web volunteers — who it calls “heroes” — to its distributed denial-of-service (DDoS) cyberattack ring.
A group tracked as NoName057(16) has launched the project, called DDosia, which aims at bolstering an earlier effort to mount DDoS attacks on websites in Ukraine and pro-Ukrainian countries. However, rather than try to do all the work themselves, DDosia “entices people to join their efforts by offering prizes for the best performers, paying rewards out in cryptocurrencies,” Avast researcher Martin Chlumecký wrote in a post on the Avast.io “Decoded” blog published Jan. 11.
Avast researchers first identified NoName057(16) in September, when they observed Ukraine-targeted DDoS attacks that the group was carrying out using botnets. The campaign specifically targeted websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine, as well as in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.
A remote access Trojan (RAT) called Bobik was instrumental in carrying out the DDoS attacks for the group in the original attack, which had a success rate of 40 percent using the malware, the researchers said.
However, the group ran into a hitch in their plans when the botnet was taken down in early September, according to the group’s Telegram channel, the researchers said. NoName057 subsequently launched DDosia to target the same set of pro-Ukraine entities on Sept. 15 as a response to this setback, they said.
“By launching the DDosia project, NoName057(16) tried to create a new parallel botnet to facilitate DDoS attacks,” Chlumecký wrote in the post. The project also represents a pivot to a public, incentive-based DDoS effort versus the more secretive Bobik botnet, the researchers said.
DDosia Technical Details
The DDosia client is comprised of a Python script created and controlled by NoName057(16). The DDosia tool is only available for verified/invited users via a semiclosed Telegram group — unlike the Babik malware, the researchers said. Another differentiator between the two efforts is that DDosia appears to have no additional backdoor activity, they noted. Bobik on the other hand offers extensive spyware capabilities, including keylogging, running and terminating processes, collecting system information, downloading/uploading files, and dropping further malware onto infected devices.
To become a DDosia member, a volunteer must through a registration process facilitated by the @DDosiabot in the dedicated Telegram channel, the researchers said. After registering, members receive a DDosia zip file that includes an executable.
NoName057(16) also “strongly recommends” that volunteers use a VPN client, “connecting through servers outside of Russia or Belarus, as traffic from the two countries is often blocked in the countries the group targets,” Chlumecký wrote.
The principal DDosia C2 server used in the DDosia campaign was located at 109. 107. 181. 130; however, it was taken down on Dec. 5, researchers said. Because NoName057(16) continues to actively post on its Telegram channel, the researchers assume it must have another botnet, they said.
The DDosia application has two hardcoded URLs that are used to download and upload data to the C2 server. The first one is used to download a list of domain targets that will be attacked, while the second one is used for statistical reporting, the researchers said.
DDosia sends the list of targets to the botnet as an uncompressed and unencrypted JSON file with two items: targets and randoms, the researchers said.
“The former contains approximately 20 properties that define DDoS targets; each target is described via several attributes: ID, type, method, host, path, body, and more,” Chlumecký wrote. “The latter describes how random strings will look via fields such as: digit, upper, lower, and min/max integer values.”
DDosia also generates random values at runtime for each attack, likely because attackers want to randomize HTTP requests and make each HTTP request unique for a better success rate, the researchers said.
Rewarding DDoS “Heroes”
The most important new aspect of DDoS attacks is the possibility of volunteers who get involved in the campaign being rewarded, the researchers said. Via one of the aforementioned technical aspects of how DDosia works, NoName057(16) collects statistical information about performed attacks and successful attempts by its network of volunteers, which it calls “heroes,” they said.
NoName057(16) pays out these heroes — who Chlumecký noted can “easily” manipulate the statistics for success — in cryptocurrency sums of up to thousands of rubles, or the equivalent of hundreds of dollars.
DDosia: Looming Potential for Disruption
Currently, the success rate of the DDosia campaign is lower than the previous Bobik campaign, with around 13% of all of attempted attacks disrupting targets, the researchers said.
However, the project “has the potential to be a nuisance when targeted correctly,” Chlumecký wrote. The group currently has about 1,000 members; however, if that rises, researchers expect its success rate also to grow, they said.
“Therefore, the successful attack depends on the motivation that NoName057(16) provides to volunteers,” Chlumecký explained.
The researchers estimate that one DDosia “hero” can generate about 1,800 requests per minute using four cores and 20 threads, with the speed of request generation depending on the quality of the attacker’s Internet connection. Assuming that at least half of the current membership base is active, this means that the total count of requests to defined targets can be up to 900,000 requests per minute, the researchers said.
“This can be enough to take down Web services that do not expect heavier network traffic,” Chlumecký noted. Meanwhile, “servers that expect a high network activity load are more resilient to attacks,” he added.
“Given the evolving nature of DDosia and its fluctuating network of volunteers, only time will tell how successful DDosia ultimately will be,” Chlumecký said.
Indeed, Russia’s attack on Ukraine in February 2022 has driven DDoS attacks to an all-time high, allowing attackers to cause digital and IT-related disruption in a cyberwar that’s been mounted alongside the ground war since it began.
NonName057(16) are among a number of threat groups perpetrating these attacks, albeit one of the less sophisticated ones whose attacks at this point remain low-impact and cause little significant damage, the researchers said.
Chlumecký likened the group to another pro-Russia threat actor Killnet, whose activities are aimed at drawing media attention: “NoName057(16) activities are still more of a nuisance than dangerous.”