A Russian malware author is using codified tweets to start and stop DDoS attacks against desired targets.

The DDoS attacks are launched from the computers of infected users using a peculiar piece of malware, which the attacker is spreading via a booby-trapped file named "driversUpdate.exe."

New DDoS bot controlled using tweets

According to a technical analysis provided by MalwareHunter to Bleeping Computer, this new DDoS bot works by querying a Twitter account hard-coded in the malware's source code, at a predetermined time interval.

Once the malware detects a new tweet, it acts on the command it discovers there. The malware supports the following commands:

wakeup - tells bots to visit an IP address logger, used to record the IP addresses of all bots and determine the size of the botnet
target - starts a DDoS attack against the provided target
stop - stops the DDoS attack
dexe - downloads and executes a file
exe - executes CLI commands
dl - downloads a file, but checks if it already exists, beforehand
df - downloads a file without checking if the file exists
DDoS bot commands [source code reference]

DDoS bot commands

DDoS bot commands

Work of a noob

Based on an analysis of the malware's source code and the way the author has structured his DDoS botnet, it is our opinion that the individual behind this threat does not have any previous experience in malware coding.

The quality of the code lacks sophistication and sometimes takes the long road in executing basic tasks, such as, for example, starting the DDoS attack.

Just for this simple action, the malware creates a Windows form, which it then hides from the user, and simulates a user click on the "Start" button. Below is an image of the hidden form.

Windows form used to launch DDoS attacks from infected PCs
Windows form used to launch DDoS attacks from infected PCs

Furthermore, the entire botnet is prone to fail. Because the malware comes with a hard-coded Twitter account from where it reads instructions, once Twitter takes down that profile, all the attacker's bots are orphaned. The attacker wouldn't be able to reclaim his bots and will have to build another botnet from scratch.

Malware author may be Russian

Based on the tweets found in the current Twitter account used as C&C server, until now, the botnet has been used to launch short-lived DDoS attacks against Russian IP addresses.

As MalwareHunter told Bleeping Computer, this doesn't mean the malware author didn't hit other targets, as he could have very easily deleted tweets.

This particular Twitter account was registered in February 2017, it first tweeted on February 19, and is still active at the time of writing.

Commands sent out as tweets
Commands sent out as tweets

In addition, Russian words in many tweets and error messages in the DDoS bot's source code allude that the crook is a Russian speaker, with one error message spelling "Мало инфы для формирования пакета," Russian for "Not enough information to form a packet."

Error message assembled character-by-character using Cyrillic letters
Error message assembled character-by-character using Cyrillic letters

The size of this botnet is unknown, but taking into account the various mistakes the malware author made, we don't believe this is any threat to anyone.

SHA256 hash: 44fde1362b20bf47e171c80dc627095bd719e8130eb65766f2efe27368d1c4f5