Dark Frost Botnet: the silent threat behind gaming industry disruptions
Unmasking the perpetrator behind the threat: a comprehensive dissection of its devastating structure, goals, and capabilities
Unusual activity from a specific application piqued the interest of Akamai, prompting an investigation. After noticing a series of unusual HTTP requests and binaries labeled "roof", Akamai began technical analysis. While initial scans using various third-party tools failed to reveal any malicious characteristics, Akamai's internal automation identified similarities to the known malware family Gafgyt. Further investigation unearthed other binaries with the same name and author, all dating back to October 2022. By pivoting to the IP address linked to these binaries, the company uncovered evidence of repeated attempts to deliver malicious payloads. The Dark Frost botnet was thus identified, and the actor behind the malware was discovered through thorough analysis of the strings within the files. In various social media posts, this actor has even been cheeky enough to take credit for their creation.
Impact and goals of the Dark Frost botnet
Dark Frost has been particularly damaging to the gaming industry, targeting businesses, game hosting platforms, online streamers, and even individual gamers. Sometimes the attacks were for notoriety, other times to settle personal disputes. In a bold display of audacity, the threat actor has often publicly shared the success of their attacks on social media platforms, even uploading videos of the attacks in action. A prime example was an attack on Plutonium servers, a well-known game hosting platform. Akamai has been tracking the actor's activity since May 2022, and there are clear signs of intent to ramp up operations and establish an attack group, evidenced by a newly created website and Discord channel offering attacks for cash bounties.
Uncover the technicalities of the Dark Frost botnet
A February 2023 screenshot revealed the size of the Dark Frost botnet: 414 devices, predominantly running on the older ARMv4 architecture. The analysts' focus then shifted to understanding how the botnet works. Extracting the payload from the honeypot logs and dissecting the binary file revealed a stripped-down x86-64 version of the malware. Stripping was a hurdle for reverse engineering, but a series of error messages and usage indicators helped decipher its structure. The malware could launch eight different types of attacks, including UDP and TCP floods. The botnet appears to originate from the Linux-based Qbot malware, a descendant of BASHLITE, which shares traits with malware strains such as Gafgyt, Lizkebab, PinkSlip, Torlus, and LizardStresser.
Implications and consequences for the cybercriminal
Akamai's final step was to understand the potential damage the botnet could cause. Through a series of tests, the company determined that the botnet could produce a data stream of 1.52 Gbps from a single node. Multiplied by the 414 nodes in the botnet, this gives a staggering potential output of 629.28 Gbps. This case serves as a reminder that even seemingly insignificant cybercriminals can cause significant disruption, even as the legal penalties for such activities become increasingly severe. Efforts like Operation PowerOFF highlight the growing global push to crack down on cybercrime. Organizations should recognize that, whatever legal consequences attackers may face, they still need adequate defensive measures in place. While the Dark Frost botnet is not the most advanced cyberthreat, it has still caused significant disruption, and it highlights the damage that cybercriminals operating behind the veil of the Internet can inflict.
06/13/2023 08:44
Marco Verro