Project DDOSIA Russia's answer to disBalancer


October 13, 2022 11:56 AM

Inspired by Newton's third law of physics, NoName057(16) published a Manifesto in July denouncing the West for waging an open information war against Russia. They consider their cyberattacks to be the reaction to western "Russophobia" and western actions against Russia.

Read the Complete Alert
 

In July, threat group NoName057(16) quietly launched a crowdsourced botnet project named 'DDOSIA.' The project, similar to the pro-Ukrainian Liberator by disBalancer and the fully automated DDoS bot project by the IT ARMY of Ukraine, leverages politically-driven hacktivists willing to download and install a bot on their computers to launch denial-of-service attacks. Project DDOSIA, however, raises the stakes by providing financial incentives for the top contributors to successful denial-of-service attacks.

Background

NoName057(16) is a pro-Russian threat group known for launching defacement and DDoS attacks against Ukraine and those that directly or indirectly support Ukraine. The group formed in March of 2022 on Telegram and became a notable threat group by June. Since then, the group has gathered a following of nearly 13,000 subscribers.

Over the last few months, Noname057(16) has been operating in support of Killnet operations. Most recently, the group worked in parallel with Killnet during their campaign against civilian network infrastructure in the United States. During the operation, threat group NoName057(16) posted an invite link to a Telegram channel named 'DDOSIA Project' and also reposted the Killnet target list for U.S. airports in the same channel.

NONAME057(16) MANIFESTO

Inspired by Newton's third law of physics, NoName057(16) published a Manifesto in July denouncing the West for waging an open information war against Russia. They consider their cyberattacks to be the reaction to western "Russophobia" and western actions against Russia.

PROJECT BOBIK

On September 6, Avast published a report linking Bobik, a Remote Access Trojan (RAT) first discovered in 2020, infections to the threat group NoName057(16). Bobik, often dropped via information stealers such as RedLine Stealer, downloads a second-stage DDoS module that the threat group leveraged in DDoS attacks.

Avast was able to correlate the attacks performed by the newly discovered Bobik campaign to attacks claimed by NoName057(16). After monitoring attack activity between June and September, Avast concluded that successful attacks claimed by NoName057(16) make up only about 40% of their attempted attacks. The success of the group's attacks seemed to depend on the quality of protection of the targeted organization. Avast's evidence suggested that well-secured networks and applications could withstand attacks from the group's Bobik-based botnet.

Project DDOSIA

Mid-August, while publishing their manifesto, NoName057(16) simultaneously disclosed their 'special software' that will assist them in conducting DDoS attacks. Over the following days, the group provided more information about their 'special software' named DDOSIA and instructions on using it to contribute to the fight against Western Russophobes.

Instructions, publicly available at dddosia.github.io, explain how potential contributors can register through Telegram to receive a ZIP archive containing a Windows bot binary named 'dosia.exe' and a unique identifier file with the name 'client_id.txt.' The unique identifier allows the contributor to create a bragging alias while registration of a cryptocurrency wallet is required to receive potential financial rewards at a later phase in the project.

After the bot agent 'dosia.exe' is executed on a contributor's Windows machine, the bot registers itself with the command-and-control (C2) infrastructure of the authors. Subsequently, the C2 servers feed the bot with a list of targets, after which the malicious software begins attacking the provided targets with TLS encrypted Layer 7 and TCP-SYN denial-of-service attacks. Users who experience issues with the bot are invited to write a message to the authors at 05716nnm@proton[.]me with ‘Bot does not work' as subject.

Continue Reading...

Click here to read the full ERT Threat Alert.

Read the full threat alert now

 

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
CyberPedia
Events