Nitol (DDoS Botnet) – Malware

June 5, 2024

Nitol

Type of Malware

Botnet

Country of Origin

China

Date of initial activity

2012

Additional Names

Nitol DDoS Bot
Nitol.A
Nitol.B
Nitol.C
Nitol.TypeA
Nitol.TypeB
NitolBot
NitolDDoS

Targeted Countries

China

Motivation

Financial Gain

Attack vectors

Supply Chain Attacks

Targeted systems

Windows

Tools

  • Themida: A packing tool used to obfuscate the Nitol executable, making it harder to analyze.
  • Amadey Bot: Often installed by Nitol, this is a downloader and information stealer that can also install additional malware.
  • TeamViewer: Used in some variants to disguise the malware as legitimate remote desktop software.
  • AnyDesk: Similar to TeamViewer, used to mimic legitimate remote access tools.
  • Explorer.exe: In some variants, this file name is used to disguise the malware.
  • ServiceManager.exe: A downloader used in conjunction with other malware components.

Overview

Nitol is a sophisticated and enduring piece of malware known for its capabilities as a distributed denial-of-service (DDoS) bot. Emerging in the cyber threat landscape as a versatile tool for orchestrating large-scale DDoS attacks, Nitol has demonstrated a persistent presence in various cybercriminal activities since its inception. This malware is primarily designed to overwhelm targeted systems with an influx of malicious traffic, thereby disrupting normal operations and causing significant service outages. What distinguishes Nitol from other DDoS bots is its advanced functionality and adaptability. Beyond its primary role in executing DDoS attacks, Nitol exhibits a range of features designed to enhance its stealth and persistence. It is equipped with mechanisms to detect virtual and sandbox environments, preventing analysis and detection by security researchers. Additionally, Nitol is capable of self-replication and modification, ensuring it can evade traditional security measures and maintain a foothold on compromised systems.

Targets

Chinese citizens and corporations that bought systems shipped with a counterfeit version of Windows in which the malware had been embedded during the manufacturing process.

How they operate

Nitol’s core functionality revolves around its DDoS (Distributed Denial-of-Service) capabilities. As a DDoS bot, Nitol is designed to overwhelm target systems with excessive traffic, effectively rendering them inaccessible to legitimate users. The malware achieves this through a variety of attack vectors, including TCP SYN Floods, UDP Floods, and HTTP Floods. These attack methods exploit different aspects of network protocols to generate a flood of traffic that can cripple the target’s network infrastructure. The malware’s ability to execute these attacks is governed by a set of configurable settings that allow threat actors to tailor their assault according to the victim’s network characteristics.

One of the notable features of Nitol is its method of persistence and evasion. Upon execution, Nitol performs a series of actions to establish a foothold on the infected system. It copies itself to a location within the %APPDATA% directory, disguising its presence with a random six-character filename. Additionally, Nitol modifies the Windows Registry to ensure it runs on startup, thereby maintaining persistence even after system reboots. The malware is also equipped with anti-analysis mechanisms, such as checks for virtual and sandbox environments. By examining system parameters and loaded DLLs, Nitol can detect whether it is being executed in a controlled environment and take measures to obfuscate its behavior or terminate itself if necessary.

The command and control (C&C) architecture of Nitol is another critical aspect of its operation. The malware communicates with C&C servers to receive instructions and transmit stolen data. This communication is secured through encrypted channels, making it challenging for defenders to intercept and analyze the data flow. Nitol’s C&C functionality allows it to execute a range of commands, including initiating DDoS attacks, downloading additional payloads, and updating its own components. This versatility makes Nitol a potent tool for threat actors, enabling them to adapt their tactics and payloads based on the evolving security landscape.

In recent developments, Nitol has been observed in conjunction with other malware strains, such as Amadey. Amadey, a downloader with capabilities for credential theft and additional malware installation, has been deployed via Nitol in various attack scenarios. This symbiotic relationship between Nitol and Amadey highlights the malware’s role as a delivery mechanism for more sophisticated threats. By leveraging Nitol’s DDoS capabilities to distract and overwhelm defenses, threat actors can use Amadey to further infiltrate and compromise targeted systems.

Nitol’s impact extends beyond its immediate DDoS capabilities. The malware’s ability to serve as a delivery platform for additional malicious payloads underscores its role in broader cyberattack strategies. Organizations and individuals targeted by Nitol face not only the immediate threat of service disruption but also the long-term risks associated with additional malware infections. The use of Nitol in conjunction with other threats illustrates a growing trend in cybercrime where multi-faceted attacks are employed to maximize impact and evade detection.
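The persistence behaviour described above (a copy of the bot under %APPDATA% with a random six-character name, started from a Registry Run key) is something a defender can hunt for directly. The script below is an added example written for this article, not code from the original post or from any vendor report: it parses the text that `reg query` prints for the Run keys, pulls the executable path out of each value, and flags entries whose executable sits under AppData\Roaming and has a six-character alphanumeric basename. The registry output is constructed sample data, and the six-character-under-Roaming rule is a triage heuristic, not a signature: anything it flags still needs to be checked (file hash, signer, creation time) before it is treated as Nitol.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg query <key>` prints for the two common
# Run keys. Two entries (Updater, Helper) imitate the Nitol persistence
# pattern; the others are benign look-alikes that must not be flagged.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\kq3zxp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Helper    REG_SZ    "C:\Users\alice\AppData\Roaming\a1b2c3.exe" -s
"""

# One indented value line: <name> <REG_type> <data>
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
# Executable path inside the data: either a quoted path or the first
# whitespace-free token ending in .exe (arguments may follow either form).
EXE_RE = re.compile(r'"([^"]+\.exe)"|(\S+\.exe)', re.IGNORECASE)
# Random six-character name plus .exe, as described for Nitol.
SIX_CHAR_RE = re.compile(r"^[a-z0-9]{6}\.exe$", re.IGNORECASE)


def parse_run_entries(text):
    """Return (key, value_name, data) tuples from reg query output."""
    key = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # key header lines are unindented
            key = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(3).strip()))
    return entries


def executable_path(data):
    """Extract the .exe path from a Run value's data, or None."""
    m = EXE_RE.search(data)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_suspicious(path):
    """Heuristic: six-character .exe directly or anywhere under AppData\\Roaming."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    try:
        i = parts.index("appdata")
    except ValueError:
        return False
    in_roaming = i + 1 < len(parts) and parts[i + 1] == "roaming"
    return in_roaming and SIX_CHAR_RE.match(parts[-1]) is not None


def find_suspicious_run_entries(text):
    """Return (key, value_name, exe_path) for every entry the heuristic flags."""
    hits = []
    for key, name, data in parse_run_entries(text):
        exe = executable_path(data)
        if exe and is_suspicious(exe):
            hits.append((key, name, exe))
    return hits


if __name__ == "__main__":
    # On a real host, feed in the output of:
    #   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    #   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    for key, name, exe in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"[!] {key}\\{name} -> {exe}")
```

Run against the sample it reports the `Updater` and `Helper` values and stays quiet on OneDrive (under AppData\Local, long name) and the SecurityHealth entry (under %windir%). The same logic ports straight to an EDR query or a Sigma rule on Sysmon event 13 (registry value set) if you would rather catch the write as it happens than sweep for it afterwards.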

MITRE Tactics and Techniques

  • Initial Access (TA0001)
  • Execution (TA0002)
  • Persistence (TA0003)
  • Command and Control (TA0011)
  • Exfiltration (TA0010)
  • Impact (TA0040)

Impact / Significant Attacks

  • Nitol and Amadey Integration: Nitol has been used to install Amadey Bot, which is a downloader capable of credential theft and further malware installation. This combination has been used in various attacks to deploy additional malicious payloads, including ransomware like LockBit 3.0.
  • 2021 Korean Forum Attack: In 2021, Nitol was distributed via a Korean forum archive, which led to widespread infections among Korean users. This incident showcased Nitol’s capability to be disseminated through compromised or maliciously crafted software distributions.
  • Recent Attacks Using Amadey: In 2023, Nitol was observed deploying Amadey, which then facilitated the installation of other malware strains. This series of attacks highlights how Nitol has been utilized as a precursor to more complex and damaging cyber operations.
  • DDoS Attacks on Korean Targets: Nitol has been involved in attacks that utilized its DDoS capabilities to target various entities, including Korean organizations. These attacks often involved using Nitol to generate large volumes of traffic to disrupt services.