Fodcha Botnet Description
A new botnet named Fodcha is rapidly growing by incorporating vulnerable devices into its army of bots. Its operators have used it to launch DDoS (Distributed Denial-of-Service) attacks against more than a hundred victims each day. The activity was identified by researchers at Qihoo 360's Network Security Research Lab (360 Netlab) and, according to their estimates, Fodcha spread to over 62,000 devices between March 29 and April 10, 2022.
Fodcha relies on N-day vulnerabilities, as well as brute-force tactics, to compromise its targeted devices, which include routers, DVRs and servers. More specifically, some of the products that the botnet targets are Realtek Jungle SDK, MVPower DVR, LILIN DVR, TOTOLINK and ZHONE routers, among others. The targeted architectures include MIPS, MPSL, ARM, x86 and more. For its brute-force attempts, Fodcha uses a cracking tool known as Crazyfia.
It should be noted that the operators of the Fodcha botnet were forced to switch their Command-and-Control (C2, C&C) servers after their initial cloud vendor took them down. The second infrastructure operates out of the fridgexperts[.]cc domain and is mapped to over 12 IPs, distributed among several countries including Korea, Japan, India and the US. To avoid a repeat of the first takedown, the threat actors now use more cloud providers, including Amazon, DigitalOcean, Linode, DediPath and others.
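The one network indicator this description gives defenders is the C2 domain, published in defanged form. The script below is an added example, not code from the article or from 360 Netlab: it refangs that indicator and scans DNS query logs for lookups of the domain or any of its subdomains, matching on label boundaries so that lookalike names do not trigger a false alert. The log lines, client IPs and the simplified BIND-style format are constructed for the example; only the domain itself comes from the write-up.

```python
"""Flag DNS queries for the Fodcha C2 domain named in the description (added example)."""
import re

# Indicator exactly as the article publishes it (defanged with "[.]" so it is not resolved by accident).
FODCHA_C2_DOMAIN_DEFANGED = "fridgexperts[.]cc"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its real form for matching."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .lower())


def matches_domain(query: str, c2_domain: str) -> bool:
    """True when `query` is the C2 domain itself or a subdomain of it.

    A plain substring test would also flag lookalikes such as 'notfridgexperts.cc',
    so the comparison is done on a label boundary. Case and a trailing root dot
    are normalised away, since resolvers log both variants.
    """
    q = query.lower().rstrip(".")
    return q == c2_domain or q.endswith("." + c2_domain)


# Constructed sample lines (hypothetical addresses; simplified BIND query-log layout, not from the article).
SAMPLE_DNS_LOG = """\
10-Apr-2022 08:01:12.003 client 10.0.0.15#53211: query: api.example.org IN A
10-Apr-2022 08:01:13.118 client 10.0.0.42#40110: query: fridgexperts.cc IN A
10-Apr-2022 08:01:13.990 client 10.0.0.42#40112: query: cdn.fridgexperts.cc IN A
10-Apr-2022 08:01:15.221 client 10.0.0.77#51002: query: notfridgexperts.cc IN A
10-Apr-2022 08:01:16.417 client 10.0.0.42#40115: query: FRIDGEXPERTS.CC. IN AAAA
"""

# Pulls the client address, queried name and record type out of one log line.
LOG_LINE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def find_c2_queries(log_text: str, defanged_indicator: str = FODCHA_C2_DOMAIN_DEFANGED) -> list[dict]:
    """Return one record per log line whose queried name belongs to the C2 domain."""
    c2 = refang(defanged_indicator)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m and matches_domain(m.group("qname"), c2):
            hits.append({"src": m.group("src"), "qname": m.group("qname"), "qtype": m.group("qtype")})
    return hits


if __name__ == "__main__":
    for hit in find_c2_queries(SAMPLE_DNS_LOG):
        print(f"ALERT possible Fodcha C2 lookup: {hit['src']} -> {hit['qname']} ({hit['qtype']})")
```

On the sample above the scan reports three lookups, all from the same constructed client 10.0.0.42, and ignores the lookalike domain on the fourth line. Because the operators moved to new hosting once already, the IP list behind the domain is the more volatile indicator; matching on the domain name in resolver logs survives that churn.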