
Overview

Recently, we noticed an emerging DDoS botnet. This family transplanted part of the Mirai code, but modified the online (check-in) method and the payload structure, and added OpenNIC domain names as C2. Based on the characteristics of the C2 strings in the initial version, we named this family CatDDoS.

CatDDoS is still in its "early startup" stage and its activity is not stable: the number of attack instructions per day ranges from hundreds to thousands. However, since the latest version "2.0.4" was released in September, it has used multiple N-day vulnerabilities to launch a new round of propagation, and the number of attack instructions has also risen sharply, exceeding 6,000 in a single day:

According to statistics from our threat monitoring system, the recent spread trends of CatDDoS are as follows:

The following will provide an in-depth analysis of the key details of the samples, propagation methods and version evolution of the CatDDoS botnet.


Online Request

The CatDDoS online (check-in) phase consists of two parts: a plaintext part and a ciphertext part. The plaintext part first sends the byte stream "\x00\x00\x00\x04". This online header comes from the Mirai family, where the fourth byte originally identified the Bot version; CatDDoS customizes the version part and sends it together with the Bot architecture. That is the end of the plaintext part.

The ciphertext part consists of three fields: the number of CPUs, the memory size, and the online parameters. It is encrypted in the same way as the sample's static strings, with the ChaCha20 algorithm using the same key and nonce.


Attack Command Structure

In terms of the attack command structure, CatDDoS takes Mirai's payload structure and swaps the positions of the attack vector and attack duration fields, shortening the attack duration field to 2 bytes. The following is a real attack instruction we captured:

The attack command in the picture above launches a "flood_tcp_bypass" DDoS attack on the target IP (203.107.xx.140/32) for 30 seconds. Among the optional fields, option No. 7 is the most important, as it carries the target port number. Here field No. 7 is "\x38\x30", i.e. the string "80".
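To make that layout concrete, here is a decoder for a command in the CatDDoS format, written as an added example for this analysis rather than code from the original report. It follows the description above: Mirai's payload with the attack vector first, then a 2-byte duration, then the target list and the key/length/value option list, with option key 7 carrying the destination port as an ASCII string. It assumes, as in Mirai, that multi-byte integers are big-endian and that the 2-byte length prefix of the C2 protocol has already been stripped; the vector-id-to-name table and the sample bytes are constructed (the target uses a TEST-NET-3 address in place of the redacted one).

```python
"""Decoder for a CatDDoS attack command (added example, not the report's code).

Layout, per the report: attack vector (1 byte), duration (2 bytes), target
count, targets (IPv4 + prefix length), option count, options (key, len, value).
Assumptions not stated in the report: big-endian integers as in Mirai, and the
C2 protocol's 2-byte length prefix already removed.
"""
import ipaddress
import struct

# Option key 7 carries the destination port as an ASCII string (from the report).
OPT_DPORT = 7

# Hypothetical id-to-name table: the report names the vectors but not their ids.
VECTOR_NAMES = {0: "flood_tcp_bypass", 1: "flood_tcp_ack"}


def parse_catddos_command(buf: bytes) -> dict:
    """Decode one command into a dict; raise ValueError on a truncated buffer."""
    if len(buf) < 4:
        raise ValueError("command too short")
    vector = buf[0]                               # attack vector id comes first in CatDDoS
    (duration,) = struct.unpack(">H", buf[1:3])   # duration shortened to 2 bytes
    ntargets = buf[3]
    pos = 4
    targets = []
    for _ in range(ntargets):
        if pos + 5 > len(buf):
            raise ValueError("truncated target list")
        ip = ipaddress.IPv4Address(buf[pos:pos + 4])
        prefix = buf[pos + 4]
        targets.append(f"{ip}/{prefix}")
        pos += 5
    if pos >= len(buf):
        raise ValueError("missing option count")
    nopts = buf[pos]
    pos += 1
    options = {}
    for _ in range(nopts):
        if pos + 2 > len(buf):
            raise ValueError("truncated option header")
        key, length = buf[pos], buf[pos + 1]
        pos += 2
        if pos + length > len(buf):
            raise ValueError("truncated option value")
        options[key] = buf[pos:pos + length]
        pos += length
    if pos != len(buf):
        raise ValueError("trailing bytes after command")
    dport = options.get(OPT_DPORT)
    return {
        "vector": VECTOR_NAMES.get(vector, f"unknown({vector})"),
        "duration": duration,
        "targets": targets,
        "dport": int(dport.decode()) if dport and dport.isdigit() else None,
        "options": options,
    }


# Constructed sample: vector 0, 30 s, one target 203.0.113.140/32 (TEST-NET-3
# stand-in for the redacted address), one option: key 7 = "80" (\x38\x30).
SAMPLE = bytes.fromhex("00" "001e" "01" "cb00718c" "20" "01" "07" "02" "3830")

if __name__ == "__main__":
    print(parse_catddos_command(SAMPLE))
```

Because the vector id now sits in the first byte and the duration in the next two, a Mirai-style parser that reads a 4-byte duration first would misread every CatDDoS command; the decoder also rejects truncated buffers instead of reading past the end, which is the failure mode a C2 emulator or traffic parser most often hits on fragmented captures.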

On September 6, we captured CatDDoS launching multiple "flood_tcp_ack" attacks against Twitter's website:


String Decryption

CatDDoS strings are encrypted with the ChaCha20 stream cipher. During the sample's initialization phase, the decrypted strings are stored in the following structure:

When a string is needed, only its index number is required to look it up. The following shows the selection of the C2 domain name, which uses strings No. 3 and No. 4; the corresponding plaintext is:

To facilitate analysis, we implemented the corresponding decryption in IDAPython. The decryption result is:

The code is as follows:

import idc
import idaapi
import ida_hexrays
from idautils import CodeRefsTo
from Crypto.Cipher import ChaCha20

def get_all_cfunc(eas):
    # Decompile every function that references the decrypt routine, deduplicated by entry address
    ref = {}
    for ea in eas:
        cfunc = idaapi.decompile(ea)
        if cfunc and hex(cfunc.entry_ea) not in ref:
            ref[hex(cfunc.entry_ea)] = cfunc.body.cblock
    return ref.keys(), ref.values()

def find_obj_ea(arg):
    # Strip casts/references until the underlying object (the ciphertext address) is reached
    arg = arg.x
    tp = arg.op_to_typename[arg.op]
    if tp == "obj":
        return arg.obj_ea
    elif tp == "cast" or tp == "ref":
        return find_obj_ea(arg)

def parse_arg(block):
    # Yield the type and value of each argument of a call expression
    if hasattr(block, "operands"):
        if "a" in block.operands:
            for arg in block.operands["a"]:
                tp = arg.op_to_typename[arg.op]
                if tp == "num":
                    yield {"type": tp, "value": arg.numval()}
                elif tp == "cast" or tp == "ref":
                    yield {"type": tp, "value": find_obj_ea(arg)}
                else:
                    yield {"type": tp, "value": arg.operands}

def parse_expr(expr):
    # Walk the expression tree and record the arguments of every call to the decrypt routine
    if expr.op_to_typename[expr.op] == "call":
        if expr.ea in eas:
            call_info[hex(expr.ea)] = []
            for arg in parse_arg(expr):
                call_info[hex(expr.ea)].append(arg)
    else:
        for operands in expr.operands.values():
            if type(operands) is ida_hexrays.cexpr_t:
                parse_expr(operands)


xor_add_func = 0x000000000403020   # decrypt-and-store routine: (index, ciphertext, length)
key = 0x000000000051C0A0           # address of the 32-byte ChaCha20 key
nonce = 0x000000000051C0C0         # address of the 12-byte ChaCha20 nonce

call_info = {}
# idc.GetManyBytes is the legacy name; on IDA 7.4 and later use idc.get_bytes(ea, size)
key = idc.GetManyBytes(key, 32)
nonce = idc.GetManyBytes(nonce, 12)
eas = list(CodeRefsTo(xor_add_func, False))
xrefs, cfunc = get_all_cfunc(eas)
print("found %s xrefs: %s" % (len(xrefs), list(xrefs)))
for cblock in cfunc:
    for cinsn in cblock:
        op = cinsn.details
        if issubclass(type(op), ida_hexrays.ceinsn_t) and type(op.expr) is ida_hexrays.cexpr_t:
            parse_expr(op.expr)
        elif type(op) is ida_hexrays.cexpr_t:
            parse_expr(op)
for k in call_info.keys():
    args = call_info[k]
    # Expected call shape: (index, pointer to ciphertext, length)
    if len(args) >= 3 and args[0]["type"] == "num" and args[1]["type"] in ["cast", "ref"] and args[2]["type"] == "num":
        ciphertext = idc.GetManyBytes(args[1]["value"], args[2]["value"])
        cipher = ChaCha20.new(key=key, nonce=nonce)
        cipher.seek(64)   # the sample skips the first keystream block (counter starts at 1)
        text = cipher.decrypt(ciphertext)
        print("[%s]: %s" % (args[0]["value"], text))
    else:
        print("%s unknown arguments, parsing failed: %s" % (k, args))
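The script above only runs inside IDA. The following stand-alone re-creation of the string decryption is an added example for this analysis, not the report's code: it implements ChaCha20 (RFC 7539) inline, so it needs neither IDA nor pycryptodome, and it isolates the one detail that makes the decryption work, the `cipher.seek(64)` call, which is equivalent to starting the keystream at block counter 1. The same routine applies to the ciphertext part of the online request, which the text says uses the same key and nonce. The key, nonce and encrypted string table are constructed for the demo; the real sample's values are read from the addresses in the IDAPython script.

```python
"""Stand-alone ChaCha20 string decryption in the CatDDoS style (added example).

The key, nonce and string table below are constructed for the demo and are
NOT the sample's; the indices 3 and 4 mirror the C2-domain strings the
report describes, and "meow" is the marker the report mentions.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block for a 32-byte key, 12-byte nonce, 32-bit counter."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """XOR data with the keystream starting at block `counter` (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


# The IDAPython script calls cipher.seek(64) before decrypting: the sample
# skips keystream block 0, so decryption must start at block counter 1.
SAMPLE_START_COUNTER = 1


def decrypt_string(key, nonce, ciphertext):
    return chacha20_xor(key, nonce, ciphertext, counter=SAMPLE_START_COUNTER)


def decrypt_table(key, nonce, table):
    """table: (index, ciphertext) pairs, mirroring the (index, ptr, len)
    arguments passed to the sample's decrypt-and-store function."""
    return {idx: decrypt_string(key, nonce, ct) for idx, ct in table}


def decrypt_from_counter_zero(key, nonce, ciphertext):
    """What an analyst gets when the counter offset is missed: garbage."""
    return chacha20_xor(key, nonce, ciphertext, counter=0)


def rfc7539_self_check():
    """Verify the cipher against the RFC 7539 section 2.4.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
           b"only one tip for the future, sunscreen would be it.")
    ct = chacha20_xor(key, nonce, msg, counter=1)
    return ct[:16] == bytes.fromhex("6e2e359a2568f98041ba0728dd0d6981")


# Constructed demo key/nonce and string table (NOT the sample's values).
DEMO_KEY = bytes(range(32))
DEMO_NONCE = bytes(range(12))
DEMO_TABLE = [
    (idx, chacha20_xor(DEMO_KEY, DEMO_NONCE, pt, counter=SAMPLE_START_COUNTER))
    for idx, pt in [(3, b"catddos.pirate"), (4, b"meow")]
]

if __name__ == "__main__":
    assert rfc7539_self_check()
    for idx, text in decrypt_table(DEMO_KEY, DEMO_NONCE, DEMO_TABLE).items():
        print("[%d]: %s" % (idx, text))
```

When porting a decryptor like this to a new sample, the first thing to check is the block counter: a 64-byte seek, a counter that starts at 1, and an RFC 7539 counter/nonce split (32-bit counter, 96-bit nonce) versus the original 64-bit/64-bit layout all produce the same key schedule but different keystream, and any of them turns every decrypted string into noise.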

Other

The CatDDoS team seems to have a soft spot for cats. Not only is the C2 domain name named after CatDDoS, but the word "meow" is also left in the sample's encrypted strings.

Based on these characteristics of the CatDDoS botnet, we think it bears some resemblance to the Fodcha family.

Of course, the picture above is only a joke about the similar characteristics of the two families. There is currently no evidence that CatDDoS and Fodcha are the same gang.


Propagation Methods

CatDDoS's propagation module is not integrated in the Bot sample. The scanner it uses has User-Agent strings of "python-requests" and "python-aiohttp", so we speculate that it is written in Python. It spreads mainly through N-day vulnerabilities; the vulnerabilities used are the following:

ExifTool arbitrary code execution vulnerability ( CVE-2021-22205 )

Linksys Router Remote Command Execution Vulnerability

Hadoop Unauthorized Command Execution Vulnerability

CatDDoS released version "2.0.4" in September and used these vulnerabilities to spread widely. Judging from the propagation trend and the number of attack instructions, CatDDoS may have entered a new and relatively mature stage.


Version Evolution

The earliest CatDDoS version number we could trace back to is "2.0.0", and the latest version is "2.0.4". Compared with the initial version, the main changes are in the selection of C2 and the attack vectors.

In the earlier version "2.0.0", the sample chose its C2 in one of two modes: a hard-coded IP address or an OpenNIC domain name.

Version "2.0.4" keeps only an OpenNIC domain name as C2.

In version "2.0.4", the version number is followed by the string "socks5", which indicates that a DDoS attack mode targeting the SOCKS5 service was added in this version. Compared with the initial version, this version adds two new attack modes, raising the number of attack vectors from 14 to 16.


Summary

Although CatDDoS is currently in its early stages, judging from the number of attack commands it does not look like a newcomer who has just entered the business. The sample's encryption methods and the C2 server setup are relatively sophisticated, so the team may already have had a relatively stable DDoS business before. The family is continuing to upgrade and expand, and we will keep monitoring it.


IOC

Scan Source (Loader)

45.89.127.173

193.34.212.110

194.180.48.50

Download Server

194.153.216.164:80

62.113.113.168:80

C2

catddos.pirate

i-like-dicks.pirate

chinks-eat-dogs.africa

139.177.196.154:35342

212.118.43.167:35342

77.105.138.202:35342

84.54.47.93:35342

88.218.62.22:353421

MD5

v2.0.0

78f016db54e1ab7ea9111a413e3b8eed

v2.0.4

2ab78374d7ab2fb3c5dddcbe6d714856

0f434c3b72e275d05ab302c40469e018
