The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks.
"CatDDoS-related gangs' samples have used a large number of known vulnerabilities to deliver samples," the QiAnXin XLab team said. "Additionally, the maximum number of targets has been observed to exceed 300+ per day."
The flaws impact routers, networking gear, and other devices from vendors such as Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, and Zyxel, among others.
CatDDoS was previously documented by QiAnXin and NSFOCUS in late 2023, describing it as a Mirai botnet variant capable of performing DDoS attacks using UDP, TCP, and other methods.
First emerged in the wild in August 2023, the malware gets its name owing to cat-related references such as "catddos.pirate" and "password_meow" in the artifact source code and the command-and-control (C2) domain names.
A majority of the attack targets of the malware are located in China, followed by the U.S., Japan, Singapore, France, Canada, the U.K., Bulgaria, Germany, the Netherlands, and India, according to information shared by NSFOCUS as of October 2023.
Besides using the ChaCha20 algorithm to encrypt communications with the C2 server, it makes use of an OpenNIC domain for C2 in an attempt to evade detection, a technique previously adopted by another Mirai-based DDoS botnet called Fodcha.
In an interesting twist, CatDDoS also shares the same key/nonce pair for the ChaCha20 algorithm as three other DDoS botnets named hailBot, VapeBot, and Woodman.
XLab said the attacks are primarily focused on countries such as the U.S., France, Germany, Brazil, and China, spanning cloud service providers, education, scientific research, information transmission, public administration, construction, and other industries.
It's suspected that the original authors behind the malware shut down their operations in December 2023, but not before putting up the source code for sale in a dedicated Telegram group.
"Due to the sale or leak of the source code, new variants emerged, such as RebirthLTD, Komaru, Cecilio Network, etc. after the shutdown," the researchers said. "Although the different variants may be managed by different groups, there is little variation in the code, communication design, strings, decryption methods, etc."
Researchers Demonstrate DNSBomb
The disclosure comes as details have emerged about a practical and potent "pulsing" denial-of-service (PDoS) attack technique dubbed DNSBomb (CVE-2024-33655) that, as the name implies, exploits the Domain Name System (DNS) queries and responses to achieve an amplification factor of 20,000x.
The attack, at its core, capitalizes on legitimate DNS features such as query rate limits, query-response timeouts, query aggregation, and maximum response size settings to create timed floods of responses using a maliciously designed authority and a vulnerable recursive resolver.
"DNSBomb exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems," Xiang Li, a Ph.D. candidate at the Tsinghua University NISL Lab, said.
"The attack strategy involves IP-spoofing multiple DNS queries to a domain controlled by the attacker, then withholding responses to aggregate multiple replies. DNSBomb aims to overwhelm victims with periodic bursts of amplified traffic that are challenging to detect."
The findings were presented at the 45th IEEE Symposium on Security and Privacy held in San Francisco last week and previously at the GEEKCON 2023 event that took place in Shanghai in October 2023.
The Internet Systems Consortium (ISC), which develops and maintains the BIND software suite, said it's not vulnerable to DNSBomb, adding that the existing mitigations are enough to safeguard against risks posed by the attack.