Report on DDoSia Malware Launching DDoS Attacks Against Korean Institutions
The Russian hacktivist group NoName057(16) has been active since March 2022, and its goal is to launch DDoS attacks against targets with anti-Russian views. In November 2024, NoName057(16), together with the pro-Russian hacktivist groups Cyber Army of Russia Reborn and Alixsec, launched DDoS attacks against the websites of major South Korean government agencies. The attacks were believed to have been triggered by remarks made by Minister of Foreign Affairs Cho Tae-yul and President Yoon Suk-yeol regarding the supply of weapons to Ukraine. As a result of these attacks, various South Korean organizations suffered damages.
One of the characteristics of NoName057(16) is that it uses automated DDoS bots such as DDoSia, which encourage individual users to participate in attacks. The threat actors' Telegram channel has tens of thousands of subscribers, and they actively promote their activities and share their attack targets and progress in real time through social media. In addition, participants are rewarded with cryptocurrency for successful attacks, which encourages more people to join.
DDoS attacks of this kind, carrying a clear political message, aim to disrupt services and cause social chaos, applying psychological pressure through cyberspace in situations of military conflict.

Figure 1. Flow of DDoSia attack
DDoSia operates by downloading "client_id.txt" from a Telegram channel and placing it in the same path as the binary before execution. By default, the C&C server address embedded in the binary is used, but since the C&C server address changes constantly, participants need to obtain a new IP address from Telegram if the connection cannot be established.
When DDoSia is executed, it first goes through an authentication step. Based on the ID file client_id.txt, the bot collects basic information about the system and sends it to the C&C server. The URL used is "/client/login", and the system information is sent encrypted. Afterward, the bot receives a timestamp from the C&C server, then connects back to the C&C server to receive the list of attack targets. The URL used for this is "/client/get_targets". Finally, the bot periodically reports the results of the attack status to the C&C server through the URL "/set_attack_count".

Figure 2. Packet of the authentication process
Some of the commands received from the C&C server are http, http2, tcp, and nginx_loris. DDoSia, developed in Go language, supports http and http2 commands, but does not support tcp and nginx_loris commands. It is worth noting that the previous version of DDoSia, developed in Python, supported the TCP SYN Flood technique, so there is a possibility that this will be supported in another version. In addition, to bypass the detection of security products during a DDoS attack, the C&C server randomly selects a User-Agent and sends an HTTP request to the C&C server or DDoS attack target.
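The C&C protocol described above (the /client/login, /client/get_targets and /set_attack_count paths, plus the randomised User-Agent) gives a defender two signals that can be checked in HTTP proxy logs. The following Python script is an added example, not code from the report or from AhnLab: it parses a constructed proxy log format, flags internal hosts that request the C&C paths in the order the report describes, and measures how many distinct User-Agent strings each host sends. Only the three URL paths come from the report; the log format, IP addresses (from the reserved 203.0.113.0/24 test range), hostnames and User-Agent strings are constructed for the example.

```python
"""Detection helper for DDoSia-style C&C beaconing in HTTP proxy logs.

Added example (not the report's or AhnLab's code). It looks for the C&C URL
paths named in the report and for the User-Agent rotation described there:
one internal host sending requests with many distinct User-Agent strings.
The log format, IPs, hostnames and User-Agents below are constructed.
"""
import re
from collections import defaultdict

# URL paths the report attributes to the DDoSia C&C protocol, in order of use.
C2_PATHS = ("/client/login", "/client/get_targets", "/set_attack_count")

# Constructed proxy log format: <src_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample lines; 203.0.113.0/24 and .invalid are reserved test values.
SAMPLE_LOG = """\
203.0.113.10 GET http://intranet.example.invalid/ "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
203.0.113.25 POST http://c2.example.invalid/client/login "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0"
203.0.113.25 GET http://c2.example.invalid/client/get_targets "Mozilla/5.0 (Windows NT 6.1) Safari/537.36"
203.0.113.25 POST http://c2.example.invalid/set_attack_count "Opera/9.80 (Windows NT 6.1) Presto/2.12"
203.0.113.25 POST http://c2.example.invalid/set_attack_count "Mozilla/5.0 (Macintosh) Chrome/118.0"
203.0.113.10 GET http://intranet.example.invalid/news "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
"""


def parse_log(text):
    """Parse constructed proxy lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def c2_path_hits(events):
    """Map source IP -> ordered list of DDoSia C&C paths it requested."""
    hits = defaultdict(list)
    for ev in events:
        path = re.sub(r"^https?://[^/]+", "", ev["url"])  # strip scheme and host
        if path in C2_PATHS:
            hits[ev["src"]].append(path)
    return dict(hits)


def ua_diversity(events):
    """Map source IP -> number of distinct User-Agent strings it sent."""
    uas = defaultdict(set)
    for ev in events:
        uas[ev["src"]].add(ev["ua"])
    return {src: len(s) for src, s in uas.items()}


def flag_hosts(events, ua_threshold=3):
    """Return hosts that hit a C&C path and either completed the login ->
    get_targets sequence or rotated User-Agents at least ua_threshold times."""
    hits = c2_path_hits(events)
    diversity = ua_diversity(events)
    flagged = {}
    for src, paths in hits.items():
        # The report states login precedes get_targets, with set_attack_count
        # reported periodically afterwards.
        full_sequence = paths[:2] == list(C2_PATHS[:2])
        if full_sequence or diversity.get(src, 0) >= ua_threshold:
            flagged[src] = {
                "paths": paths,
                "distinct_user_agents": diversity.get(src, 0),
                "full_sequence": full_sequence,
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_hosts(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The path match alone is a strong indicator because the three paths are specific to this bot; the User-Agent count is kept as a secondary condition so that a host which only reaches /set_attack_count (for example after the login was made over a different egress) is still surfaced when it shows the rotation behaviour. On a real proxy feed, the threshold should be tuned against the normal per-host User-Agent diversity of the environment.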

Figure 3. Decrypted list of attack targets