Qihoo 360 researchers have discovered a brand new gargantuan botnet capable of launching more than 100 attacks every day.
The threat actor targets devices such as routers, DVRs and servers with malware known as Fodcha. In less than a month, the researchers found, the threat actors managed to infect more than 62,000 devices with the Fodcha malware.
At any one time, around 10,000 devices are being used to launch Distributed Denial of Service (DDoS) attacks, using the services of China Unicom (59%) and China Telecom (39%).
Target hundreds of victims daily
“Based on direct data from the security community we worked with, the number of daily live bots is over 56,000,” the researchers reportedly said. “The global infection seems quite large because in China alone there are over 10,000 daily active bots (IPs) and also over 100 DDoS victims targeted daily.”
To compromise endpoints, attackers use a host of exploits that exploit n-day vulnerabilities in devices and services, including Android ADB Debug Server RCE, Realtek Jungle SDK, TOTOLINK routers, ZHONE routers, and others.
Additionally, the botnet targets MIPS, MPSL, ARM, x86, and other CPU architectures.
The initial domain used for command and control (C2), folded[.]in, was closed by the seller on March 19, the researchers added. After that, threat actors migrated to fridgexperts[.]CC.
“The switch from v1 to v2 is due to the fact that the C2 servers corresponding to the v1 version were stopped by their cloud provider, so the Fodcha operators had no choice but to relaunch the v2 and to update C2,” the researchers said.
“The new C2 is mapped to more than a dozen IP addresses and is distributed in multiple countries including the United States, Korea, Japan and India, it involves more cloud providers such as Amazon , DediPath, DigitalOcean, Linode and many more.”