Table of contents
- How DDoSia Project work
- DDoSia Project’s analysis: how to track targets list
- Analysis of targeted websites and countries
- Indicators Of Compromise (IoCs)
DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro Russia hacktivist nationalist group NoName057(16) against countries critical of the Russian invasion of Ukraine.
The DDoSia project was launched on Telegram in early 2022. The NoName057(16) main group main Telegram channel reached more than 45,000 subscribers as of June 2023, while the DDoSia project channels reached over 10,000 users. Administrators posted instructions for potential volunteers who want to participate in projects, and they added the possibility to pay in cryptocurrency for users who declare a valid TON wallet based on their contribution to the DDoS attacks.
The administrators of the group as well as the community are very active. They were notably observed conducting DDoS attacks against European, Ukrainian, and U.S. websites of government agencies, media, and private companies. Regularly, the group posts messages claiming successful attacks.
DDoSia was initially written in Python using CPU threads as a way to launch several network requests at the same time. Since the first version, DDoSia relied on HTTP protocol for Command & Control (C2) communication, with JSON configurations distributed by the C2 server, and is available for several operating systems. On 18 April 2023, Avast published an article analyzing network flow between DDoSia users and the C2. On 19 April 2023, DDoSia administrators released a new version of their sample that implements an additional security mechanism to conceal the list of targets, which is transmitted from the C2 to the users. Said mechanism is described in the next section.
How DDoSia Project work
Overview of channels used
DDoSia’s main communication occurs via the NoName057(16)’s Telegram channel, with one channel in Russian, counting more than 45,000 subscribers, and a second in English. Users can join the DDoSia Project group with the link, gaining access to 7 different channels. NoName057(16) set up a separate Telegram bot from the DDoSia Projects group, available at , which allows interaction via predefined commands. A summary of these channels is available in the Figure 3 below:
This figure includes an English translation of the channels, originally in Russian.
Register and download sample
The channelincludes a manual on the actions that need to be carried out. The first step is to register via the Telegram bot . Although dedicated channels for English support exist, the bot is only available in Russian.
After starting the discussion with the
Of note, no wallet was provided for this investigation. The bot then transmits two files:
- : a file containing information to uniquely identify a user. This is a hash starting with , generated by a Bcrypt password-hashing function;
- : a file containing several indications on the steps to follow to use the sample as well as Telegram links for installation tutorials.
In addition, one of the bot’s functionalities allows to view statistics of its own account as well as those of all bot users combined. It is also possible to ask to recreate thefile.
Next step is to retrieve the sample to launch.
As shown in Figure 5, this is an archive in ZIP format, named, containing the client sample. This investigation focuses on the archive released on 19 April 2023. The summary of its contents is available below:
|d_linux_amd64||ELF 64-bit LSB executable, x86-64|
|d_linux_arm||ELF 32-bit LSB executable, ARM|
|d_mac_amd64||Mach-O 64-bit x86_64 executable|
|d_mac_arm64||Mach-O 64-bit arm64 executable|
|d_windows_amd64.exe||PE32+ executable (console) x86-64 for Microsoft Windows|
|d_windows_arm64.exe||PE32+ executable (console) Aarch64 for Microsoft Windows|
Execute the sample
Once the user has all the necessary files to participate in DDoS attacks, thefile must be placed in the same folder as the selected executable. In this example, Sekoia.io analysts used . Once the sample is executed, it is a command line prompt, in which it is possible to see the current number of targets, as well as a summary of the network interactions carried out towards a target. The English translation of the command line is as follows:
DDoSia Project’s analysis
After downloading the necessary files, Sekoia.io analysts set up a dedicated infrastructure to retrieve the list of targets.
After setting up the infrastructure, we performed network sniffing to check what requests were sent between the client and the C2. The summary of network flow is available in the diagram below:
When the malware is launched, it makes a POST request to the URLto authenticate with the C2. The field corresponds to the content of the file, starting with ;
Thefield is a value generated by the sample, which contains the SHA256 sum of the machine’s UID, as well as the PID of the malware. This value is located in a folder located in the same location as the executable, in a folder named .
The C2 then confirms the authentication request and provides a token to the client, as below:
Consequently, the client sends a GET request to the C2, this time specifying the field, whose value is the one previously sent by the C2, automatically modified by the client.
This time, the C2 returns a dictionary in JSON format. On one hand the previous but modified token, and on the other hand afield in which there is an encrypted text. This field contains the list of targets:
In this example, the value of thefields is shortened, as its size is around 70, 000 characters. The next section provides further details related to data encryption’s mechanism.
Reverse engineering on the sample
At this stage, the retrieved list of targets is encrypted. This reverse engineering analysis focuses on theexecutable.
This version of DDoSia was written in Go language. Contrary to usually seen Go binaries, this new version does not provide the expected result and decompilation errors are observed. Focusing on the functions performing the HTTP requests and decryption process results in the following graph:
In this graph, brown parts correspond to instructions which are not considered in a function, which means that it is not possible to interpret them. Despite this, several functions seem relevant. The first interesting function initiates a structure where the IPv4 address and different URLs are called:
The Figure 9 is an extract of thefunction, where a GET request is created and then sent. After unmarshalling the JSON, the function is called. It makes the authentication via the function, which, if successful, retrieves the targets.
This Figure 10 contains two functions which were automatically renamedand . Their purpose is to initiate the AES encryption.
This first step allowed Sekoia.io analysts to identify that data are AES-GCM encrypted. As is, finding the generation process of the key and of the IV are difficult to understand. To bypass this step, it was decided to use a dynamic analysis approach of the sample.
As a reminder, the client receives a JSON with two fields: an integer, namedand a base64 encoded field, named . Dynamic analysis allowed for the calculation of all necessary values to decrypt the data:
- Key calculation:
- The value of the token is divided it by 5 (whole division);
- The result is added to the (that begins by );
- Take the last 32 characters of the and convert them in a hex string.
- IV calculation
- Take the , decode it in base64;
- Take the 12 first characters and convert them in bytes.
- TAG calculation
- Take the , decode it in base64;
- Take the 16 last characters convert them in bytes.
Finally, thecorresponds to the value of the field, from which the first 12 and last 16 chars are removed. Now it is possible to get the value of the field in plain text.
Analysis of the decrypted content
Once the data is decrypted, it is possible to see that it is a dictionary in JSON format.
The dictionary is divided into two parts. The first field is called , and the second field is called . Targets field contains an integer array of fields, in which several of them are specific:
In addition to the IPv4 address, there are fields to target specific URLs. On some targets, it is possible to find that beyond the metadata, content can be added to the DDoS request thanks to thefield, as shown in the JSON data above.
This table contains a list of fields that appear to be used to generate random strings in sent requests.
In the target example above, in thefield, we can find variables such as or that appear to be replaced by these random strings. It is highly likely that this random data generation allows to bypass the cache mechanisms of the C2 target by making network requests different from each other.
Analysis of targeted websites and countries
After the values sent by DDoSia C2 server were successfully decrypted, TDR analysts developed a tool automatically gathering targeted domains, allowing a victimology analysis. The following section analyzes the data, over a period from 8 May to 26 June 2023.
The following graph shows the most targeted countries, based on the TLD of the targeted urls. Commercial or domains unrelated to a country-level TLD are excluded (, , , , ).
Based on this graph, we clearly identify that the pro-Kremlin hacktivist group NoName057(16), primarily focuses on Ukraine and NATO countries, including the Eastern Flank (Lithuania, Poland, Czech Republic and Latvia). It is highly likely that this stems from the fact that those countries are the most vocal in public declarations against Russia and pro-Ukraine, as well as providing military support and capabilities.
A second group, mostly Western countries, is the secondary DDoSia target, including France, the United Kingdom, Italy, Canada and other EU countries, almost certainly as they supported Ukraine both politically, militarily and economically since the beginning of the conflict.
Sekoia.io in-house tool detected a total of 486 different websites impacted. The following graph shows the top 50:
From 8 May to 26 June 2023, few conclusions can be drawn:
- The top 2 targets are Ukrainien websites, targeted twice as often as the others.The first victim; is related to , a state institution (Ukrainian Center for Educational Quality Assessment) which delivers external independent evaluation of students.
- The second domain, is a online education platform created by the Ukrainian government to face COVID restrictions.
Based on this statistical observation, Sekoia.io analysts assess it is plausible that NoName057(16) targeted education-related resources during the exam period (May and June), to maximize the media coverage of their DDoS operation.
Among the other impacted domains, we identify multiple economic sectors, including education, financial and transport sectors, as well as governmental entities. Indeed, two of the targets within the top 10 are related to the financial sector; the AXA bank (top 5) and the BPCE group (top 7). Public entities such as the French Senate or the Italian government can also be found among the most targeted websites. Similarly, few domains belonging to the French transport group RATP were equally actively targeted.
As a nationalist hacktivist group, NoName057(16) is very reactive to political communication. For example, on 21 June 2023, shortly after French president Macron announced the incoming delivery of air defense system to Kiev, our tool detected multiple targets related to the French transport group RATP, targeting the following websites:, , , . This reaction likely reflects NoName’ stand to quickly and systematically conduct their campaigns as retaliation to what they perceive being a provocation or an offense to Russia.
The English translation of the body of this message is as follows:
The NoName057(16) group continues to update the DDoSia Project. Sekoia.io analyst’s observations concur with Avast’s analysis and provide an update on the newly implemented encryption mechanism.
NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims.
Sekoia.io analysts assess that strengthening the security of their software is part of NoName057(16)’s efforts to continuously develop their capabilities, almost certainly driven by their active community as well as the increasing scrutiny of their activities from the CTI community. It is highly likely we will observe further developments in the short term.
Indicators Of Compromise (IoCs)
|IoC Name||Info||SHA256 sum|
Thank you for reading this blogpost. We welcome any reaction, feedback or critics about this analysis. Please contact us on tdr[at]sekoia.io
Feel free to read other TDR analysis here :