@wrdlbrmpft
60 followers · 777 posts · Server social.tchncs.de

After more than a week we have now actually received information that, should it come to that, would certainly have saved time if we had had it beforehand. There is nothing secret or new about it either:

sentinelone.com/labs/noname057
decoded.avast.io/martinchlumec

#DDOSIA #ddos #noname5716

Last updated 1 year ago

Day 5️⃣8️⃣ of : I was stoked this morning when I got a hit from the machO tag in MalwareBazaar 🎉 twitter.com/geenensp uploaded some samples of the ddosia/GoStresser botnet client, which is a Go app that users self-infect (??) with for the cause. Writing a signature is pretty easy using the Go package/struct names, file names, and a regex pattern the app uses, so with that down, what else is interesting in here? 🤔

The most fun part is the main.BackendLink global, which embeds the C2 server's IP address of 94[.]140[.]115[.]129 - using this we can see the C2 server is still online, pull its targeting list and check out who's next.

If you need yet another reason to detect unexpected VPN clients, add Surfshark 🦈 to the list - the botnet operators specifically call it out: before joining their network, clients should enable it (see web.archive.org/web/2022101318).

YARA: github.com/shellcromancer/Days

#100DaysofYARA #DDOSIA #go_stresser #ioc

Last updated 1 year ago
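As an added illustration of the signature approach the post describes (not a rule from the post author's github.com/shellcromancer/Days repo, and not the project's own code), the following YARA rule keys on the Mach-O header, the generic "Go build ID:" marker that the Go linker writes into its binaries, and the two indicators the post actually quotes: the main.BackendLink symbol and the C2 address. The Mach-O magic values and the Go build-ID marker are assumptions about the file format, not values taken from the post; the other package/struct and file-name strings the post mentions are not quoted there, so this rule does not guess them.

```yara
// Added example rule, not from the github.com/shellcromancer/Days repository.
// From the post: the main.BackendLink symbol and the C2 address.
// Assumed (generic): Mach-O magic values and the "Go build ID:" note that the
// Go linker embeds in every binary it produces.
rule go_ddos_client_backendlink_example
{
    meta:
        description = "Illustrative: Mach-O Go binary carrying the main.BackendLink symbol or the C2 address quoted in the post"
        author      = "added example, not the post author's rule"

    strings:
        // Go linker build-ID note, present in Go-built executables
        $go_buildid = "Go build ID:" ascii

        // Global symbol name quoted in the post; survives in the Go symbol
        // table unless the binary was stripped
        $sym_backendlink = "main.BackendLink" ascii

        // C2 address from the post, de-fanged there as 94[.]140[.]115[.]129
        $c2_ip = "94.140.115.129" ascii

    condition:
        // Mach-O thin header (32/64-bit, either endianness) or fat header
        (
            uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf or
            uint32(0) == 0xcefaedfe or uint32(0) == 0xcffaedfe or
            uint32be(0) == 0xcafebabe
        )
        and $go_buildid
        and ($sym_backendlink or $c2_ip)
}
```

Run it over a sample directory with `yara -r rule.yar samples/`. Requiring the Go build-ID marker alongside the Mach-O check keeps the fat-header magic (which Java class files share) from producing stray hits, and gating on either the symbol name or the embedded address means a rebuilt client that changes its C2 address but keeps its source layout still matches on main.BackendLink.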

Tarnkappe.info · @tarnkappeinfo
1529 followers · 3787 posts · Server social.tchncs.de