360 Netlab Blog - Network Security Research Lab at 360, July 5, 2024
Fodcha, a new DDos botnet

CNCERT and 360netlab discovered Fodcha, a rapidly spreading DDoS botnet with more than 10,000 daily active bots in China and many victims. The article covers its size, spread method, functions and network communication.

🦾 Fodcha is a fairly large botnet: from March 29 to April 10, 2022, its total number of unique bots (IPs) exceeded 62,000, with about 10,000 active per day. Domestic bots come mainly from Shandong, Liaoning and Zhejiang provinces, and their service providers are China Unicom, China Telecom and China Mobile.

🚀 Fodcha spreads mainly through NDay vulnerabilities and weak Telnet/SSH passwords, and a brute-force tool named Crazyfia is used to install Fodcha samples on vulnerable devices.

💻 Fodcha's functions include checking runtime parameters, decrypting key configuration data, disguising the process name and establishing communication with the C2. It uses a multiple-XOR encryption method to protect key configuration such as the C2 data.

📶 Fodcha's network communication with the C2 goes through several rounds of interaction, including computing a checksum, generating a key and nonce, and encrypting with the Chacha20 algorithm. After successful registration the bot waits for C2 instructions, which include heartbeat, DDoS attack and exit.

Overview

Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big: in China alone there are more than 10,000 daily active bots (IPs), and more than 100 DDoS victims are targeted on a daily basis. We named the botnet Fodcha because of its initial use of the C2 domain name folded.in and its use of the chacha algorithm to encrypt network traffic.

Botnet size

From March 29 to April 10, 2022, the total number of unique Fodcha bots (IPs) exceeded 62,000, and the daily number fluctuates around 10,000. A daily breakdown is shown below.

Netlab note: Based on direct data from the security community that we worked with, the number of daily live bots is more than 56,000.

When we look at the domestic data, the top provinces that the bots come from are Shandong (12.9%), Liaoning (11.8%) and Zhejiang (9.9%). The service providers these bots originate from are China Unicom (59.9%), China Telecom (39.4%) and China Mobile (0.5%).

Spread method

Fodcha mainly spreads through the following NDay vulnerabilities and Telnet/SSH weak passwords.

Netlab note: We observed that a brute-force cracking tool we named Crazyfia appears on the same downloader server as Fodcha. The scan results of this tool are used by the Fodcha author to install Fodcha samples on the vulnerable devices.

List of main vulnerabilities:

Sample Analysis

The Fodcha botnet includes samples targeting mips, mpsl, arm, x86 and other CPU architectures. In the past 3 months, the Fodcha samples we captured can be divided into two versions, v1 and v2. Their main functions are almost the same. By cross-referencing the different versions, we can tell that the Fodcha operators are really trying to hide their C2s and to load-balance among them.

Version  Chacha20  C2 format   C2               Mapping (Domain<-->IP)  Mapping (IP<-->Port)
v1       yes       plaintext   folded.in        1:N                     N:1
v2       yes       ciphertext  fridgexperts.cc  1:N                     N:10

The latest v2 sample for the x86 CPU architecture is selected as the main object of analysis in this paper. Its basic information is as follows:

MD5: 8ea56a9fa9b11b15443b369f49fa9719
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Packer: None

Fodcha's function is simple. When it executes on the compromised device, it first checks the runtime parameters. When there are no parameters, it exits; Fodcha does this as a simple countermeasure against sandboxes. When parameters are present, it first decrypts the key configuration data, which includes sensitive information such as the C2s. It then prints "here we are" on the console and uses a random string to disguise the process name. Finally, communication with the C2 is established. The following sections focus on Fodcha's decryption method and its network communication.

Decrypting key configurations

Fodcha uses a multiple-XOR encryption method to protect its key configuration such as the C2 data. The corresponding Python implementation is shown below, taking the ciphertext EB D3 EB C9 C2 EF F6 FD FD FC FB F1 A3 FB E9 from the sample as an example. After decryption we get Fodcha's C2: fridgexperts.cc.

```python
# Ciphertext taken from the sample, and the XOR key the sample carries
cipher = [0xEB, 0xD3, 0xEB, 0xC9, 0xC2, 0xEF, 0xF6, 0xFD,
          0xFD, 0xFC, 0xFB, 0xF1, 0xA3, 0xFB, 0xE9]
key = [0x66, 0x4A, 0x69, 0x46, 0x4E, 0x61, 0x65, 0x66, 0x73, 0x65,
       0x64, 0x69, 0x66, 0x73, 0x61, 0x69, 0x66, 0x73, 0x69, 0x00]

tmp = []
# Round 1: XOR each ciphertext byte with the key byte at the same position,
# reduce modulo 0xff, then XOR with the constant 0xbe
for i in range(len(cipher)):
    tmp.append((cipher[i] ^ key[i]) % 0xff ^ 0xbe)
# Round 2: XOR every byte with every key byte in turn
for i in range(len(tmp)):
    for j in key:
        tmp[i] ^= j
out = ''.join(chr(i) for i in tmp)
print(out)  # fridgexperts.cc
```

Network communication

Fodcha establishes a connection with the C2 through the following code fragment, where each DNS A record IP of the C2 domain corresponds to ports in an N:10 mapping. Once the connection is successfully established with the C2, the bot must go through five rounds of interaction with the C2 before it can actually communicate with it. We use arm as the packet string, which generates the network traffic shown in the following figure. Let us elaborate on how this traffic is generated.

Step 1: Bot-->C2 (fixed length 5 bytes)

The hard-coded ee 00 00 is run through the TCP/IP checksum method to get the 2-byte checksum value 0xff11, which is filled into the last 2 bytes.

```python
def checksum(data):
    """TCP/IP-style one's-complement checksum over little-endian 16-bit words.
    data is a bytes object; a trailing odd byte is added without shifting."""
    s = 0
    n = len(data) % 2
    for i in range(0, len(data) - n, 2):
        s += data[i] + (data[i + 1] << 8)
    if n:
        s += data[-1]  # the trailing odd byte
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xffff
```

Step 2: C2-->Bot (2 times; the first 32 bytes, the second 12 bytes)

Note that the key and nonce are generated by the C2 side; they are not fixed.

The 32 bytes at the beginning are the chacha20 key:
26 14 2d 4d 58 d2 9e 26 67 98 bc e4 ef 69 b9 04
e6 d0 73 17 5c 4f 71 33 9f 97 18 f7 31 8d d4 d6

The 12 bytes at the end are the chacha20 nonce:
2f 8a 5c da 57 50 a6 64 d7 98 f5 5d

Step 3: Bot-->C2 (fixed length 5 bytes)

The hard-coded 55 00 00 is run through the checksum to get the checksum value 0xffaa, which is filled into the last 2 bytes to give 55 00 00 aa ff. This is then encrypted with the chacha20 algorithm using 1 round, giving 99 9e 95 f6 32.

Step 4: C2-->Bot (fixed length 5 bytes)

At this point, if the 5 bytes received begin with 0x55 and the last 2 bytes are the checksum value, the previous interaction was correct; the bot enters Step 5 and starts sending the packet information.

Step 5: Bot-->C2 (2 times; the first 5 bytes, the second the grouping)

First time: the hard-coded fe 00 00 has its third byte set to the grouping length, becoming fe 00 03; the checksum value 0xfefe is calculated and filled into the tail to get fe 00 03 fe fe.

Second time: the grouping string arm is encrypted with chacha20 using 1 round, giving ad ec f8.

At this point the bot is successfully registered and waits to execute the instructions issued by the C2. The instruction codes and their meanings are shown below:

- 0x69, Heartbeat
- 0xEB, DDoS Attack
- 0xFB, Exit

C2 Tracking

Our botnet tracking system data shows that Fodcha has been launching DDoS attacks non-stop since it came online, with the following trends in attack targets.

As you can see, the DDoS behavior of this family is very active:

- The most active attack day was 2022-03-01, with over 130k attack commands recorded.
- In the most recent week, the average daily attack command count exceeded 7k, targeting 100+ DDoS victims.

At the same time, from the DNS perspective we can also clearly see that the C2 domain of this family turned over around 2022-03-19, corresponding to the shift from v1 to v2 described in the sample analysis section.

Netlab note: The shift from v1 to v2 happened because the C2 servers of the v1 version were shut down by their cloud vendor, so Fodcha's operators had no choice but to re-launch v2 and update the C2.
The new C2 is mapped to more than a dozen IPs distributed across multiple countries, including the US, Korea, Japan and India, and involves more cloud providers such as Amazon, DediPath, DigitalOcean, Linode and many others.

IoC

Sample Hash (md5)

Download Links

C2 domain
folded.in
fridgexperts.cc

Readers are always welcome to reach us on Twitter or to email us at netlab at 360 dot cn.
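The registration handshake described in the Network communication section, as an added defender-side example that is not code from the post or from the Fodcha sample: it validates the plaintext 5-byte control frames (opcode, two argument bytes, little-endian checksum of the first three bytes) and walks a captured bot<->C2 exchange to confirm the five steps. The exchange is constructed from the byte values quoted in the post; the step-4 C2 reply is not given there, so a placeholder stands in for it, and the ChaCha20-encrypted frames are only length-checked.

```python
# Added example, not code from the 360netlab post: decoder for Fodcha's
# plaintext control frames plus a matcher for the 5-step registration exchange.

def checksum(data: bytes) -> int:
    """One's-complement sum over little-endian 16-bit words; an odd trailing
    byte is added unshifted. Gives 0xff11 for ee 00 00."""
    s = 0
    for i in range(0, len(data) - len(data) % 2, 2):
        s += data[i] | (data[i + 1] << 8)
    if len(data) % 2:
        s += data[-1]
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def parse_frame(frame: bytes):
    """Return (opcode, arg_bytes) if the 5-byte frame carries a valid
    little-endian checksum of its first 3 bytes, else None."""
    if len(frame) != 5 or int.from_bytes(frame[3:], "little") != checksum(frame[:3]):
        return None
    return frame[0], frame[1:3]

def match_handshake(msgs):
    """msgs: ordered (direction, payload) pairs, direction 'bot' or 'c2'.
    Returns the key, nonce and group info on a match, else None."""
    expected_dirs = ["bot", "c2", "c2", "bot", "c2", "bot", "bot"]
    if len(msgs) < 7 or [d for d, _ in msgs[:7]] != expected_dirs:
        return None
    m = [p for _, p in msgs[:7]]
    if parse_frame(m[0]) != (0xEE, b"\x00\x00"):   # step 1: ee 00 00 11 ff
        return None
    if len(m[1]) != 32 or len(m[2]) != 12:          # step 2: key, then nonce
        return None
    if len(m[3]) != 5 or len(m[4]) != 5:            # steps 3-4: encrypted 5-byte frames
        return None
    hdr = parse_frame(m[5])                         # step 5a: fe 00 <len> + checksum
    if hdr is None or hdr[0] != 0xFE or len(m[6]) != hdr[1][1]:
        return None                                 # step 5b must be <len> bytes
    return {"key": m[1], "nonce": m[2], "group_len": hdr[1][1], "group_ct": m[6]}

# Constructed exchange from the values quoted in the post; the step-4 reply
# is not given there, so a 5-byte placeholder stands in for it.
KEY = bytes.fromhex("26142d4d58d29e266798bce4ef69b904e6d073175c4f71339f9718f7318dd4d6")
NONCE = bytes.fromhex("2f8a5cda5750a664d798f55d")
SAMPLE = [("bot", bytes.fromhex("ee000011ff")), ("c2", KEY), ("c2", NONCE),
          ("bot", bytes.fromhex("999e95f632")), ("c2", b"\x00" * 5),
          ("bot", bytes.fromhex("fe0003fefe")), ("bot", bytes.fromhex("adecf8"))]

if __name__ == "__main__":
    print(match_handshake(SAMPLE))
```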
