URL: https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/
Research & Threat Intelligence


FOLLOWING NONAME057(16) DDOSIA PROJECT’S TARGETS

DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and
used by the pro Russia hacktivist nationalist group NoName057(16) against
countries critical of the Russian invasion of Ukraine.

CTI
DDoS
Europe
Hacktivism
Amaury G., Charles M. and Threat & Detection Research Team - TDR June 29 2023


TABLE OF CONTENTS

 * Context
 * How the DDoSia Project works
   * Overview of channels used
   * Register and download sample
   * Execute the sample
 * DDoSia Project’s analysis: how to track the targets list
   * Network interactions
   * Reverse engineering on the sample
   * Analysis of the decrypted content
 * Analysis of targeted websites and countries
 * Conclusion
 * Indicators Of Compromise (IoCs)


CONTEXT

The DDoSia project was launched on Telegram in early 2022. As of June 2023, the
main NoName057(16) Telegram channel had more than 45,000 subscribers, while the
DDoSia project channels had over 10,000 users. The administrators post
instructions for volunteers who want to participate in projects, and they added
the option of paying contributors in cryptocurrency: users who declare a valid
TON wallet are rewarded according to their contribution to the DDoS attacks.


Figure 1. Development timeline of NoName057(16) and DDoSia Project

The administrators of the group as well as the community are very active. They
were notably observed conducting DDoS attacks against European, Ukrainian, and
U.S. websites of government agencies, media, and private companies. Regularly,
the group posts messages claiming successful attacks.

Figure 2. Message published on the NoName057(16) Telegram group, claiming a
successful attack against the French National Assembly and the Ukrainian
Cabinet of Ministers websites


DDoSia was initially written in Python, using CPU threads to issue several
network requests concurrently. Since the first version, DDoSia has relied on
HTTP for Command & Control (C2) communication, with JSON configurations
distributed by the C2 server, and it is available for several operating systems.
On 18 April 2023, Avast published an article analysing the network flow between
DDoSia users and the C2. On 19 April 2023, DDoSia administrators released a new
version of their sample that adds a mechanism to conceal the list of targets
transmitted from the C2 to the users. That mechanism is described in the
following sections.


HOW THE DDOSIA PROJECT WORKS


OVERVIEW OF CHANNELS USED

DDoSia’s main communication occurs via NoName057(16)’s Telegram channels: one in
Russian, with more than 45,000 subscribers, and a second in English. Users can
join the DDoSia Project group with the link hxxps://t[.]me/+fiTz615tQ6BhZWFi,
gaining access to 7 different channels. NoName057(16) also set up a Telegram
bot, separate from the DDoSia Project group and available at
hxxps://t[.]me/DDosiabot, which allows interaction via predefined commands. A
summary of these channels is given in Figure 3 below:

Figure 3. List of active channels of NoName057(16) and DDoSia Project

This figure includes an English translation of the channels, originally in
Russian.


REGISTER AND DOWNLOAD SAMPLE

The channel DDoSia – manuals + up-to-date malware includes a manual on the
actions that need to be carried out. The first step is to register via the
Telegram bot @DDosiabot. Although dedicated channels for English support exist,
the bot is only available in Russian.

Figure 4. Screenshot of the chat with @DDosiabot

After starting the discussion with the /start command, the bot requires a TON
wallet to receive cryptocurrency. As specified in the tutorials presented by the
administrators, it is possible to create a TON wallet from a Telegram Bot named
@CyptoBot.
Of note, no wallet was provided for this investigation. The bot then transmits
two files:

 * client_id.txt: a file containing the value that uniquely identifies a user.
   It is a bcrypt password hash: the $2a$16$ prefix denotes the bcrypt 2a
   variant with a cost factor of 16;
 * help.txt: a file with instructions on how to use the sample, as well as
   Telegram links to installation tutorials.

In addition, the bot can display statistics for the user’s own account as well
as aggregated statistics for all bot users, and it can regenerate the
client_id.txt file on request.

The next step is to retrieve the sample.

Figure 5. Screenshot of the sample

As shown in Figure 5, this is an archive in ZIP format, named d.zip, containing
the client sample. This investigation focuses on the archive released on 19
April 2023. The summary of its contents is available below:

Filename               Filetype
d_linux_amd64          ELF 64-bit LSB executable, x86-64
d_linux_arm            ELF 32-bit LSB executable, ARM
d_mac_amd64            Mach-O 64-bit x86_64 executable
d_mac_arm64            Mach-O 64-bit arm64 executable
d_windows_amd64.exe    PE32+ executable (console) x86-64, for Microsoft Windows
d_windows_arm64.exe    PE32+ executable (console) Aarch64, for Microsoft Windows

Table 1. Summary of the content of the ZIP file


EXECUTE THE SAMPLE

Once the user has all the necessary files to participate in DDoS attacks, the
client_id.txt file must be placed in the same folder as the selected executable.
In this example, Sekoia.io analysts used d_windows_amd64.exe. The sample runs as
a console application and displays the current number of targets as well as a
running summary of the network interactions carried out towards the targets.
The English translation of its output is as follows:

Go-Stresser version 1.0 | PID 5420 © NoName057(16)
__________________________________________________
Authorization passed successfully
Received targets: 54
Successful responses (http code 200): 0
Total responses received: 565
Total requests sent: 1432


DDOSIA PROJECT’S ANALYSIS

After downloading the necessary files, Sekoia.io analysts set up a dedicated
infrastructure to retrieve the list of targets.


NETWORK INTERACTIONS

After setting up the infrastructure, we performed network sniffing to check what
requests were sent between the client and the C2. The summary of network flow is
available in the diagram below:

Figure 6. Summary of the network flow between DDoSia user and DDoSia C2

When the malware is launched, it makes a POST request to hxxp://[IP]/client/login
to authenticate with the C2. The User-Hash header carries the content of the
client_id.txt file, starting with $2a$16$.

The Client-Hash header is a value generated by the sample from the SHA256 sum of
the machine’s UID and the PID of the malware process (the two parts are
separated by a colon in the capture below). The sample stores this value in a
folder named uid, located next to the executable.

POST /client/login HTTP/1.1
Host: 94[.]140.114.239
User-Agent: Go-http-client/1.1
Content-Length: 251
Client-Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxx
Content-Type: application/json
User-Hash: $2a$16$xxxxxxxxxxxxxxxxx
Accept-Encoding: gzip

{"location": "UER8zRkg[…]lQ6i8s="}

The C2 then confirms the authentication request and provides a token to the
client, as below:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Apr 2023 19:04:09 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 19
Connection: keep-alive
Vary: Origin
Access-Control-Allow-Origin:
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Link

1682xxxxxxxxxxxxxx

The client then sends a GET request to hxxp://[IP]/client/get_targets, this time
adding a Time header whose value is derived from the token just returned by the
C2, which the client modifies before sending it back.

GET /client/get_targets HTTP/1.1
Host: 94[.]140.114.239
User-Agent: Go-http-client/1.1
Client-Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxx
Content-Type: application/json
Time: 1682xxxxxxxxxxxxxx
User-Hash: $2a$16$xxxxxxxxxxxxxxxxx
Accept-Encoding: gzip

This time the C2 returns a JSON object with two fields: token, which is a
modified version of the previous token, and data, a base64-encoded encrypted
blob that contains the list of targets:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Apr 2023 19:04:15 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 69595
Connection: keep-alive
Vary: Origin
Access-Control-Allow-Origin:
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Link

{"token": 1682xxxxxxxxxxxxxx, "data": "Dm6CFMc9Lk4wrY2[…]XW2ZqF2CgzTboVEQ=="}

In this example the value of the data field is shortened, as its actual size is
around 70,000 characters. The next section details the encryption mechanism
protecting it.
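As an added example (not part of the original post), the following Go program turns the two captures above into a detection check: it parses raw HTTP requests with the standard library and flags the combination of the /client/ C2 paths with the custom User-Hash, Client-Hash and Time headers. The captures it runs on are constructed here with fake header values, since the real ones are redacted above, and the Client-Hash shape it looks for (a value containing a colon between the hash and the PID) is read from the redacted capture rather than confirmed by the post.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed captures shaped like the two requests above, with fake header
// values (the real ones are redacted), plus a benign Go client request that
// shares only the default User-Agent.
var sampleCaptures = []string{
	"POST /client/login HTTP/1.1\r\n" +
		"Host: 94.140.114.239\r\n" +
		"User-Agent: Go-http-client/1.1\r\n" +
		"Content-Length: 18\r\n" +
		"Client-Hash: " + strings.Repeat("0", 64) + ":5420\r\n" +
		"Content-Type: application/json\r\n" +
		"User-Hash: $2a$16$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234\r\n" +
		"Accept-Encoding: gzip\r\n" +
		"\r\n" +
		`{"location": "xx"}`,
	"GET /client/get_targets HTTP/1.1\r\n" +
		"Host: 94.140.114.239\r\n" +
		"User-Agent: Go-http-client/1.1\r\n" +
		"Client-Hash: " + strings.Repeat("0", 64) + ":5420\r\n" +
		"Content-Type: application/json\r\n" +
		"Time: 168245678901234567\r\n" +
		"User-Hash: $2a$16$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234\r\n" +
		"Accept-Encoding: gzip\r\n" +
		"\r\n",
	"GET /api/health HTTP/1.1\r\n" +
		"Host: 10.0.0.5\r\n" +
		"User-Agent: Go-http-client/1.1\r\n" +
		"Accept-Encoding: gzip\r\n" +
		"\r\n",
}

// verdict lists the indicators one request matched and whether, together, they
// amount to a DDoSia C2 beacon.
type verdict struct {
	Indicators []string
	Beacon     bool
}

// classifyRequest checks a raw HTTP request against the traffic pattern above.
// The Go default User-Agent is recorded but never sufficient on its own, since
// any Go program sends it; a beacon verdict needs a /client/ C2 path plus at
// least one of the custom headers (User-Hash with the bcrypt prefix,
// Client-Hash, Time).
func classifyRequest(raw string) (verdict, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return verdict{}, fmt.Errorf("parse request: %w", err)
	}
	var v verdict
	custom := 0
	path := req.URL.Path
	if path == "/client/login" || path == "/client/get_targets" {
		v.Indicators = append(v.Indicators, "path:"+path)
	}
	if strings.HasPrefix(req.Header.Get("User-Hash"), "$2a$16$") {
		v.Indicators = append(v.Indicators, "user-hash:bcrypt")
		custom++
	}
	if strings.Contains(req.Header.Get("Client-Hash"), ":") {
		v.Indicators = append(v.Indicators, "client-hash:present")
		custom++
	}
	if req.Header.Get("Time") != "" {
		v.Indicators = append(v.Indicators, "time:present")
		custom++
	}
	if req.UserAgent() == "Go-http-client/1.1" {
		v.Indicators = append(v.Indicators, "ua:go-default")
	}
	v.Beacon = strings.HasPrefix(path, "/client/") && custom > 0
	return v, nil
}

func main() {
	for _, raw := range sampleCaptures {
		v, err := classifyRequest(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("beacon=%-5v indicators=%v\n", v.Beacon, v.Indicators)
	}
}
```

The weighting matters in practice: Go-http-client/1.1 on its own would match every Go-based scanner, monitoring agent and CLI on the network, so the verdict is anchored on the C2 paths and the bcrypt-prefixed User-Hash, which have no legitimate reason to appear together.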


REVERSE ENGINEERING ON THE SAMPLE

At this stage, the retrieved list of targets is encrypted. This reverse
engineering analysis focuses on the d_windows_amd64.exe executable.

This version of DDoSia is written in Go. Unlike most Go binaries, this version
does not decompile cleanly: decompilation errors are observed. Focusing on the
functions that perform the HTTP requests and the decryption produces the
following graph:

Figure 7. Graph of instructions after decompilation in IDA software

In this graph, brown areas are instructions that the disassembler did not assign
to any function, and that therefore cannot be interpreted. Despite this, several
functions seem relevant. The first interesting function initialises a structure
holding the C2 IPv4 address and the different URLs to be requested:

Figure 8. Initiates a structure which contains IPs and URLs to request

Figure 9 is an extract of the GetTargets function. Authentication is performed
through the MakeClientLogin function; if it succeeds, a GET request is created
and sent, the JSON response is unmarshalled, and the Decrypt_AESGCM function is
called to recover the targets.

Figure 9. Initiates the GoStresser tool authentication

Figure 10 shows two functions that were automatically renamed
crypto/AES.NewCipher and crypto/AES.newGCMWithNonceAndTagSize. Their purpose is
to set up the AES-GCM cipher.

Figure 10. Initiate the AES encryption

This first step allowed Sekoia.io analysts to establish that the data is AES-GCM
encrypted. Statically, however, the derivation of the key and of the IV was
difficult to follow, so a dynamic analysis approach was chosen instead.

As a reminder, the client receives a JSON object with two fields: an integer
named token and a base64-encoded field named data. Dynamic analysis allowed the
calculation of all the values needed to decrypt the data:

 * Key calculation:
   * The value of the token is divided by 5 (integer division);
   * The resulting quotient is appended to the User-Hash (the string beginning
     with $2a$16$);
   * The last 32 characters of the resulting string are used, byte for byte, as
     the 256-bit AES key.

 * IV (nonce) calculation:
   * Base64-decode the data field;
   * Take the first 12 bytes.

 * Tag calculation:
   * Base64-decode the data field;
   * Take the last 16 bytes.

Finally, the ciphertext is what remains of the decoded data once the first 12
bytes (the nonce) and the last 16 bytes (the tag) are removed. Decrypting it with
AES-GCM under this key and nonce, and verifying it against the tag, yields the
plain-text value of the data field.
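Putting the steps above together, here is an added example (written for this edit, not code from the post or from the DDoSia authors) of the decryption in Go, the language the sample itself is written in. It reads the derivation literally: integer-divide the token by 5, append the quotient to the User-Hash string, take the last 32 characters as the AES-256 key, then split the base64-decoded data into a 12-byte nonce, the ciphertext and a 16-byte tag, which is exactly the layout Go's crypto/cipher GCM works with. Because no real C2 response is reproduced here, the block also carries a constructed encryption function standing in for the server, and uses a fake 60-character string shaped like a bcrypt hash and a fake 18-digit token; none of these values come from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strconv"
)

const (
	nonceSize = 12 // first 12 bytes of the decoded data field (the IV)
	tagSize   = 16 // last 16 bytes of the decoded data field (the GCM tag)
	keySize   = 32 // 32 key bytes, i.e. AES-256
)

// deriveKey follows the derivation described above: the token is divided by 5
// (integer division), the quotient is appended to the User-Hash string, and the
// last 32 characters of the result are used byte for byte as the AES key.
func deriveKey(userHash string, token int64) ([]byte, error) {
	material := userHash + strconv.FormatInt(token/5, 10)
	if len(material) < keySize {
		return nil, fmt.Errorf("key material is %d bytes, need %d", len(material), keySize)
	}
	return []byte(material[len(material)-keySize:]), nil
}

// newGCM builds the AES-256-GCM instance for one (User-Hash, token) pair.
func newGCM(userHash string, token int64) (cipher.AEAD, error) {
	key, err := deriveKey(userHash, token)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag, matching the sample
}

// decryptTargets base64-decodes the data field, splits off the nonce and hands
// ciphertext || tag to GCM. The tag is authenticated, so a wrong User-Hash or
// token, or a tampered blob, yields an error instead of garbage plaintext.
func decryptTargets(userHash string, token int64, data string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return nil, fmt.Errorf("base64 decode: %w", err)
	}
	if len(raw) < nonceSize+tagSize {
		return nil, fmt.Errorf("%d-byte blob cannot hold a nonce and a tag", len(raw))
	}
	gcm, err := newGCM(userHash, token)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, raw[:nonceSize], raw[nonceSize:], nil)
}

// encryptLikeC2 is a constructed stand-in for the server side so the example
// runs offline (the real C2 code is not available). It applies the same key
// derivation and emits nonce || ciphertext || tag, base64-encoded.
func encryptLikeC2(userHash string, token int64, plaintext []byte) (string, error) {
	gcm, err := newGCM(userHash, token)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext || tag to the nonce, giving the expected layout.
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// Constructed, non-functional stand-ins: a 60-character string shaped like a
// bcrypt hash ($2a$16$ + 22-character salt + 31-character digest) and an
// 18-digit token like the redacted one in the capture above.
const (
	sampleUserHash = "$2a$16$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
	sampleToken    = int64(168245678901234567)
)

func main() {
	plain := []byte(`{"randoms":[],"targets":[{"host":"example.invalid","port":443}]}`)
	data, err := encryptLikeC2(sampleUserHash, sampleToken, plain)
	if err != nil {
		panic(err)
	}
	out, err := decryptTargets(sampleUserHash, sampleToken, data)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %d bytes: %s\n", len(out), out)
}
```

Two properties of the scheme are visible here. The key depends on the token the C2 just issued, so a captured data blob cannot be decrypted with a User-Hash alone; the token from the same exchange is needed. And because GCM authenticates the tag, any error in the derivation (wrong division, wrong slice of the hash) shows up as an authentication failure rather than as plausible-looking garbage, which is what makes the dynamic-analysis findings above easy to confirm.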


ANALYSIS OF THE DECRYPTED CONTENT

Once decrypted, the data turns out to be a JSON dictionary with two top-level
fields: randoms and targets. The targets field is an array of objects, one per
target, each with the following fields:

TARGETS FIELD



{
  "target_id": "645026fc0c81901a3b3aa4f5",
  "request_id": "645026fd0c81901a3b3aa4f6",
  "host": "id[.]kyivcity.gov.ua",
  "ip": "104[.]18.20.41",
  "type": "http",
  "method": "POST",
  "port": 443,
  "use_ssl": true,
  "path": "/login/email",
  "body": {
    "type": "str",
    "value": "login=$_1%40gmail.com\u0026password=$-1"
  },
  "headers": null
}



In addition to the IPv4 address, these fields describe the exact URL to hit
(host, port, TLS usage, HTTP method and path). For some targets, content is also
added to the DDoS request through the body field, as in the JSON above.

RANDOMS FIELD

This field is a list of specifications that appear to be used to generate random
strings inserted into the sent requests. In the example below, the name "Все
персонажи 6-12" translates to "All characters 6-12":

{
  "name": "Все персонажи 6-12",
  "id": "62d8fccfb44b5774ee96ec0a",
  "digit": true,
  "upper": true,
  "lower": true,
  "min": 6,
  "max": 12
}

In the target example above, the body["value"] field contains variables such as
$_1 or $-1 that appear to be replaced by these random strings. It is highly
likely that this random data generation is meant to defeat caching mechanisms
(CDN or reverse-proxy caches) in front of the targeted website, by making each
request different from the previous ones so that every request reaches the
origin server.
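To make the mechanism concrete, here is an added example (written for this edit, not code from the post or from NoName057(16)) in Go that parses the two JSON fragments above and renders the body value the way the post suggests: each $_N or $-N placeholder is replaced by a fresh string satisfying the randoms entry (digits plus upper- and lower-case letters, 6 to 12 characters long). That every placeholder draws from the same randoms entry is an assumption made here; the post only says the variables appear to be replaced by such strings. The fragments are re-typed with straight quotes so they parse; the \u0026 escape is how JSON encodes & and decodes back to it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/rand"
	"regexp"
)

// randomSpec mirrors one entry of the randoms field shown above.
type randomSpec struct {
	Digit bool `json:"digit"`
	Upper bool `json:"upper"`
	Lower bool `json:"lower"`
	Min   int  `json:"min"`
	Max   int  `json:"max"`
}

// requestBody mirrors the body object of a target entry.
type requestBody struct {
	Value string `json:"value"`
}

// The randoms entry and the body object from the JSON above, re-typed with
// straight quotes so they parse (constructed input for this example).
const (
	sampleRandom = `{"name":"Все персонажи 6-12","id":"62d8fccfb44b5774ee96ec0a","digit":true,"upper":true,"lower":true,"min":6,"max":12}`
	sampleBody   = `{"type":"str","value":"login=$_1%40gmail.com\u0026password=$-1"}`
)

// placeholder matches the $_N and $-N variables seen in body values.
var placeholder = regexp.MustCompile(`\$[_-]\d+`)

// randomString draws one string satisfying a randoms entry: length between min
// and max inclusive, alphabet assembled from the digit/upper/lower flags.
func randomString(spec randomSpec, rng *rand.Rand) (string, error) {
	alphabet := ""
	if spec.Digit {
		alphabet += "0123456789"
	}
	if spec.Upper {
		alphabet += "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	}
	if spec.Lower {
		alphabet += "abcdefghijklmnopqrstuvwxyz"
	}
	if alphabet == "" || spec.Min < 0 || spec.Max < spec.Min {
		return "", fmt.Errorf("unusable randoms entry: min=%d max=%d", spec.Min, spec.Max)
	}
	out := make([]byte, spec.Min+rng.Intn(spec.Max-spec.Min+1))
	for i := range out {
		out[i] = alphabet[rng.Intn(len(alphabet))]
	}
	return string(out), nil
}

// renderBody replaces every placeholder in a body value with a fresh random
// string. Assumption not stated in the post: all placeholders draw from the
// single randoms entry passed in.
func renderBody(value string, spec randomSpec, rng *rand.Rand) (string, error) {
	var firstErr error
	rendered := placeholder.ReplaceAllStringFunc(value, func(string) string {
		s, err := randomString(spec, rng)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return s
	})
	return rendered, firstErr
}

// renderSample parses the constructed fragments and renders the body n times.
func renderSample(n int, seed int64) ([]string, error) {
	var spec randomSpec
	var body requestBody
	if err := json.Unmarshal([]byte(sampleRandom), &spec); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(sampleBody), &body); err != nil {
		return nil, err
	}
	rng := rand.New(rand.NewSource(seed))
	bodies := make([]string, 0, n)
	for i := 0; i < n; i++ {
		s, err := renderBody(body.Value, spec, rng)
		if err != nil {
			return nil, err
		}
		bodies = append(bodies, s)
	}
	return bodies, nil
}

func main() {
	bodies, err := renderSample(3, 1)
	if err != nil {
		panic(err)
	}
	for _, b := range bodies { // same target, three different request bodies
		fmt.Println(b)
	}
}
```

Running it prints three login bodies for the same target that differ only in the two random fields, which is the property that matters on the defensive side: a cache in front of /login/email sees three distinct POST bodies, and a WAF rule keyed on a fixed payload would miss all of them, whereas the surrounding structure (login=...%40gmail.com&password=...) stays constant and is what a signature should key on.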




ANALYSIS OF TARGETED WEBSITES AND COUNTRIES

After the values sent by the DDoSia C2 server were successfully decrypted, TDR
analysts developed a tool that automatically gathers the targeted domains,
enabling a victimology analysis. The following section analyses the data
collected over the period from 8 May to 26 June 2023.

The following graph shows the most targeted countries, based on the TLD of the
targeted URLs. Generic TLDs that are not tied to a country (.com, .info, .net,
.org, .space) are excluded.
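The aggregation described above, as an added example in Go (written for this edit, not the TDR team's own tool): it parses a decrypted targets array, deduplicates hosts, drops the generic TLDs the post excludes along with targets given only as an IP address, and counts distinct hosts per country-level TLD. The sample list is constructed for this example from hosts named on this page plus invented hosts under example.* domains and TEST-NET addresses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strings"
)

// target keeps the fields of a decrypted target entry needed for victimology.
type target struct {
	TargetID string `json:"target_id"`
	Host     string `json:"host"`
	IP       string `json:"ip"`
	Port     int    `json:"port"`
	Path     string `json:"path"`
}

// genericTLDs are the suffixes the analysis excludes because they carry no
// country information.
var genericTLDs = map[string]bool{"com": true, "info": true, "net": true, "org": true, "space": true}

// Constructed sample in the shape of the decrypted targets array: hosts named
// on this page plus invented example.* hosts and TEST-NET addresses.
const sampleTargets = `[
 {"target_id":"t1","host":"id.kyivcity.gov.ua","ip":"104.18.20.41","port":443,"path":"/login/email"},
 {"target_id":"t2","host":"zno.testportal.com.ua","ip":"198.51.100.10","port":443,"path":"/"},
 {"target_id":"t3","host":"portal.example.fr","ip":"198.51.100.11","port":443,"path":"/"},
 {"target_id":"t4","host":"portal.example.fr","ip":"198.51.100.11","port":443,"path":"/login"},
 {"target_id":"t5","host":"news.example.lt","ip":"198.51.100.12","port":80,"path":"/"},
 {"target_id":"t6","host":"cdn.example.com","ip":"198.51.100.13","port":443,"path":"/"},
 {"target_id":"t7","host":"203.0.113.7","ip":"203.0.113.7","port":80,"path":"/"}
]`

func parseTargets(data []byte) ([]target, error) {
	var targets []target
	err := json.Unmarshal(data, &targets)
	return targets, err
}

// tldOf returns the lowercase last label of a hostname, or "" for IP literals
// and single-label names, which carry no country information.
func tldOf(host string) string {
	h := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(host), "."))
	if h == "" || net.ParseIP(h) != nil {
		return ""
	}
	dot := strings.LastIndex(h, ".")
	if dot < 0 {
		return ""
	}
	return h[dot+1:]
}

// countryTLDCounts counts distinct hosts per country-level TLD. Hosts are
// deduplicated first because the list may carry several request variants for
// the same site; generic TLDs and IP-only targets are skipped.
func countryTLDCounts(targets []target) map[string]int {
	seen := map[string]bool{}
	counts := map[string]int{}
	for _, t := range targets {
		host := strings.ToLower(strings.TrimSpace(t.Host))
		if seen[host] {
			continue
		}
		seen[host] = true
		if tld := tldOf(host); tld != "" && !genericTLDs[tld] {
			counts[tld]++
		}
	}
	return counts
}

// rankTLDs orders TLDs by descending count, ties alphabetically, for reporting.
func rankTLDs(counts map[string]int) []string {
	ranked := make([]string, 0, len(counts))
	for tld := range counts {
		ranked = append(ranked, tld)
	}
	sort.Slice(ranked, func(i, j int) bool {
		if counts[ranked[i]] != counts[ranked[j]] {
			return counts[ranked[i]] > counts[ranked[j]]
		}
		return ranked[i] < ranked[j]
	})
	return ranked
}

func main() {
	targets, err := parseTargets([]byte(sampleTargets))
	if err != nil {
		panic(err)
	}
	counts := countryTLDCounts(targets)
	for _, tld := range rankTLDs(counts) {
		fmt.Printf(".%-5s %d distinct host(s)\n", tld, counts[tld])
	}
}
```

Note that the last label is used, not the registrable suffix: zno.testportal.com.ua counts under .ua, which is why a host such as that one lands in the Ukrainian share even though it contains "com". Deduplicating on host rather than on target_id mirrors the post's count of 486 distinct websites, since one site can appear under several request variants.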

Figure 11. Percentage of top-level domain by targeted countries

Based on this graph, we clearly see that the pro-Kremlin hacktivist group
NoName057(16) primarily focuses on Ukraine and NATO countries, including the
Eastern Flank (Lithuania, Poland, Czech Republic and Latvia). It is highly
likely that this stems from the fact that these countries are the most vocal in
public declarations against Russia and in support of Ukraine, as well as
providing military support and capabilities.

A second group, mostly Western countries, is the secondary DDoSia target,
including France, the United Kingdom, Italy, Canada and other EU countries,
almost certainly as they supported Ukraine both politically, militarily and
economically since the beginning of the conflict.

Sekoia.io’s in-house tool identified a total of 486 distinct targeted websites.
The following graph shows the top 50:

Figure 12. Top 50 targeted websites

From 8 May to 26 June 2023, a few conclusions can be drawn:

 * The top 2 targets are Ukrainian websites, targeted twice as often as the
   others. The first, zno.testportal.com[.]ua, is related to
   testportal.gov[.]ua, the website of the Ukrainian Center for Educational
   Quality Assessment, a state institution that delivers the external
   independent evaluation of students.

 * The second domain, e-journal.iea.gov[.]ua, is an online education platform
   created by the Ukrainian government in response to COVID restrictions.

Based on this statistical observation, Sekoia.io analysts assess it is plausible
that NoName057(16) targeted education-related resources during the exam period
(May and June), to maximize the media coverage of their DDoS operation.

Among the other impacted domains, we identify multiple economic sectors,
including education, finance and transport, as well as governmental entities.
Two of the top 10 targets are related to the financial sector: the AXA bank (top
5) and the BPCE group (top 7). Public entities such as the French Senate or the
Italian government can also be found among the most targeted websites.
Similarly, several domains belonging to the French transport group RATP were
actively targeted.

PMC WAGNER WEBSITES TARGETED

Sekoia.io analysts observed that the only targets throughout 24 June 2023 were
wagnercentr[.]ru and wagner2022[.]ru, coinciding with the attempted offensive by
the Wagner group in Russia. This is the first observed campaign against a single
victim, as the NoName057(16) group usually targets an average of 15 different
victims per day. Another notable difference is that, unlike for other victims,
the attackers did not communicate about this attack on their Telegram channel.



As a nationalist hacktivist group, NoName057(16) is very reactive to political
communication. For example, on 21 June 2023, shortly after French president
Macron announced the upcoming delivery of an air defence system to Kiev, our
tool detected multiple targets related to the French transport group RATP:
www.ratp[.]fr, www.ratp-m2e[.]fr, mutuelleratp[.]fr, www.cgt-ratp[.]fr and
www.transfert-ratp[.]fr. This reaction likely reflects NoName057(16)’s stance of
quickly and systematically conducting campaigns in retaliation for what they
perceive as a provocation or an offence to Russia.

Figure 13. Screenshot of a Telegram message from NoName057(16) channel,
published on 21 June 2023

The English translation of the body of this message is as follows:


🔻Macron smiled blissfully and announced that the SAMP/T anti-aircraft missile
system was delivered to Ukrainian neo-Nazis and is ready for use.
This weapon, which France supplies jointly with Italy (“Macron-Macaron” is
something like that😉) as a result, of course, will be either taken away or
destroyed by the Russian troops, so the French president is happy about it…😈


CONCLUSION

The NoName057(16) group continues to update the DDoSia Project. Sekoia.io
analysts’ observations concur with Avast’s analysis and provide an update on the
newly implemented encryption mechanism.

NoName057(16) is making efforts to make their malware compatible with multiple
operating systems, almost certainly reflecting their intent to make their
malware available to a large number of users, resulting in the targeting of a
broader set of victims.

Sekoia.io analysts assess that strengthening the security of their software is
part of NoName057(16)’s efforts to continuously develop their capabilities,
almost certainly driven by their active community as well as the increasing
scrutiny of their activities from the CTI community. It is highly likely we will
observe further developments in the short term.




INDICATORS OF COMPROMISE (IOCS)

IoC Name               Info             SHA256 sum
d_linux_amd64          DDoSia malware   761075da6b30bb2bcbb5727420e86895b79f7f6f5cebdf90ec6ca85feb78e926
d_linux_arm            DDoSia malware   fae9b6df2987b25d52a95d3e2572ea578f3599be88920c64fd2de09d1703890a
d_mac_amd64            DDoSia malware   8e1769763253594e32f2ade0f1c7bd139205275054c9f5e57fefd8142c75441f
d_mac_arm64            DDoSia malware   9a1f1c491274cf5e1ecce2f77c1273aafc43440c9a27ec17d63fa21a89e91715
d_windows_amd64.exe    DDoSia malware   726c2c2b35cb1adbe59039193030f23e552a28226ecf0b175ec5eba9dbcd336e
d_windows_arm64.exe    DDoSia malware   7e12ec75f0f2324464d473128ae04d447d497c2da46c1ae699d8163080817d38
94[.]140.114.239       DDoSia C2        N/A



Thank you for reading this blogpost. We welcome any reaction, feedback or
critics about this analysis. Please contact us on tdr[at]sekoia.io


