Every day, the Fodcha DDoS botnet hits over 100 victims


Every day, a rapidly expanding botnet ensnares routers, DVRs, and servers across the Internet to target more than 100 victims in distributed denial-of-service (DDoS) attacks.

Between March 29 and April 10, this newly found malware, dubbed Fodcha by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), infected almost 62,000 computers.

The number of unique IP addresses associated with the botnet fluctuates as well: 360 Netlab reports tracking a 10,000-strong Fodcha army of bots using Chinese IP addresses every day, most of them on the networks of China Unicom (59.9 per cent) and China Telecom (39.4 per cent).

"Based on firsthand data from the security community with which we collaborated, the number of daily live bots exceeds 56000," Netlab claimed.

"The global infection appears to be very large, with more than 10,000 daily active bots (IPs) and more than 100 DDoS victims being attacked on a daily basis solely in China."

Live bots with Chinese IP addresses on a daily basis (Netlab)

Exploits and brute-force attacks are used to spread the virus

Fodcha infects new devices by exploiting n-day vulnerabilities in various devices and by using a brute-force cracking tool known as Crazyfia.

The Fodcha botnet targets, among other things, the following devices and services:
After gaining access to vulnerable Internet-exposed devices, Fodcha operators use Crazyfia scan results to deploy the malware payload. According to 360 Netlab, the botnet samples target MIPS, MPSL, ARM, x86, and other CPU architectures.

The botnet had been using the folded[.]in command-and-control (C2) domain since January 2022, until March 19, when it switched to fridgexperts[.]cc after the cloud vendor took down the original C2 domain.

Fodcha C2 domain switch (Netlab)

"The switch from v1 to v2 is owing to the fact that their cloud vendor shut down the C2 servers corresponding to the v1 version, so Fodcha's operators had no alternative but to re-launch v2 and upgrade C2," the researchers found.

"The new C2 is mapped to more than a dozen IP addresses and is scattered throughout numerous countries, including the United States, Korea, Japan, and India; it includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and many others."
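Indicators like the two C2 domains above are published defanged and are meant to be re-fanged and matched against DNS resolver logs, including subdomains. The following is an added example, not code from the article or from 360 Netlab; the log lines are constructed, and the v1/v2 labels and cut-over date follow the article's description:

```python
import re

# Known Fodcha C2 domains as reported in the article, written defanged.
# The v1/v2 labels and the cut-over date follow the article's description.
FODCHA_C2 = {
    "folded[.]in": "v1 (used from January 2022 until March 19, 2022)",
    "fridgexperts[.]cc": "v2 (used from March 19, 2022)",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('folded[.]in') back into a usable domain."""
    return indicator.lower().replace("[.]", ".").replace("(.)", ".")

def domain_matches(qname: str, c2_domain: str) -> bool:
    """True if qname is the C2 domain or a subdomain of it.
    The leading dot check avoids false hits such as 'notfolded.in'."""
    qname = qname.lower().rstrip(".")
    return qname == c2_domain or qname.endswith("." + c2_domain)

# Constructed DNS-resolver log lines (not real data): timestamp, client, query.
SAMPLE_DNS_LOG = """\
2022-03-18T10:01:07Z 10.0.5.14 query A folded.in
2022-03-18T10:01:09Z 10.0.5.14 query A www.example.com
2022-03-21T22:14:33Z 10.0.5.14 query A fridgexperts.cc
2022-03-21T22:15:02Z 10.0.7.99 query A update.fridgexperts.cc
2022-03-22T03:00:00Z 10.0.9.2 query A notfolded.in
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")

def find_c2_lookups(log_text: str) -> list:
    """Return (timestamp, client_ip, query_name, c2_label) for every query
    that targets a known Fodcha C2 domain or one of its subdomains."""
    c2_table = {refang(d): label for d, label in FODCHA_C2.items()}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        for c2_domain, label in c2_table.items():
            if domain_matches(qname, c2_domain):
                hits.append((ts, client, qname, label))
    return hits

if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS_LOG):
        print(hit)
```

A client that resolves the v1 domain before March 19 and the v2 domain afterwards is consistent with the C2 migration the article describes.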

Further information on how the botnet works and indicators of compromise may be found towards the end of the 360 Netlab study.
