The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. According to the QiAnXin XLab team, CatDDoS-related gangs have used a large number of these vulnerabilities to deliver malicious samples, with the maximum number of targets exceeding 300 per day.
The vulnerabilities impact a wide range of devices from numerous vendors, including Apache (ActiveMQ, Hadoop, Log4j, RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, and Zyxel. CatDDoS, which first emerged in August 2023, is a Mirai botnet variant capable of performing DDoS attacks using multiple methods such as UDP and TCP. The malware takes its name from the cat-related references in its command-and-control (C2) domains, such as “catddos.pirate” and “password_meow.”
The majority of CatDDoS’s attack targets are located in China, followed by the U.S., Japan, Singapore, France, Canada, the U.K., Bulgaria, Germany, the Netherlands, and India. Besides using the ChaCha20 algorithm to encrypt communications with the C2 server, CatDDoS employs an OpenNIC domain for its C2 to evade detection, a technique used by other Mirai-based botnets like Fodcha. Despite the original authors shutting down operations in December 2023 and selling the source code, new variants like RebirthLTD, Komaru, and Cecilio Network have emerged, managed by different groups but with little variation in their code and methods.
The disclosure coincides with details of a new pulsing denial-of-service (PDoS) attack technique dubbed DNSBomb (CVE-2024-33655), which abuses DNS queries and responses to achieve a 20,000x amplification factor. The attack uses legitimate DNS features to create timed floods of responses that overwhelm target systems. The findings, presented at the 45th IEEE Symposium on Security and Privacy, revealed that while some DNS software is vulnerable, the Internet Systems Consortium’s BIND software suite has existing mitigations that address the risks posed by DNSBomb.