CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS) attacks are actively exploited by hackers. 

Sometimes, DDoS attacks are used as a distraction from other criminal activities, for extortion, to gain a competitive advantage, or for ideological reasons. 

If resources are crushed by false requests originating from different compromised devices simultaneously, attackers can effectively lock out genuine users from the affected platform.

Cybersecurity researchers at XLab recently discovered that CatDDoS has been actively exploiting over 80 vulnerabilities and attacking more than 300 targets daily.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Analysis

With recent observations, XLab’s CTIA system has been closely monitoring very active DDoS botnets that have always been prolific and persistent threats posed by CatDDoS-related syndicates. 

These actors have taken advantage of over 80 campaign vulnerabilities during the last three months. 

Even more disturbing is that the maximum number of targets in one day exceeded 300, illustrating the scale and gravity of these DDoS attacks. 

According to XLab’s data, over the past three months, more than 80 known vulnerabilities have been exploited by CatDDoS-affiliated groups. 

Using “Cacti-n0day” and “skylab0day” as parameter names indicates they may use 0-day exploits. 

Historic data shows that these actors target victims globally, mostly in the US, France, Germany, Brazil, and China, in the cloud services, education, research, telecommunications, public administration, and construction sectors.

These prolific DDoS botnet operators remain a persistent threat due to the wide distribution and exploitation of numerous vulnerabilities.

The CatDDoS botnet, a Mirai variant known by its cat-related nickname, launched multiple 60-second DDoS attacks on Shanghai Network Technology Co., LTD. tagged as “atk_0” after 9 PM of April 7th, 2024.

According to reports, it closed down in December 2023 after a source code leak, but other versions, such as RebirthLTD and Komaru, appeared immediately that exploited the compromised codebase.

These variants had many similarities in code, communication design, and decryption methods even though they were operated by different groups, collectively called “CatDDoS-related gangs.”

OpenNIC domains were used by active variants “v-2.0.4” and “v-Rebirth,” which utilized chacha20 encryption, respectively.

In general, changes from the original mostly focused on obfuscation techniques, such as removing symbols or modifying shells, to hinder analysis.

The v-snow_slide variant, believed to have been created by the defunct Aterna group, retained some Fodcha code commonalities specifically in its output “snow slide,” tea encryption, OpenNIC C2 domains, and shared communication protocols.

Interestingly enough it utilized taunts such as “N3tL4b360G4y” which targeted security firms during C2 check-ins.

Researchers also found instances of “template sharing” across groups involving reusing similar malware source code with slight modifications, an everyday IoT botnet activity that resulted in code homology. 

At least three other families used the CatDDoS’ chacha20 algorithm with the same key. 

Besides this, other variants’ C2 infrastructure was used as DDoS targets, pointing to deadly conflicts among operators competing for resources, which are consistent features of the IoT botnet landscape.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers