Beware of DDosia, a botnet created to facilitate DDoS attacks

Emma McGowan 16 Jan 2023

The hacker group targets a wide range of organizations, including courts, banks, educational institutions, government agencies, and transport services.

The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky. The group launches DDoS attacks against private and public organizations in Ukraine, Poland, Latvia, Lithuania, Czechia, and other European countries.

“Right from the beginning of the Ukraine war, we saw an increase in DDoS activity via the Bobik malware, so infected victims did not know their computer was making DDoS attacks. However, NoName057(16) has changed their philosophy and publicly calls on social media for people to engage as hacktivists and download the DDosia tool to take down sites with anti-Russian and Russophobic content,” Chlumecky says.

The latest analysis of the DDosia project, conducted between August 1 and November 30, 2022, revealed that the hacker group set up the DDosia project as a backup plan in case the Bobik command-and-control (“C&C”) server was taken down. The Bobik botnet server was indeed taken down at the beginning of September.

The research also revealed that the hacker group targets a wide range of organizations, including courts, banks, educational institutions, government agencies, and transport services. In total, Avast observed roughly 1,400 DDoS attack attempts by DDosia project members, with 190 of them being successful, giving the group a success rate of approximately 13%.

The success rate of attacks increased in November, likely due to targeting multiple sub-domains belonging to the same primary domain. For example, the hackers targeted subdomains belonging to the domain, most of which run on the same platform, increasing their chances of taking down selected servers.

Telegram being used as a malicious platform

NoName(057)16 also has a dedicated, private Telegram channel with about 1,300 followers, which they refer to as “heroes”. These “heroes” can link a crypto wallet and earn up to 80,000 Russian rubles (~$1,200 USD) in cryptocurrencies for the successful DDoS attacks they carry out.

“Without great technical knowledge, members of the DDosia group can earn up to 80,000 Russian rubles (about 1,200 USD) in cryptocurrencies for successful DDoS attacks,” Chlumecky says. “Thus, the motivation moves from political to financial aspects. The hacker group NoName(057)16 uses this financial incentive to increase its success rate and thus make a name for itself in the hacker community – political motivation may play only a subordinate role for many, both at the level of the project heads and among the participating users.”

It should be noted that the communication between the hackers and their “heroes” is unencrypted and unauthenticated, which allows anyone to manipulate the reported performance statistics. Avast also detected a handful of users attempting to download the DDosia executable, and noticed Avast users in Russia, as well as in Canada and Germany, adding the program to the Avast AV exceptions list.

“While it may be tempting for many people to join these cyber groups to boost their finances, it is still a cyberattack with all the consequences – including legal consequences,” Chlumecky says. “That should be clear to everyone.”

Want to know more about the DDosia project? We’ve taken an in-depth look at it on Decoded.
