A fast-growing botnet is enslaving routers, DVRs, and servers across the Internet to launch distributed denial-of-service (DDoS) attacks on over 100 victims per day. Between March 29 and April 10, this newly found malware, dubbed Fodcha by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), infected almost 62,000 devices.
The number of unique IP addresses linked to the botnet also fluctuates: 360 Netlab tracks a 10,000-strong army of Fodcha bots using Chinese IP addresses every day, most of them on China Unicom (59.9%) and China Telecom (39.4%) networks. Fodcha invades new devices by exploiting n-day vulnerabilities in a range of devices and by employing the Crazyfia brute-force cracking tool.
The Fodcha botnet targets a variety of devices and services, including but not limited to:
- Android: Android ADB Debug Server RCE
- GitLab: CVE-2021-22205
- LILIN DVR: LILIN DVR RCE
- Realtek Jungle SDK: CVE-2021-35394
- ZHONE Router: ZHONE Router Web RCE
- TOTOLINK Routers: TOTOLINK Routers Backdoor
- MVPower DVR: JAWS Webserver unauthenticated shell command execution
After gaining access to vulnerable Internet-exposed devices, Fodcha operators use the Crazyfia scan results to deliver the malware payload. According to 360 Netlab, the botnet samples target MIPS, ARM, x86, MPSL, and other CPU architectures. The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it moved to fridgexperts[.]cc after the cloud vendor shut down the first C2 domain.
“The shift from v1 to v2 is due to the fact that the C2 servers corresponding to the v1 version were shut down by their cloud vendor, so Fodcha’s operators had no choice but to re-launch v2 and update C2,” said the researchers. “The new C2 is mapped to more than a dozen IPs and is distributed across multiple countries including the US, Korea, Japan, and India; it involves more cloud providers such as Amazon, DediPath, DigitalOcean, Linode, and many others.”
Further information on how the botnet functions, along with indicators of compromise, can be found at the end of the 360 Netlab report.