MDBotnet DDoS

New MDBotnet Unleashes DDoS Attacks

Russian Hacktivists Peddling DDoS-As-A-Service in Cyber-Crime Forum

Cyble Research and Intelligence Labs (CRIL) recently uncovered a new strain of malware named “MDBotnet” on a cybercrime forum. Our analysis indicates that the origins of this malware can be attributed to a Threat Actor (TA) associated with Russia. This MDBotnet malware has been specifically designed for carrying out distributed denial-of-service (DDoS) attacks on targeted victims by employing an HTTP/SYN flood attack technique.

A DDoS attack is a malicious attempt to disrupt the normal functioning of a computer network, service, or website by overwhelming it with a flood of internet traffic or requests. The primary objective of a DDoS attack is to disrupt the target’s operations, cause financial loss, or damage its reputation.

The price mentioned for the MDBotnet service is 2,500₽ (Russian Rubles) with a lifetime access offer. Additionally, the advertisement provides detailed information about the features included in the MDBotnet service.

The figure below illustrates the MDBotnet advertisement by the TA on a cybercrime forum.

Figure 1 – TA’s advertisement about MDBotnet on a DW forum

Technical Analysis

MDBotnet

We have taken the below sample hash for this analysis: (SHA256), ae582545c3196afa5ac6419db9d57b11633e8282f29e3cd48fe31b9dd250a963, which is a GUI-based 32-bit executable written in .NET compiler, as shown below.

Figure 2 – Static file details

The main function of the MDBotnet executable, named “SlavaRussia.exe,” is responsible for performing the malicious activities depicted in the figure below.

Figure 3 – MDBotnet main function

Upon execution, the MDBotnet executable file carries out the following actions:

  • To begin with, the malware establishes a TCP socket connection to a server by providing the server’s IP address (212[.]109[.]199[.]128) and port number (4202) obtained from the “Config” class shown in the figure below.
Figure 4 – MDBotnet config class

  • Next, the malware retrieves the path of the %appdata% folder and verifies the presence of a specific file named “Updater.exe” within that directory. If the file is not found, it sends a “GET_UPDATER” message to the server and proceeds to invoke the GetUpdater method from the Update class (Update.GetUpdater) to download the “Updater.exe” from the server. The “Updater.exe” file is responsible for downloading the most recent version of the MDBotnet executable (“svhost.exe”) from the server.
Figure 5 – GetUpdater() method

  • Subsequently, the malware verifies whether the executing assembly is located at %appdata%\svhost.exe. If not, the malware proceeds to invoke the Start method of the Update class (Update.Start), triggering the execution of the “Updater.exe”, which downloads “svhost.exe” from C&C and drops it in the %appdata% directory.
Figure 6 – Execution of MDBotnetUpdater

The figure below shows the presence of downloaded files in the %appdata% directory by the malware.

Figure 7 – Downloaded files in the AppData folder

  • Persistence: Then, the botnet creates a registry key that ensures the “svhost.exe” runs automatically during startup, as shown below.
Figure 8 – Persistence

  • Finally, the malware enters into an infinite loop where it receives data from the server and performs actions based on the received commands.
    • If the “UPDATE” command is received, it calls the Start method of the Update class to execute the “Updater.exe”, which downloads the latest “svhost.exe” from the remote server.
    • If the “HTTP_GET” command is received, it calls the Start method of the HTTPGetAttack class, passing the argument (URL) extracted from the command sent by the C&C server.

HTTPGetAttack

The primary objective of the HTTPGetAttack class is to carry out a distributed denial-of-service (DDoS) attack by sending repetitive HTTP GET requests to a designated URL. The Start method initiates a new thread responsible for executing the attack (HTTPGetAttack.Start). In contrast, the HTTPAttack method continually generates additional threads to send the HTTP GET requests (HTTPGetAttack.HTTPAttack), as shown in the below figure.

Figure 9 – HttpGetAttack class to perform DDoS attack

SYNAttack

MDBotnet malware can launch a SYN flood attack, also called a “SYNAttack”. This type of cyber-attack focuses on exploiting the Transmission Control Protocol (TCP) handshake process used for establishing network connections between devices. The objective of a SYN attack is to flood the targeted system with an excessive number of connection requests, leading to system overload, unresponsiveness, or even a complete crash.

It’s worth noting that in the analyzed sample, the utilization of the SYNAttack class may have been disabled during the creation of the executable binary. The below figure shows the assembly code of SYNAttack class.

Figure 10 – SYNAttack class

MDBotnetUpdater (Updater.exe)

The main purpose of the “Updater.exe” file is to download the most recent version of the MDBotnet executable (svhost.exe) from the remote server.

The code begins by sleeping for 2000 milliseconds (2 seconds) using the Thread.Sleep method. Then, the malware establishes a connection to the server using the Connect method, providing the server’s IP address and port obtained from the “Config” class.

After that, the MDBotnetUpdater sends the string “UPDATE_CONFIRM” to the server and downloads the latest MDBotnet executable named “svhost.exe”.

Finally, the malware executes the newly downloaded file using Process.Start(), and the current process is terminated using Process.GetCurrentProcess().Kill().

The MDBotnetUpdater (Updater.exe) code snippet is illustrated in the figure below.

Figure 11 – MDBotnetUpdater main function

Conclusion

Underground forums enable cybercriminals to easily acquire malware and additional services, allowing them to engage in financial fraud, cause disruption, or inflict damage on victims without needing extensive technical expertise. The availability of malware bots and related services has significantly heightened the vulnerability of individuals and organizations to cyber-attacks, including DDoS attacks.

Currently, the TAs responsible for MDBotnet are actively involved but with limited functionalities. Although the code for the SYN flood attack is present in the malware, it remains inactive, indicating that the malware is still in development. This implies that upcoming versions of MDBotnet might feature enhanced utilization of various DDoS techniques, encompassing a broader range of attack methods.

CRIL will continue to monitor MDBotnet developments and keep our readers aware and informed.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Update and upgrade your computer, mobile, and other connected devices.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Execution T1204 User Execution
PersistenceT1547Registry Run Keys / Startup Folder
Defense EvasionT1497Masquerading
Discovery   T1057
T1012
T1083
Process Discovery
Query Registry
File and Directory Discovery
Command and
Control
T1105
T1571
Ingress Tool Transfer
Non-Standard Port

Indicators Of Compromise

IndicatorsIndicator TypeDescription
46a3d4f752c48faa8b615d58d6160f25
c0b83405c5c9e238c2cd3bc0fc2def2a3901c966
ae582545c3196afa5ac6419db9d57b11633e8282f29e3cd48fe31b9dd250a963
MD5
SHA1
SHA256
SlavaRussia.exe (MDBotnet)
4a6cb489c4efaffebd4dba83af747c76
24e6fc552344533c4723638e3f3368a57d705012
5057465f9b1ddcd2548bea636a85c0a6c8165aab05b8613fd32dfc8b354fbf35
MD5
SHA1
SHA256
MDBotnet.exe (svhost.exe)
32763009fd26a7190941e502fc2411c4
bfd7a44a627a4a0ce372da9d8d4baa080aa928fa
d5a7efbb50fee2d47c447a0981fc2cea6fc56ed2251e81271b90ef829a0f4c8c
MD5
SHA1
SHA256
MDBotnetUpdater (Updater.exe)
212[.]109[.]199[.]128:4202IP: PortC&C

Scroll to Top