====== Project DDoSia ======
[[https://ferhr-my.sharepoint.com/:v:/g/personal/mo760600010_fer_hr/EYGanvcES4BKuytKDp2SOEEBqEPYYqB1yR50wTaHvARXBA?nav=eyJyZWZlcnJhbEluZm8iOnsicmVmZXJyYWxBcHAiOiJTdHJlYW1XZWJBcHAiLCJyZWZlcnJhbFZpZXciOiJTaGFyZURpYWxvZy1MaW5rIiwicmVmZXJyYWxBcHBQbGF0Zm9ybSI6IldlYiIsInJlZmVycmFsTW9kZSI6InZpZXcifX0%3D&e=J9dvBi|Video presentation]]
===== Abstract =====
Project DDoSia is bot software created by the pro-Russian group NoName057(16).
It is used to build voluntary botnets that perform DDoS attacks. These attacks
target European countries, predominantly Ukraine. To incentivize participation,
the authors of the software give out rewards to the users who contribute the
most to the attacks. This paper explores the timeline of Project DDoSia, from
its creation through its development to its present state.
Keywords: DDoS, Cybersecurity, Bot, Botnet
===== Introduction =====
Distributed denial of service (DDoS) attacks are among the most powerful and
impactful cyberattacks to date. The reason is that there is no easy way to fend
them off, even less so if the victim cannot afford the hardware or services
needed to filter the incoming malicious traffic. These attacks are performed by
flooding the victim with garbage traffic and thereby overloading the victim's
devices. To generate the amount of traffic needed to cause such an overload,
attackers construct and use botnets. A botnet is a group of internet-connected
computers controlled by a person or organization called the botmaster. The
botmaster specifies the victim to which malicious traffic should be sent.
Botnets can span from a couple of devices to many hundreds of thousands of
devices. To build such large botnets, botmasters infect vulnerable computers
with malware that allows them to issue commands to the infected machines. This
is a time-consuming process that does not necessarily succeed. To speed it up,
botmasters can pay other malicious actors to do the job for them. Project
DDoSia is bot software that takes an interesting, different approach to
expanding its botnet: joining the botnet is entirely voluntary.
{{:racfor_wiki:seminari2024:botnet.png?400| Network structure of a botnet [6]}}
Figure 1: Network structure of a botnet [6]
===== Early versions =====
Project DDoSia was "officially" announced by the pro-Russian group
NoName057(16) on September 15, 2022. The initial idea was for it to be a new
botnet alongside the then-larger "Bobik" botnet, which was eventually taken
down. The group enticed people to join the Project DDoSia botnet by offering
rewards to those who displayed the best performance. As of January 11, 2023,
Project DDoSia had around a thousand bots in its botnet. [2]
==== Recruitment ====
Project DDoSia is distributed via the messaging platform "Telegram".
Volunteers are invited to the group, where they register in an automated manner
through a bot. If they wish, volunteers can provide a crypto wallet during
registration, allowing them to receive rewards if they carry out enough attacks
to be eligible for one. After successful registration, the bot gives the new
member a DDosia.zip archive containing the executable. There is a version for
all major platforms, namely Linux, macOS and Windows.
{{:racfor_wiki:seminari2024:reward-messages.png?685|Messages in the Project DDoSia Telegram group regarding rewards}}
Figure 2: Messages in the Project DDoSia Telegram channel regarding rewards [1]
== Linux and macOS ==
The .zip archive contains a Python script, obfuscated in a rudimentary manner.
== Windows ==
The .zip archive contains an executable file built from the same Python script
that is used for Linux and macOS. Otherwise, the functionality of the client
is the same.
==== Client capabilities & communication ====
When executed, the Python script starts the client, which begins talking to the
command and control (C&C) server and identifies the user by sending the data
stored in the client_id.txt file, also located in the .zip archive. This
identifier is used to measure how successful individual users are at partaking
in the attacks, and thus whether they are eligible for a reward. In further
communication, the C&C server sends a .json file containing the list of targets
the client should attack and describing how the traffic should be generated. In
this version, the attack traffic itself is sent over HTTP. Notably, all
communication with the C&C server is unencrypted and unauthenticated, meaning
that any device can listen in on it, and any device can initiate communication
with the C&C server as long as it knows the server's IP address.
The C&C server is a simple web server with two notable endpoints:
  * hxxp://109.107.181[.]130:5001/client/get_targets
  * hxxp://109.107.181[.]130:5001/set_attack_count
These endpoints are used, respectively, for sending the .json file with the
attack victims to the bots and for receiving the performance report of a
particular bot.
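Because this early client talks to its C&C server in plaintext HTTP, the two endpoints above are directly visible in ordinary proxy or web-gateway logs. The following is an added detection example (not code from the paper or from the DDoSia project) that scans constructed sample log lines for requests to those endpoints and reports which internal hosts fetched tasking or reported attack statistics; the log format and the client addresses are assumptions.

```python
import re
from collections import defaultdict

# C&C address and endpoints of the early (Python) DDoSia client, as given in the
# text; the defanged 109.107.181[.]130 is written out here so it can be matched.
C2_HOST = "109.107.181.130"
C2_PORT = 5001
C2_ENDPOINTS = {
    "/client/get_targets": "fetched attack target list",
    "/set_attack_count": "reported attack statistics",
}

# Constructed sample proxy log in a common access-log shape (not a real capture).
SAMPLE_LOG = """\
10.0.0.12 - - [11/Jan/2023:10:02:13 +0100] "GET http://109.107.181.130:5001/client/get_targets HTTP/1.1" 200 1842
10.0.0.12 - - [11/Jan/2023:10:04:13 +0100] "POST http://109.107.181.130:5001/set_attack_count HTTP/1.1" 200 17
10.0.0.40 - - [11/Jan/2023:10:04:20 +0100] "GET http://example.org/index.html HTTP/1.1" 200 5120
10.0.0.40 - - [11/Jan/2023:10:05:01 +0100] "GET http://109.107.181.130:5001/client/get_targets HTTP/1.1" 200 1842
"""

# client - - [timestamp] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Split an absolute URL into host, optional port and path (query string dropped).
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/[^?#]*)')


def find_ddosia_c2_traffic(log_text):
    """Return {client_ip: [(timestamp, what_the_client_did), ...]} for every
    request that went to one of the known C&C endpoints."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log shape
        u = URL_RE.match(m["url"])
        if not u:
            continue  # relative or malformed URL, not C&C traffic we can classify
        port = int(u["port"] or 80)
        if u["host"] == C2_HOST and port == C2_PORT and u["path"] in C2_ENDPOINTS:
            hits[m["client"]].append((m["time"], C2_ENDPOINTS[u["path"]]))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_ddosia_c2_traffic(SAMPLE_LOG).items():
        for when, what in events:
            print(f"{client} {when}: {what}")
```

A host that both fetches the target list and posts to set_attack_count is running the client, not merely probing the server.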
==== Botnet capabilities & targets ====
It is estimated that the botnet could produce around 900,000 requests per
minute, making its attacks a formidable event for small networks that are not
prepared for them. The targets of the botnet are similar to those of the
"Bobik" botnet, which was also operated by the NoName057(16) group. A few of
the targets can be seen in the table below.
^ Website URL ^ Company type ^ Country ^
|accordbank.com.ua |Bank |Ukraine |
|www.i-unija.lt |Bank |Lithuania |
|nit.school |Education |Ukraine |
|auth.cdu.edu.ua |Education |Ukraine |
|www.hrx.fi |Logistics |Finland |
|crm.rmcargo.lt |Logistics |Lithuania |
|education.umj.com.ua |Education |Ukraine |
|www.sejm.gov.pl |Government |Poland |
|www.rs.gov.lv |Government |Latvia |
Table 1: Some of the targets of the Project DDoSia botnet [1]
Although capable, the Project DDoSia botnet did not have a flawless attack
record. In fact, only around 13% of all attacks were successful, meaning that
the target ceased to provide its services. [1]
===== Further development =====
In late 2022 a new version of the bot software was detected, this time written
in Go. The suspected reason for this change is the need for better performance
in generating the malicious traffic. Cross-platform support is retained.
On the C&C side, a bot now has to authenticate before it can begin
communicating with the server.
{{:racfor_wiki:seminari2024:C2-communication-workflow.png?|Communication flow between a bot and the C&C server.[2]}}
Figure 3: Communication flow between a bot and the C&C server [2]
Additionally, the .json file describing the attack targets is now encrypted
with a symmetric key. Architecturally, the C&C server is at this point placed
behind two proxy servers, which protect it by keeping its IP address secret.
{{:racfor_wiki:seminari2024:C2-Architecture.png?|C&C server architecture of the newer version of Project DDoSia botnet.[2]}}
Figure 4: C&C server architecture of the newer version of Project DDoSia botnet [2]
In April 2023 the number of users in the Project DDoSia Telegram group rose to
10,000. [2] In March 2024, this number was approaching 20,000 users. [5] At the
time of writing of this paper, the number can be expected to exceed 20,000
users.
==== Targets ====
With its growing capabilities and resources, the Project DDoSia botnet has
expanded its list of targets, adding and heavily targeting Finland and Italy
alongside Ukraine. The most prevalent targets are government organizations,
followed by banking and transportation organizations.
{{:racfor_wiki:seminari2024:ddosia-map.png?685|A map of targeted countries by the Project DDoSia botnet in 2024.[5]}}
Figure 5: A map of targeted countries by the Project DDoSia botnet in 2024 [5]
===== Conclusion =====
Project DDoSia is a new approach to creating malicious botnets. With the
political turmoil that began in Eastern Europe in the first half of 2022,
differing opinions and ideas started to arise. Project DDoSia exploits this
tense political climate to recruit volunteers who join their devices to the
botnet, providing additional resources for generating malicious traffic.
Alongside the political motivation, which seems to prevail, there is also a
financial one, since the users who contribute the most to the attacks are
eligible for a reward that can equal one to two average monthly salaries in the
Russian Federation. Although this sum of money is not small, the payouts are
irregular and go to only a handful of participants, indicating that the primary
motive is political.
==== Literature ====
[1] [[https://decoded.avast.io/martinchlumecky/ddosia-project/ |Martin Chlumecký: "DDosia Project: Volunteers Carrying out NoName(057)16’s DirtyWork"]]. Accessed: 17.1.2025.
[2] [[https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/ |Martin Chlumecký: "DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks"]]. Accessed: 17.1.2025.
[3] [[https://socradar.io/what-is-ddosia-project/ |SOCRadar: "What is DDoSia Project?"]]. Accessed: 17.1.2025.
[4] [[https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/ |Amaury G., Charles M. and Sekoia TDR: "Following NoName057(16) DDoSia Project’s Targets"]]. Accessed: 17.1.2025.
[5] [[https://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/ |Sekoia TDR, Amaury G. and Maxime A.: "NoName057(16)’s DDoSia project: 2024 updates and behavioural shifts"]]. Accessed: 17.1.2025.
[6] Mahmoud, Muhammad, Manjinder Nir, and Ashraf Matrawy. "A survey on botnet architectures, detection and defences." Int. J. Netw. Secur. 17.3 (2015): 264-281.