
DDoSia evolves: new version threatens global cybersecurity

Upgraded DDoSia attack tool obscures targets, expands reach, and heightens the cyber threat landscape across multiple nations and industries

The DDoSia attack tool, linked to a pro-Russian hacker group, has been updated to fetch a concealed list of target websites from command servers, escalating cybersecurity threats. Originally designed for distributed denial-of-service attacks, DDoSia now has an increasingly broad and global range of victims. The tool's distribution is automated via Telegram. Experts warn its development reflects a drive to diversify victims and expand user bases, posing significant concern for global cybersecurity.

The threat actors behind the DDoSia attack tool have developed a new version with a new mechanism for fetching the list of target websites, which are then overwhelmed with a flood of unwanted HTTP requests in a bid to incapacitate them. This updated variant, written in Golang, adds an extra layer of security to conceal its list of targets: the list is securely transmitted from the command-and-control servers to the users, says Sekoia, a cybersecurity firm.

The origin and targets of DDoSia

The DDoSia tool is associated with NoName057(16), a pro-Russian hacker group, and is a successor of the infamous Bobik botnet. It was launched in 2022 and designed to perform distributed denial-of-service (DDoS) attacks. Its main targets have been countries in Europe, as well as Australia, Canada, and Japan. From May 8 to June 26, 2023, the most frequently targeted countries were Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland. Overall, a total of 486 different websites were affected.

The evolution and distribution of DDoSia

Python and Go-based versions of DDoSia have been discovered so far. This cross-platform functionality allows it to operate on Windows, Linux, and macOS systems. As SentinelOne explains, DDoSia is a multi-threaded application that launches denial-of-service attacks on target websites by continuously sending network requests, as dictated by a configuration file that the malware receives from a C2 server upon activation. DDoSia's distribution happens via an entirely automated process on Telegram. It offers people the opportunity to participate in a crowdsourced initiative by paying a cryptocurrency fee and receiving a ZIP archive with the attack toolkit.

Implications and reactions to the new DDoSia version

The latest version of DDoSia is notable for using encryption to hide the list of targets, indicating that its operators actively maintain the tool. NoName057(16) is striving to make their malware cross-platform, reflecting their ambition to widen their user base and target a more diverse victim pool, observes Sekoia. This development coincides with a warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about targeted DoS and DDoS attacks on organizations across various sectors. The threat is serious, causing substantial time, money, and reputational losses while services and resources are unreachable. Additionally, a group named Anonymous Sudan has claimed responsibility for recent cyberattacks, although cybersecurity experts believe it's a front for pro-Kremlin activities. This group has vehemently denied links with Russia but admitted their interests align. They also stated they target "everything that is hostile to Islam." Despite the uncertainty around their origin, the activities of this group and the evolution of tools like DDoSia pose a significant threat to global cybersecurity.


07/04/2023 17:54

Marco Verro
