A Russian malware author is using codified tweets to start and stop DDoS attacks against desired targets.
The DDoS attacks are launched from the computers of infected users using a peculiar piece of malware, which the attacker is spreading via a booby-trapped file named "driversUpdate.exe."
According to a technical analysis provided by MalwareHunter to Bleeping Computer, this new DDoS bot works by querying a Twitter account hard-coded in the malware's source code, at a predetermined time interval.
Once the malware detects a new tweet, it acts on the command it discovers there. The malware supports the following commands:
wakeup - tells bots to visit an IP address logger, used to record the IP addresses of all bots and determine the size of the botnet
target - starts a DDoS attack against the provided target
stop - stops the DDoS attack
dexe - downloads and executes a file
exe - executes CLI commands
dl - downloads a file, but checks if it already exists beforehand
df - downloads a file without checking if the file exists
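Because the bot fetches its orders by polling a single hard-coded profile at a fixed interval, the most reliable network signal for a defender is the regularity of those requests rather than their destination, which looks like ordinary social-media traffic. The following Python script is an added example, not code from the article or from MalwareHunter's analysis: it groups proxy log lines by client and URL and flags any pair that is requested at near-constant intervals. The log line format, the profile path /examplebotcc, the client addresses and the thresholds are all constructed assumptions for the example.

```python
"""Flag hosts that poll one URL at a near-constant interval (beaconing).

Input is a simplified proxy log, one request per line:
    <ISO-8601 timestamp> <client ip> <host> <path>
Any real proxy or web-filter export can be mapped onto this shape.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_HITS = 5       # fewer requests than this is not yet a pattern
MAX_JITTER = 0.15  # pstdev / mean of the gaps; smaller means more regular

# Constructed sample log (assumption, not data from the article).
# 10.0.0.5 fetches one profile about every 60 seconds;
# 10.0.0.9 is a person browsing Twitter and other sites irregularly.
SAMPLE_LOG = """\
2017-02-19T10:00:00 10.0.0.5 twitter.com /examplebotcc
2017-02-19T10:00:10 10.0.0.9 twitter.com /someuser
2017-02-19T10:00:15 10.0.0.9 twitter.com /someuser
2017-02-19T10:01:02 10.0.0.5 twitter.com /examplebotcc
2017-02-19T10:02:00 10.0.0.5 twitter.com /examplebotcc
2017-02-19T10:02:59 10.0.0.5 twitter.com /examplebotcc
2017-02-19T10:04:01 10.0.0.5 twitter.com /examplebotcc
2017-02-19T10:05:00 10.0.0.5 twitter.com /examplebotcc
2017-02-19T10:07:40 10.0.0.9 twitter.com /someuser
2017-02-19T10:12:05 10.0.0.9 news.example.net /
2017-02-19T10:30:02 10.0.0.9 twitter.com /someuser
2017-02-19T10:31:00 10.0.0.9 twitter.com /someuser
2017-02-19T11:15:22 10.0.0.9 twitter.com /someuser
"""


def parse_line(line):
    """Split one log line into (timestamp, client, host, path)."""
    ts, client, host, path = line.split()
    return datetime.fromisoformat(ts), client, host, path


def find_polling(log_text, min_hits=MIN_HITS, max_jitter=MAX_JITTER):
    """Return one finding per (client, URL) pair that is fetched at a
    regular cadence: enough hits, and gaps whose relative spread is
    below max_jitter. Human browsing has large, irregular gaps and
    therefore a high jitter value."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = parse_line(line)
        hits[(client, host, path)].append(ts)

    findings = []
    for (client, host, path), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()  # logs are not always in chronological order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "url": f"{host}{path}",
                "hits": len(times),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    # Most regular (lowest jitter) first, so the tightest beacon leads.
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in find_polling(SAMPLE_LOG):
        print(f"{f['client']} polls {f['url']} every ~{f['interval_s']}s "
              f"({f['hits']} hits, jitter {f['jitter']})")
```

The thresholds are a starting point, not a rule: a bot may add random sleep to its interval, so raise MAX_JITTER when tuning against real traffic, and pair this with a block or takedown request for the flagged profile since, as the article notes, the bots have no fallback channel once the account is gone.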
Based on an analysis of the malware's source code and the way the author has structured his DDoS botnet, it is our opinion that the individual behind this threat does not have any previous experience in malware coding.
The code lacks sophistication and sometimes takes the long road to execute basic tasks, such as starting the DDoS attack.
Just for this simple action, the malware creates a Windows form, which it then hides from the user, and simulates a user click on the "Start" button. Below is an image of the hidden form.
Furthermore, the entire botnet is prone to failure. Because the malware comes with a hard-coded Twitter account from which it reads instructions, once Twitter takes down that profile, all the attacker's bots are orphaned. The attacker would not be able to reclaim his bots and would have to build another botnet from scratch.
Based on the tweets found in the current Twitter account used as C&C server, until now, the botnet has been used to launch short-lived DDoS attacks against Russian IP addresses.
As MalwareHunter told Bleeping Computer, this doesn't mean the malware author didn't hit other targets, as he could have very easily deleted tweets.
This particular Twitter account was registered in February 2017, first tweeted on February 19, and is still active at the time of writing.
In addition, Russian words in many tweets and error messages in the DDoS bot's source code suggest that the crook is a Russian speaker, with one error message reading "Мало инфы для формирования пакета," Russian for "Not enough information to form a packet."
The size of this botnet is unknown, but taking into account the various mistakes the malware author made, we don't believe this is any threat to anyone.
SHA256 hash: 44fde1362b20bf47e171c80dc627095bd719e8130eb65766f2efe27368d1c4f5