CatDDoS Exploitation Activity Surges

Researchers at XLab recently discovered that CatDDoS has been actively exploiting over 80 vulnerabilities and attacking more than 300 targets in the last 3 months.

The use of Cacti-n0day and skylab0day as parameter names suggests that the operators may be using 0-day exploits. Victims are targeted globally, mostly in the US, France, Germany, Brazil, and China, across the cloud services, education, research, telecommunications, public administration, and construction sectors.

The CatDDoS botnet, a Mirai variant known by its cat-related nickname, launched multiple 60-second DDoS attacks, tagged as “atk_0”, against Shanghai Network Technology Co., LTD. after 9 PM on April 7th, 2024. Notably, this variant was shut down in December 2023 after a source code leak, but other versions, such as RebirthLTD and Komaru, appeared immediately afterwards and built on the leaked codebase.

There are many similarities between the variants in code, communication design, and decryption methods, even though they were operated by different groups, collectively called CatDDoS-related gangs.

The active variants “v-2.0.4” and “v-Rebirth” used OpenNIC domains and chacha20 encryption.

The v-snow_slide variant, believed to have been created by the defunct Aterna group, retains some code in common with Fodcha, specifically its “snow slide” output string, TEA encryption, OpenNIC C2 domains, and a shared communication protocol.

Researchers also found instances of “template sharing” across groups, where similar malware source code is reused with slight modifications; this is a common practice among IoT botnets and results in code homology.

Other variants’ C2 infrastructure even appeared among the DDoS targets, pointing to fierce conflicts among operators competing for resources, a consistent feature of the IoT botnet landscape.

Indicators of Compromise
