
CatDDoS Botnet

Researchers analyzing the more active mainstream DDoS botnets have reported a surge in attack activity by CatDDoS-related cybergangs. In the course of their investigation, the experts confirmed that the cybercriminals exploited over 80 vulnerabilities to compromise targeted devices in the span of just three months. Additionally, the number of targets was observed to peak at more than 300 per day. The goal of the attackers is to infiltrate the vulnerable devices and hijack them into a botnet used to carry out distributed denial-of-service (DDoS) attacks.

Cybercriminals Abuse Numerous Vulnerabilities to Deliver the CatDDoS Botnet

These vulnerabilities impact a wide range of devices including routers, networking equipment, and other hardware supplied by various vendors like Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, Zyxel and others. Researchers have pointed out that certain vulnerabilities remain unidentified, possibly being 0-day vulnerabilities under specific conditions.

CatDDoS Is Based on the Infamous Mirai Botnet

CatDDoS has been a variant of Mirai since its inception. It derives its name from the inclusion of 'cat' and 'meow' in early domain names and samples, indicating an affinity for feline themes on the part of its creator. The botnet initially surfaced in August 2023, and its recent iterations show minimal changes in communication methods compared to the earlier versions.

There's speculation among researchers that CatDDoS might have been shut down late last year. Nevertheless, the threat's source code was either sold by its creators or leaked independently. Consequently, new iterations like RebirthLTD, Komaru, Cecilio Network, among others, have emerged as a result.

Several Cybercriminal Groups Have Created Their Own CatDDoS Botnet Variants

While various groups may oversee different iterations of the CatDDoS Botnet, there's minimal divergence in code structure, communication protocols, string patterns, decryption methodologies, and other aspects. Consequently, researchers have consolidated these variants into a unified cluster known as the CatDDoS-related gangs.

Among the more recent active variants are v-2.0.4 (CatDDoS) and v-Rebirth (RebirthLTD), both employing ChaCha20 encryption for data transmission with identical keys and nonces. The main difference is that v-2.0.4 uses an OpenNIC domain as its Command-and-Control (C2) domain name. While RebirthLTD initially used Mirai's original code, it later transitioned to CatDDoS's codebase and is undergoing frequent updates.

In essence, the CatDDoS-related samples have undergone minimal alterations compared to earlier versions. Some minor adjustments have been implemented to enhance the complexity of reverse engineering. Thus, the consensus is that while changes exist, they are relatively limited.

A Diverse Set of Targets Observed in the CatDDoS Botnet Attack Operations

As of October 2023, the majority of targets hit by the malware were situated in China, followed by the U.S., Japan, Singapore, France, Canada, the U.K., Bulgaria, Germany, the Netherlands, and India.

Since then, researchers have observed a shift in focus towards countries such as the U.S., France, Germany, Brazil, and China. The targets span various industries, including cloud service providers, education, scientific research, information transmission, public administration, and construction.

Notably, in addition to employing the ChaCha20 algorithm for encrypting communications with the C2 server, the malware utilizes an OpenNIC domain for C2, a tactic previously utilized by another Mirai-based DDoS botnet known as Fodcha. Intriguingly, CatDDoS shares the same key/nonce pair for the ChaCha20 algorithm with three other DDoS botnets named hailBot, VapeBot, and Woodman.
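Why a key/nonce pair shared across samples matters to analysts is easiest to see in code. The following Python, added here as an illustration and not taken from the report or from any botnet sample, implements ChaCha20 per RFC 8439 and shows two consequences: one recovered pair decrypts captured C2 traffic from every variant that reuses it, and even without the key, two ciphertexts under the same keystream XOR to the XOR of their plaintexts. The key, nonce and messages are constructed placeholders, not CatDDoS's real values.

```python
import struct

MASK32 = 0xffffffff

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block per RFC 8439 (32-byte key, 12-byte nonce)."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(s[i] + init[i]) & MASK32 for i in range(16)])

def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, nonce, counter + off // 64)
        out += bytes(x ^ k for x, k in zip(data[off:off + 64], block))
    return bytes(out)

def keystream_reuse_leak(ct_a, ct_b):
    """With one key/nonce reused, ct_a XOR ct_b == pt_a XOR pt_b: the keystream cancels out."""
    return bytes(x ^ y for x, y in zip(ct_a, ct_b))

# Constructed placeholder key/nonce (NOT the real CatDDoS values) and two constructed
# C2 messages standing in for captured traffic from two variants that share the pair.
SHARED_KEY = bytes(range(32))
SHARED_NONCE = b"\x00" * 12
MSG_VARIANT_A = b"variant-a heartbeat 0001"
MSG_VARIANT_B = b"variant-b heartbeat 0002"

if __name__ == "__main__":
    ct_a = chacha20_xor(SHARED_KEY, SHARED_NONCE, MSG_VARIANT_A)
    ct_b = chacha20_xor(SHARED_KEY, SHARED_NONCE, MSG_VARIANT_B)
    # One recovered pair decrypts both variants' traffic.
    print(chacha20_xor(SHARED_KEY, SHARED_NONCE, ct_a), chacha20_xor(SHARED_KEY, SHARED_NONCE, ct_b))
    # Without the key, the reused keystream still leaks plaintext relationships.
    print(keystream_reuse_leak(ct_a, ct_b) == keystream_reuse_leak(MSG_VARIANT_A, MSG_VARIANT_B))
```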
