DDoS-for-hire services became particularly popular over the last years. We recently did the review of of the most popular ones. And if you are interested in criminal records, Cloudflare Recorded the Most Powerful DDoS Attack in the History of Observations.

What is DDoSIA project?

DDoSIA project appeared back in fall 2022. Then the Radware company announced that the project was launched in August 2022 by the group NoName057(16). The latter, however, appeared only in March 2023, as a pro-Russian hacker group. They created a DDoSia project in Telegram, where the operators posted a link to GitHub with instructions for potential “volunteers”.

These “volunteers” were offered to register via Telegram to receive a ZIP-archive with malware (dosia.exe). Archive contains a unique ID for each user. The most interesting feature of this project was the fact that participants could link their ID with a cryptocurrency wallet and receive money for participating in DDoS attacks. And the payment was proportional to the capacities provided by the concrete participant.

As Sekoia experts say now, the DDoSia platform has grown significantly over the past year and now has about 10,000 active participants who contribute to DDoS attacks. At the same time, more than 45,000 people have already subscribed to the main Telegram channels of hackers (all seven of them). In addition to just comments (what to do with DDoSia ataks), the platform has improved its toolkit and Tebera welcomes banaries for all OS programs, selling audience controls.

How that works?

Registration of new users is fully automated through the Telegram bot, which supports only the Russian language. New participants start by providing a TON (Telegram Open Network) wallet address to receive cryptocurrency, and in response the bot creates a unique client ID and provides a text file for help.

Next, new participants receive a ZIP-archive containing a tool for attacks. As of April 19, 2023, the archive included the following files:

1. d_linux_amd64 – executable file ELF 64-bit LSB, x86-64;
2. d_linux_arm — 32-bit executable file ELF LSB, ARM;
3. d_mac_amd64 — Mach-O x86-64 64-bit executable file;
4. d_mac_arm64 — Mach-O arm64 64-bit executable file;
5. d_windows_amd64.exe — executable file PE32+ (console) x86-64 for Microsoft Windows;
6. d_windows_arm64.exe — executable file PE32+ (console) Aarch64 for Microsoft Windows.

To perform these useful loads, the text file with the client ID must be placed in the same folder as the payloads themselves, which makes it difficult for unauthorized execution of files by IT experts and other «outsiders».

After that, the DDoSia client launches a command line invitation. There, participants receive a list of targets in an encrypted form. They can pick a specific target to attack. Experts studied the 64-bit Windows executable file and found that it is a binary written in Go, using AES-GCM encryption algorithms to communicate with the control server. The C&C server transmits the DDoSia target ID, host IP address, request type, port and other attack parameters to the client in an encrypted form, and all of this is then decrypted locally.

DDoSIA Massively Attacks Lithuania, Ukraine and Poland

Sekoia researchers collected data about some DDoSia targets for the period from May 8 to June 26, 2023, which were communicated by the server controlling the attacks. Basically, the groups and their «volunteers» were organizations from Lithuania, Ukraine and Poland, which accounted for 39% of the total activity of the project.

Analysts noted that DDoSia attacked a total of 486 different sites. In May and June, crooks focused on attacks on educational platforms, possibly to disrupt end-of-school exams. In summary, the DDoSia project has already reached a sufficiently large size to create serious problems for its targets. Who knows what will happen when they will grow even more?

The post Russian Hacker Project DDoSIA Grew by Multiple Times appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites, and also that Fake DDoS App Targets Pro-Ukrainian Hacktivists.

The researchers note that DDoS attacks have long become a powerful weapon in the hands of hacktivists from various countries, because such attacks are easy to organize and carry out, and the damage caused by interruptions in the work of companies and organizations can lead to both financial losses and more serious consequences.

However, usually volunteers involved in DDoS attacks are not rewarded for their “work”, so the discovery of a DDOSIA project is a rather unusual event.

According to Radware, the project was launched in August 2022 by the NoName057(16) group, which appeared in March this year.

This hack group was first mentioned in a September report by Avast, which described a module for DDoS attacks loaded by the Bobik remote access trojan (this malware has been known since 2020 and is distributed by the RedLine stealer). Avast experts observed NoName057(16) for three months, from June to September of this year, and came to the conclusion that the group is carrying out DDoS attacks against Ukrainian organizations, although only about 40% of them are successful.

As Radware analysts now say, relatively recently, the group launched the DDOSIA project on Telegram, where operators posted a link to GitHub with instructions for potential “volunteers”. To date, the group’s main Telegram channel has more than 13,000 subscribers.

Sometimes DDOSIAs attack the same targets set by the pro-Russian hack group KillNet, the researchers say. In particular, they took part in a recent large-scale DDoS attack on major airports in the United States.

DDOSIA volunteers register via Telegram to receive a ZIP archive with malware (dosia.exe) that contains a unique ID for each user. The most interesting feature of this project is the fact that participants can link their ID to a cryptocurrency wallet and receive money for participating in DDoS attacks. Moreover, payment is proportional to the capacities provided by a particular participant.

Distribution of “prizes”

The best participants in each wave of attacks receive: 80,000 rubles (approximately $1,255) for first place, 50,000 rubles (approximately $785) for second place, and 20,000 rubles (approximately $315) for third place. In addition, during the attacks on American airports, DDOSIA operators announced that they would distribute additional payments among the Top 10 participants.

Experts summarize that DDOSIA currently has about 400 members and remains a semi-closed invite-only group that regularly attacks more than 60 military and educational organizations.

At the same time, Radware expresses concern that the financial incentive will allow NoName057(16) to attract a lot of volunteers to DDoS attacks, and may set a trend for other DDoS groups.

The post Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies appeared first on Gridinsoft Blog.