DDOSIA Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ddosia/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 04 Jul 2023 14:52:17 +0000

Russian Hacker Project DDoSIA Grew by Multiple Times
https://gridinsoft.com/blogs/russian-hacker-project-ddosia/
Tue, 04 Jul 2023 14:21:11 +0000

The post Russian Hacker Project DDoSIA Grew by Multiple Times appeared first on Gridinsoft Blog.

Analysts of the Sekoia company reported that the Russian DDoSia hacker project grew by 2400% in less than a year. That project pays volunteers to participate in attacks on Western organizations. More than 10,000 people are currently involved in the attacks.

DDoS-for-hire services have become particularly popular over the last few years. We recently reviewed the most popular ones. And if you are interested in record-breaking attacks, Cloudflare Recorded the Most Powerful DDoS Attack in the History of Observations.

What is the DDoSIA project?

The DDoSIA project first appeared in the fall of 2022, when Radware reported that it had been launched in August 2022 by the group NoName057(16). The group itself, however, emerged only in March 2023 as a pro-Russian hacker group. It created the DDoSia project in Telegram, where the operators posted a link to GitHub with instructions for potential “volunteers”.

These “volunteers” were invited to register via Telegram to receive a ZIP archive with malware (dosia.exe). The archive contains a unique ID for each user. The most interesting feature of this project was that participants could link their ID to a cryptocurrency wallet and receive money for participating in DDoS attacks, with the payment proportional to the capacity a given participant provided.

As Sekoia experts now say, the DDoSia platform has grown significantly over the past year and has about 10,000 active participants contributing to DDoS attacks. At the same time, more than 45,000 people have already subscribed to the hackers’ main Telegram channels (all seven of them). Beyond the commentary in those channels (instructions on what to do in DDoSia attacks), the platform has improved its toolkit and now ships binaries for all major operating systems, widening its potential audience.

How does it work?

Registration of new users is fully automated through a Telegram bot, which supports only the Russian language. New participants start by providing a TON (Telegram Open Network) wallet address to receive cryptocurrency; in response, the bot creates a unique client ID and provides a help text file.

Next, new participants receive a ZIP-archive containing a tool for attacks. As of April 19, 2023, the archive included the following files:

  1. d_linux_amd64 – ELF 64-bit LSB executable, x86-64;
  2. d_linux_arm – ELF 32-bit LSB executable, ARM;
  3. d_mac_amd64 – Mach-O 64-bit executable, x86-64;
  4. d_mac_arm64 – Mach-O 64-bit executable, arm64;
  5. d_windows_amd64.exe – PE32+ (console) executable, x86-64, for Microsoft Windows;
  6. d_windows_arm64.exe – PE32+ (console) executable, Aarch64, for Microsoft Windows.

To run these payloads, the text file with the client ID must be placed in the same folder as the payloads themselves, which makes it harder for IT experts and other “outsiders” to execute the files without authorization.

[Figure: Internal mechanism of the DDoSIA project]

After that, the DDoSia client opens a command-line prompt, where participants receive a list of targets in encrypted form and can pick a specific target to attack. Experts studied the 64-bit Windows executable and found that it is a Go binary that uses AES-GCM encryption to communicate with the control server. The C&C server transmits the DDoSia target ID, host IP address, request type, port and other attack parameters to the client in encrypted form, and all of this is then decrypted locally.

[Figure: DDoS attack code]

DDoSIA Massively Attacks Lithuania, Ukraine and Poland

Sekoia researchers collected data on DDoSia targets for the period from May 8 to June 26, 2023, as distributed by the server controlling the attacks. The targets of the group and its “volunteers” were mainly organizations from Lithuania, Ukraine and Poland, which together accounted for 39% of the project’s total activity.

[Figure: Chart of countries attacked by DDoSIA]

Analysts noted that DDoSia attacked a total of 486 different sites. In May and June, the crooks focused on attacks on educational platforms, possibly to disrupt end-of-school exams. In summary, the DDoSia project has already grown large enough to create serious problems for its targets. Who knows what will happen when it grows even further?

Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies
https://gridinsoft.com/blogs/ddosia-pays-volunteers/
Mon, 17 Oct 2022 08:41:57 +0000

Radware experts discovered the DDOSIA crowdsourcing DDoS project, in which a Russian-speaking hack group pays volunteers for participation in attacks on Western organizations.

Let me remind you that we also wrote that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites, and also that Fake DDoS App Targets Pro-Ukrainian Hacktivists.

The researchers note that DDoS attacks have long been a powerful weapon in the hands of hacktivists from various countries: such attacks are easy to organize and carry out, and the damage caused by interruptions to the work of companies and organizations can lead to financial losses and even more serious consequences.

However, usually volunteers involved in DDoS attacks are not rewarded for their “work”, so the discovery of a DDOSIA project is a rather unusual event.

According to Radware, the project was launched in August 2022 by the NoName057(16) group, which appeared in March this year.

This hack group was first mentioned in a September report by Avast, which described a module for DDoS attacks loaded by the Bobik remote access trojan (this malware has been known since 2020 and is distributed by the RedLine stealer). Avast experts observed NoName057(16) for three months, from June to September of this year, and came to the conclusion that the group is carrying out DDoS attacks against Ukrainian organizations, although only about 40% of them are successful.

As Radware analysts now say, relatively recently, the group launched the DDOSIA project on Telegram, where operators posted a link to GitHub with instructions for potential “volunteers”. To date, the group’s main Telegram channel has more than 13,000 subscribers.

DDOSIA sometimes attacks the same targets chosen by the pro-Russian hack group KillNet, the researchers say. In particular, it took part in a recent large-scale DDoS attack on major airports in the United States.

DDOSIA pays volunteers

DDOSIA volunteers register via Telegram to receive a ZIP archive with malware (dosia.exe) that contains a unique ID for each user. The most interesting feature of this project is that participants can link their ID to a cryptocurrency wallet and receive money for participating in DDoS attacks. Moreover, payment is proportional to the capacity provided by a particular participant.

[Figure: Distribution of “prizes”]

The best participants in each wave of attacks receive: 80,000 rubles (approximately $1,255) for first place, 50,000 rubles (approximately $785) for second place, and 20,000 rubles (approximately $315) for third place. In addition, during the attacks on American airports, DDOSIA operators announced that they would distribute additional payments among the Top 10 participants.

Experts summarize that DDOSIA currently has about 400 members and remains a semi-closed invite-only group that regularly attacks more than 60 military and educational organizations.

At the same time, Radware expresses concern that the financial incentive will allow NoName057(16) to attract a lot of volunteers to DDoS attacks, and may set a trend for other DDoS groups.
