DDoS-for-hire services became particularly popular over the last years. We recently did the review of of the most popular ones. And if you are interested in criminal records, Cloudflare Recorded the Most Powerful DDoS Attack in the History of Observations.

What is DDoSIA project?

DDoSIA project appeared back in fall 2022. Then the Radware company announced that the project was launched in August 2022 by the group NoName057(16). The latter, however, appeared only in March 2023, as a pro-Russian hacker group. They created a DDoSia project in Telegram, where the operators posted a link to GitHub with instructions for potential “volunteers”.

These “volunteers” were offered to register via Telegram to receive a ZIP-archive with malware (dosia.exe). Archive contains a unique ID for each user. The most interesting feature of this project was the fact that participants could link their ID with a cryptocurrency wallet and receive money for participating in DDoS attacks. And the payment was proportional to the capacities provided by the concrete participant.

As Sekoia experts say now, the DDoSia platform has grown significantly over the past year and now has about 10,000 active participants who contribute to DDoS attacks. At the same time, more than 45,000 people have already subscribed to the main Telegram channels of hackers (all seven of them). In addition to just comments (what to do with DDoSia ataks), the platform has improved its toolkit and Tebera welcomes banaries for all OS programs, selling audience controls.

How that works?

Registration of new users is fully automated through the Telegram bot, which supports only the Russian language. New participants start by providing a TON (Telegram Open Network) wallet address to receive cryptocurrency, and in response the bot creates a unique client ID and provides a text file for help.

Next, new participants receive a ZIP-archive containing a tool for attacks. As of April 19, 2023, the archive included the following files:

1. d_linux_amd64 – executable file ELF 64-bit LSB, x86-64;
2. d_linux_arm — 32-bit executable file ELF LSB, ARM;
3. d_mac_amd64 — Mach-O x86-64 64-bit executable file;
4. d_mac_arm64 — Mach-O arm64 64-bit executable file;
5. d_windows_amd64.exe — executable file PE32+ (console) x86-64 for Microsoft Windows;
6. d_windows_arm64.exe — executable file PE32+ (console) Aarch64 for Microsoft Windows.

To perform these useful loads, the text file with the client ID must be placed in the same folder as the payloads themselves, which makes it difficult for unauthorized execution of files by IT experts and other «outsiders».

After that, the DDoSia client launches a command line invitation. There, participants receive a list of targets in an encrypted form. They can pick a specific target to attack. Experts studied the 64-bit Windows executable file and found that it is a binary written in Go, using AES-GCM encryption algorithms to communicate with the control server. The C&C server transmits the DDoSia target ID, host IP address, request type, port and other attack parameters to the client in an encrypted form, and all of this is then decrypted locally.

DDoSIA Massively Attacks Lithuania, Ukraine and Poland

Sekoia researchers collected data about some DDoSia targets for the period from May 8 to June 26, 2023, which were communicated by the server controlling the attacks. Basically, the groups and their «volunteers» were organizations from Lithuania, Ukraine and Poland, which accounted for 39% of the total activity of the project.

Analysts noted that DDoSia attacked a total of 486 different sites. In May and June, crooks focused on attacks on educational platforms, possibly to disrupt end-of-school exams. In summary, the DDoSia project has already reached a sufficiently large size to create serious problems for its targets. Who knows what will happen when they will grow even more?

The post Russian Hacker Project DDoSIA Grew by Multiple Times appeared first on Gridinsoft Blog.

ekoia experts report that a new infostealer, Stealc, has appeared on the darknet, and is gaining popularity among criminals due to aggressive advertising and similarities to malware such as Vidar, Raccoon, Mars, and Redline.

Let me remind you that we also wrote that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer, and also that NetSupport and Raccoon Stealer malware spreads masked as Cloudflare warnings.

Also information security specialists reported that Raccoon malware steals data from 60 different applications.

For the first time, analysts noticed the advertisement of the new malware back in January, and in February it began to actively gain popularity.

On hack forums and Telegram channels, Stealc is advertised by someone under the nickname Plymouth. He says that the malware is a “non-resident stealer with flexible settings and a convenient admin panel.”

Advertisement Stealc

In addition to the usual targeting of data from browsers, extensions and cryptocurrency wallets for such malware (the malware targets 22 browsers, 75 plugins and 25 desktop wallets), Stealc can also be configured to capture certain types of files that the malware operator wants to steal.

Configuration Instructions for Browser Attacks

The advertisement notes that when developing Stealc, its authors relied on solutions already existing “on the market”, including Vidar, Raccoon, Mars and Redline.

Sekoia analysts noticed that Stealc, Vidar, Raccoon, and Mars have in common that they all load legitimate third-party DLLs (eg sqlite3.dll, nss3.dll) to steal sensitive data. The researchers also say that the organization of communication with the control server of one of the samples of the new stealer they analyzed is similar to Vidar and Raccoon.

In total, the researchers identified more than 40 Stealc C&C servers and several dozen malware samples. According to them, this indicates that the new malware has aroused considerable interest among the cybercriminal community.

Malware development

One of Stealc’s distribution methods that researchers have already discovered is YouTube videos that describe how to install the cracked software and contain links to download sites. In such programs, a stealer is built in, which starts working and communicates with the control server after the installer is launched.

Site distributing stealer

According to experts, hacker clients with access to the Stealc administration panel can generate new stealer samples, and this increases the chances of the malware leaking and making it available to a wider audience in the future.

The post Cybersecurity Experts Discovered a New Stealc Infostealer appeared first on Gridinsoft Blog.

The attackers have created a cross-platform malicious version of the Chinese messenger MiMi (秘密, “secret” in Chinese), and use it to attack Windows, Linux, and macOS users.

Let me remind you that we also wrote that Chinese Hackers Use Ransomware As a Cover for Espionage, and also that Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities.

So, SEKOIA researchers write that MiMi for macOS version 2.3.0 was hacked almost four months ago, on May 26, 2022. The compromise was discovered during the analysis of the infrastructure of the HyperBro remote access trojan associated with APT27: the malware contacted the application, which seemed suspicious to the experts.

Trend Micro analysts have also noticed this campaign (independently of their colleagues) and now report that they have identified old trojanized versions of MiMi targeting Linux (rshell backdoor) and Windows (RAT HyperBro).

At the same time, the oldest sample of rshell for Linux is dated June 2021, and the first victim of this campaign became known back in mid-July 2021. In total, at least 13 different organizations in Taiwan and the Philippines were attacked, of which eight were affected by shell.

Experts say that in the case of macOS, the malicious JavaScript code injected into MiMi checks if the app is running on the Mac and then downloads and runs the rshell backdoor. After launch, the malware collects and sends system information to its operators and waits for further commands.

Hackers can use the malware to list files and folders and read, write, and download files on compromised systems. In addition, the backdoor can steal data and send specific files to its control server.

According to experts, the connection of this campaign with APT27 is obvious. Thus, the cybercriminals’ infrastructure uses a range of IP addresses already known to information security specialists. In addition, similar campaigns have already been observed before. For example, a backdoor was introduced into the Able Desktop messenger (Operation StealthyTrident), and malicious code was packaged using the already known tool associated with APT27.

It is worth emphasizing that it is impossible to say that we are discussing an attack on the supply chain. The fact is that according to Trend Micro, hackers control the servers hosting the MiMi installers, and experts suggest that they are dealing with a compromise of a legitimate and not too popular messenger targeted at the Chinese audience.

In turn, SEKOIA analysts say that MiMi looks very suspicious: the site associated with the messenger (www.mmimchat[.]com) does not contain a detailed description of the application, terms of use and links to social networks. Check of the legitimacy of the developer company Xiamen Baiquan Information Technology Co. Ltd. also failed. As a result, SEKOIA experts write that hackers could have developed the messenger, which is initially a malicious tool for tracking specific targets.”

The post Chinese Hackers Injected a Backdoor into the MiMi Messenger appeared first on Gridinsoft Blog.