Day 5️⃣8️⃣ of #100DaysofYARA: I was stoked this morning when I got a hit from the machO tag in MalwareBazaar 🎉 https://twitter.com/geenensp uploaded some samples of the ddosia/GoStresser botnet client, which is a Go app that users self-infect with (??) for the cause. Writing a signature is pretty easy using the Go package/struct names, file names, and a regex pattern the app uses, so with that down, what else is interesting in here? 🤔
The most fun part is the main.BackendLink global, which embeds the C2 server's IP address of 94[.]140[.]115[.]129 - using this we can see the C2 server is still online, pull its targeting list and check out who's next.
If you need yet another reason to detect unexpected VPN clients, add Surfshark 🦈 to the list - the botnet operators specifically call it out: before joining their network, clients should enable it (see https://web.archive.org/web/20221013185306/https://dddosia.github.io/).
YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/mal_ddosia.yar
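To show the signature approach the thread describes (Mach-O header check, Go runtime markers, the main.BackendLink global and the embedded C2 address), here is an added illustrative rule; it is not the author's linked rule, and the Go package path and source file name strings are placeholders, since the thread does not list the real ones.

```yara
// Added illustration of the detection approach described in the thread.
// Only main.BackendLink and the (re-fanged) C2 IP come from the thread; the
// package path and file name strings are PLACEHOLDERS to be replaced with the
// Go identifiers recovered from an actual sample.
rule mal_go_ddosia_macho_illustrative
{
    meta:
        description = "Illustrative Mach-O Go DDoSia client detection (placeholders marked)"
        reference   = "https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/mal_ddosia.yar"

    strings:
        // Markers present in statically linked Go binaries
        $go_buildid = "Go build ID:" ascii
        $go_runtime = "runtime.main" ascii

        // Global that the thread says embeds the C2 address
        $sym_backend = "main.BackendLink" ascii

        // C2 address from the thread, re-fanged so it matches the raw bytes
        $c2_ip = "94.140.115.129" ascii

        // PLACEHOLDERS: swap in the package/struct names and source file
        // names pulled from the sample (e.g. from the pclntab symbol names)
        $pkg_placeholder  = "PLACEHOLDER/go/package/path" ascii
        $file_placeholder = "PLACEHOLDER_source_file.go" ascii

    condition:
        // Mach-O magic: 64-bit or 32-bit little-endian, or a fat/universal header
        (uint32(0) == 0xfeedfacf or uint32(0) == 0xfeedface or uint32be(0) == 0xcafebabe)
        and 1 of ($go_*)
        and (
            // Either the hard-coded C2 address itself ...
            $c2_ip
            // ... or the BackendLink global plus one sample-specific Go name,
            // so the rule keeps matching if a rebuild changes the IP
            or ($sym_backend and 1 of ($pkg_placeholder, $file_placeholder))
        )
}
```

The raw magic checks are used instead of YARA's macho module so the rule compiles without module support; the $c2_ip branch is the IOC the thread walks through, and the second branch is what survives an IP rotation.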
#100DaysofYARA #DDOSIA #go_stresser #ioc