The malicious entities orchestrating the CatDDoS malware botnet have exploited more than 80 known security vulnerabilities across various software platforms in the past quarter, commandeering susceptible devices into a botnet designed for distributed denial-of-service (DDoS) attacks.
“CatDDoS-affiliated collectives have leveraged a multitude of recognized vulnerabilities to disseminate their samples,” stated the QiAnXin XLab team. “Furthermore, the daily maximum number of targets has been observed to surpass 300+.”
The vulnerabilities affect routers, networking equipment, and other devices, as well as server software, from vendors and projects such as Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, and Zyxel, among others.
First identified by QiAnXin and NSFOCUS in late 2023, CatDDoS is described as a Mirai botnet variant capable of executing DDoS attacks utilizing UDP, TCP, and other methodologies.
The malware, which first appeared in August 2023, derives its name from the cat-themed strings in its code, such as “catddos.pirate” and “password_meow”, which are used for command-and-control (C2) domains.
The primary targets of the malware are situated in China, followed by the United States, Japan, Singapore, France, Canada, the United Kingdom, Bulgaria, Germany, the Netherlands, and India, according to data shared by NSFOCUS as of October 2023.
Utilizing the ChaCha20 algorithm to encrypt communications with the C2 server, the malware also employs an OpenNIC domain for C2 to evade detection, a technique previously adopted by another Mirai-based DDoS botnet named Fodcha.
Interestingly, CatDDoS shares the same key/nonce pair for the ChaCha20 algorithm as three other DDoS botnets known as hailBot, VapeBot, and Woodman.
The XLab team noted that the attacks are primarily concentrated on countries such as the U.S., France, Germany, Brazil, and China, targeting sectors including cloud service providers, education, scientific research, information transmission, public administration, construction, and other industries.
It is speculated that the original developers of the malware ceased operations in December 2023, but not before selling the source code in a dedicated Telegram group.
“Due to the sale or leak of the source code, new variants have emerged, such as RebirthLTD, Komaru, Cecilio Network, etc. post-shutdown,” the researchers elaborated. “Although these variants may be operated by different groups, there is minimal variation in the code, communication design, strings, decryption methods, etc.”
Researchers Unveil DNSBomb
Simultaneously, revelations have surfaced regarding a formidable “pulsing” denial-of-service (PDoS) attack technique named DNSBomb (CVE-2024-33655). This method, as implied by its name, exploits DNS queries and responses to achieve an amplification factor of 20,000x.
At its core, the attack leverages legitimate DNS features such as query rate limits, query-response timeouts, query aggregation, and maximum response size settings to create synchronized floods of responses, using an attacker-controlled authoritative server together with a vulnerable recursive resolver.
“DNSBomb exploits multiple widely-implemented DNS mechanisms to amass DNS queries sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems,” explained Xiang Li, a Ph.D. candidate at Tsinghua University NISL Lab.
“The attack strategy involves IP-spoofing multiple DNS queries to a domain controlled by the attacker, then withholding responses to aggregate multiple replies. DNSBomb aims to inundate victims with periodic bursts of amplified traffic that are challenging to detect.”
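The timing mechanism described above, modelled as an added example that is not code from the researchers or from this article: a resolver releasing a batch of withheld responses in one burst, the bandwidth amplification that results, and a per-destination burst detector a resolver operator could run over its own response logs. Every rate, size, address and threshold here is a constructed illustrative value, not a figure from the paper.

```python
from collections import defaultdict

# Constructed parameters (illustrative, not the paper's measurements).
QUERY_RATE = 1.0        # spoofed queries per second, kept below typical rate limits
HOLD_S = 10.0           # the authoritative server withholds answers for this long
RESPONSE_BYTES = 4096   # oversized answer: the amplification half of the attack
QUERY_BYTES = 64        # size of each spoofed query

def dnsbomb_pulse(victim, rate=QUERY_RATE, hold=HOLD_S, size=RESPONSE_BYTES):
    """Responses the resolver releases toward `victim` as (t, dest, bytes).
    The n queries held until t=hold are all answered at once, so the n
    responses leave the resolver within a few milliseconds of each other."""
    n = int(rate * hold)
    return [(hold + i * 0.0005, victim, size) for i in range(n)]

def steady_traffic(client, seconds, size=512):
    """Benign baseline: one ordinary response per second to a normal client."""
    return [(float(t), client, size) for t in range(int(seconds))]

def amplification(events, rate=QUERY_RATE, qsize=QUERY_BYTES):
    """Pulse bit-rate divided by the attacker's own sending bit-rate."""
    times = [t for t, _, _ in events]
    burst_s = max(max(times) - min(times), 1e-3)
    out_bps = sum(b for _, _, b in events) / burst_s
    return out_bps / (rate * qsize)

def detect_pulses(events, span_s, bucket_s=0.1, min_bytes=8192, factor=50):
    """Flag (dest, bucket_start) when a single bucket carries at least
    min_bytes and at least `factor` times that destination's average
    per-bucket volume over the observation span. A steady client never
    concentrates its traffic this way; a pulse does by construction."""
    per_dest = defaultdict(lambda: defaultdict(int))
    for t, dest, nbytes in events:
        per_dest[dest][int(t / bucket_s)] += nbytes
    n_buckets = max(1, int(span_s / bucket_s))
    alerts = []
    for dest, buckets in per_dest.items():
        avg = sum(buckets.values()) / n_buckets
        for idx, nbytes in sorted(buckets.items()):
            if nbytes >= min_bytes and nbytes >= factor * avg:
                alerts.append((dest, round(idx * bucket_s, 1)))
    return alerts

if __name__ == "__main__":
    pulse = dnsbomb_pulse("203.0.113.7")
    events = pulse + steady_traffic("198.51.100.2", 12)
    print("bandwidth amplification: x%.0f" % amplification(pulse))
    print("pulse alerts:", detect_pulses(events, span_s=12))
```

The detector keys on concentration in time per destination rather than on raw query rate, because the queries themselves arrive slowly enough to pass per-client rate limits; only the synchronized release stands out.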
These findings were presented at the 45th IEEE Symposium on Security and Privacy in San Francisco last week and previously at the GEEKCON 2023 event in Shanghai in October 2023.
The Internet Systems Consortium (ISC), which develops and maintains the BIND software suite, stated that BIND is not vulnerable to DNSBomb, adding that existing mitigations are sufficient to protect against the risks posed by the attack.