Experts detail new capabilities brought by the Fodcha botnet

November 10, 2022

The Fodcha DDoS botnet resurfaces on the cybercriminal landscape with new capabilities that pose threats to all its targets. According to reports, the botnet has upgraded its communication protocol and includes a new ability to extort cryptocurrency payments from victims.

Researchers spotted the Fodcha botnet for the first time last April, spreading by exploiting known vulnerabilities in Android and IoT devices and by abusing weak SSH and Telnet passwords. Since then, it has grown into a large-scale DDoS botnet with more than 60K active nodes and 40 C2 domains, capable of generating over 1 Tbps of traffic against its targets.


On October 11, researchers detected peak activity from the Fodcha DDoS botnet, which targeted 1,396 devices in a single day.


The botnet's most targeted countries since June of this year were China, Singapore, Japan, France, Canada, Germany, Russia, the US, the UK, and the Netherlands. Fodcha has also attacked organisations in the healthcare sector, law enforcement agencies, and cloud service providers.

Furthermore, the botnet has gained new stealth features that let it encrypt communications with its C2 servers, and it now embeds ransom demands directed at its victims. Experts believe these new capabilities make the Fodcha botnet a potent threat to its targets.

It was also discovered that Fodcha reuses much of the attack code previously used by the Mirai botnet and supports about 17 attack methods it can launch against victims' devices. Researchers further highlighted the growing abuse of the Connectionless Lightweight Directory Access Protocol (CLDAP) by this botnet, which magnifies the scale of its DDoS attacks.

Over 12,000 open CLDAP reflectors were discovered, most of them located in Brazil and the US, with the remainder mainly in India, Mexico, and Germany.
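CLDAP reflection works because an open CLDAP server answers a small UDP query with a much larger response, and the attacker spoofs the victim's address as the source of the query, so the victim receives responses from many servers it never contacted. The following detection logic is an added example, not code from the article or from the researchers it cites; it assumes a simplified, hypothetical flow-record format (`proto src:port > dst:port bytes`) and uses constructed sample records with RFC 5737 documentation addresses. It flags a destination that receives UDP traffic from port 389 on several distinct hosts while sending little or nothing back to them, which is the signature of a reflected flood rather than legitimate directory lookups.

```python
"""Detect CLDAP (UDP/389) reflection traffic in simplified flow records.

Added example, not part of the original article. The record format and the
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389   # CLDAP is LDAP over UDP on port 389
MIN_REFLECTORS = 3 # distinct reflectors before alerting (assumed threshold)
MIN_BYTES = 1000   # bytes delivered to one victim before alerting (assumed threshold)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the hypothetical format 'proto src:port > dst:port bytes'."""
    proto, src, _arrow, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes))


def find_cldap_reflection(flows):
    """Return suspected reflection victims keyed by destination IP.

    A reflection victim receives UDP responses sourced from port 389 on many
    hosts, while the flows in the reverse direction (victim -> reflector:389)
    are absent or tiny, because the real queries came from the spoofing attacker.
    """
    responses = defaultdict(lambda: {"sources": set(), "bytes": 0})
    queries = defaultdict(int)  # bytes each host sent *to* port 389 (legitimate lookups)
    for f in flows:
        if f.proto != "udp":
            continue  # TCP LDAP cannot be spoofed this way; ignore it here
        if f.src_port == CLDAP_PORT:
            responses[f.dst_ip]["sources"].add(f.src_ip)
            responses[f.dst_ip]["bytes"] += f.nbytes
        elif f.dst_port == CLDAP_PORT:
            queries[f.src_ip] += f.nbytes

    alerts = {}
    for victim, stats in responses.items():
        if len(stats["sources"]) < MIN_REFLECTORS or stats["bytes"] < MIN_BYTES:
            continue
        alerts[victim] = {
            "reflectors": len(stats["sources"]),
            "bytes": stats["bytes"],
            "query_bytes": queries.get(victim, 0),  # ~0 means the victim never asked
        }
    return alerts


def analyze_lines(lines):
    """Parse raw records and run the detector; convenience wrapper for callers."""
    return find_cldap_reflection(parse_flow(l) for l in lines if l.strip())


# Constructed sample records (not real traffic): four reflectors flood
# 203.0.113.5, while 192.0.2.30 performs an ordinary CLDAP lookup.
SAMPLE_FLOWS = [
    "udp 198.51.100.10:389 > 203.0.113.5:53281 3000",
    "udp 198.51.100.11:389 > 203.0.113.5:53281 2900",
    "udp 198.51.100.12:389 > 203.0.113.5:53281 3100",
    "udp 198.51.100.13:389 > 203.0.113.5:53281 2800",
    "udp 192.0.2.30:50000 > 192.0.2.20:389 60",
    "udp 192.0.2.20:389 > 192.0.2.30:50000 120",
    "tcp 198.51.100.10:389 > 203.0.113.5:44444 500",
]

if __name__ == "__main__":
    for victim, info in analyze_lines(SAMPLE_FLOWS).items():
        print(f"possible CLDAP reflection against {victim}: {info}")
```

On the sample data only 203.0.113.5 is reported (four reflectors, 11,800 bytes, zero bytes of outbound queries); the single legitimate lookup by 192.0.2.30 stays below the reflector threshold and has matching outbound traffic. In a real deployment the thresholds would be tuned to the network's baseline, and the same logic applied to port 389 on your own address space in the reverse direction tells you whether you are hosting one of the open reflectors the article counts.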

Fodcha also profits from renting its firepower to other cybercriminals who launch DDoS attacks on their own targets. In its attack campaigns, the botnet's latest version extorts 10 XMR (Monero, approximately $1,500) from victims to stop the DDoS attacks on their servers.

Because Monero is a privacy coin, researchers will have a hard time tracing the transactions.
