CyberWire Daily - A new botnet takes a frosty bite out of the gaming industry. [Research Saturday]
Episode Date: June 10, 2023
Our guest, Allen West from Akamai's SIRT team, joins Dave to discuss their research on "The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile." Akamai found this new botnet was targeting the gaming industry, modeled after Qbot, Mirai, and other malware strains. The botnet has expanded to encompass hundreds of compromised devices. The research states "through reverse engineering and patching the malware binary, our analysis determined the botnet's attack potential at approximately 629.28 Gbps with its UDP flood attacks." Akamai researchers do a deep dive into the motives behind the attacks, the effectiveness of the attack, and how the law has been handling similar cases. The research can be found here: The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile
Transcript
You're listening to the CyberWire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life... Thank you.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
The original name of the file was just Roof.
It had no other information about it.
So I pulled that down and started looking at it
and immediately found out that there was sort of like just a calling card within the binary itself.
That's Allen West. He's a researcher with Akamai's Security Intelligence Response Team.
The research we're discussing today is titled The Dark Frost Enigma, an unexpectedly prevalent botnet author profile.
And I could immediately tell that it was some sort of DDoS.
We had originally thought it was some sort of variant of Gafgyt.
So then I just looked up the name within the file, and it led to a bunch of different social medias and proofs of the attacks.
We eventually found a GitHub.
He had his Twitter, his Instagram, YouTube, streaming services.
He even had urban dictionary posts.
And just like he had rap music out there, it was crazy. So I just started pulling down as much as I could.
And it started to paint a picture of somebody who just felt untouchable and was
actually profiting from this service, despite the lack of originality that I eventually found
within the code.
So before we dig into some of the details of our alleged perpetrator here,
can you just give us a quick overview as to what exactly folks are offering botnets to do out there?
Sure.
Yeah, so DDoS for Hire is the focus of this guy's sort of scheme.
In the past, he had also done some spamming services, just simple text spamming.
So in this particular case, he was doing DDoS for hire, so people would essentially give him targets of either companies or custom servers for games that they were, for some reason, angry at, or it was a competitor. They wanted to take those offline for various purposes, and he would train the botnets on them.
And then there's obviously other purposes for botnets that were outside of this one. So this guy didn't do any sort of crypto mining or various purposes like that. But yeah, his main shtick was DDoS for hire.
I have to say, I'm going to quote from the research that you published here because I love the deadpan nature of this sentence. You write,
The fascinating story of the Dark Frost botnet introduces us to a perplexing threat actor whose success rate and originality level do not align.
That's a great introduction to this character.
Yeah, thank you.
That was sort of the line that inspired the rest of it, essentially.
It was just like, we were all sitting there like, how is this guy so successful?
He has over 400 nodes in his botnet, and he's taking down all these different services online.
We rarely get this good of a look into the sort of operations because he just offered it all up.
And when we combed through the code,
there's like not that much special about it.
And we eventually found all the different kinds of malwares
that he ripped off.
But yeah, it was just, it was very perplexing
that you could be so successful with such little effort
and obviously like a lack of knowledge
of the ability to get in trouble for it even.
Right. Walk us through your journey here as you go through the discovery process for figuring out
who we're dealing with here. Can you share that story with us?
Sure. Yeah. Well, it honestly was not difficult at all to figure out who it was. We typically run
what's called strings
on all the binaries we get
just so we can see some human-readable text within it.
And when I go through,
I look for interesting strings within it
so that I can sort of do my due diligence
to see if somebody else has already published on it.
And so obviously one of the strings that popped out
was this guy's calling card.
We're not trying to directly attribute him, so I can't really say it.
But I just looked that up and I started finding social media accounts.
And then I sort of, because of that, I went to Maltego and I started using that and found a ton more stuff.
And yeah, it didn't seem like there was much talk about this guy in particular, despite there being multiple samples that we've had over the past, like, year or two. So I just wanted to look into it a bit more and learn more about this guy.
And what did you learn?
I learned that he's a young 20s, most likely from America, guy who claims to have a couple years of experience in networking. I learned that he has a couple different friends within the hacker world, but he's been somewhat unsuccessful in starting his own hacking group around it. He originally was just doing this for the glamour and the fame of it, trying to do streaming services and stuff like that, trying to get a little bit of attention to his Twitter, stuff like that. But then he started offering it up for the money value of it, and it seems to be a little bit successful for him, but he hasn't really been able to get anybody else to join him in this effort so far.
Does it seem, though, that he has many customers?
It seems like he has a fair amount of customers. He published a couple pictures of his bank account, which could be completely fake. So I'm really just working with the information that he's given. He's certainly done a lot of attacks. I just don't know which ones are just him wanting to do it. Like some of the original ones, you can definitely tell where that is, and then some of the later ones, I'm not so sure if he was paid for it or not.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your
attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users
only to specific apps, not the entire network, continuously verifying every request based
on identity and context, simplifying security management with AI-powered automation, and
detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
What are some of the technical details of the botnet that he's cobbled together here?
Yeah, so he, I believe it was written in C, and he had a ton of different attacks within it.
There was a couple Layer 7 and Layer 4 attacks.
There was a couple that stood out to us as strange.
One was called ZGO flood, which through our testing didn't seem to be
working, unfortunately. But yeah, there was a lot of tests offered. We chose to benchmark the UDP
one because it was the most straightforward and reliably worked. And for that one in particular,
he just, he didn't even pad it with like random bits or anything. He just put the string U over
and over depending on the size that
you put into it. That eventually actually slowed down the output because he had to generate all
those U's for every packet that he sent out. So not very mind-bending things. The only thing that
really tripped us up in the investigation was that there was this part of it, when we were trying to run it and connect to our own C2 after we patched what was the C2 IP address within the code back to one that we owned. We were trying to send commands to ourselves, basically, to attack ourselves. And the one tricky thing was that when we connected to it, it would do all the checks. It would report back to the C2 what kind of device we had, what kind of malware it was.
But then it would theoretically just bail out.
It would kick back to the terminal and say, I couldn't find a valid watchdog driver bailing out.
And so I got kind of stuck on that for a day or two.
And I was just like, why is this happening?
I installed watchdog drivers, I tried a bunch of different things.
Then eventually we just sent the word ping to it
through the open Netcat listening.
And it allowed us to send commands.
So it spun up a process in the background
by telling us that it had bailed.
And literally there was nothing
to figure out.
It was just start sending commands.
So, not dealing with a high level of sophistication here, is it fair to say?
Exactly. Yeah. We didn't suspect there was much like high level of sophistication. I think the only part that he really wrote himself was the C2, and it's actually publicly offered on his GitHub. The story was still interesting despite him being not that sophisticated, because it did show you don't need to be that sophisticated to have a bunch of success here. And it sort of shines light on the fact that security companies, and just companies in general, need to sort of reframe who they are protecting themselves against. It's really easy to be like, oh, I'm not a target of a nation-state actor. It's like, well, this guy is clearly not a nation-state actor, but he can still do significant damage. So, yeah.
And in terms of the code that he's using here,
is this stuff borrowed from previous campaigns generally?
Yeah, so we found them to be mostly BashLite offshoots.
And originally it came up as Gafgyt,
just mainly because of a couple strings that matched.
But I had found a couple samples online of QBot.
It was like a DDoS-specific QBot.
And when I'm talking about QBot,
I'm talking about not the Windows Trojan.
I'm talking about the BashLite descendant,
which is kind of confusing.
But I had found a couple online,
especially this one called Mortem.
It was Mortem QBot, which is apparently a ripoff of something called Batman.
So it's all sort of convoluted.
But that's what I had thought, because I saw a lot of similarities in the code
and what I was seeing in the assembly.
And then I didn't publish on that, but then later we found his GitHub,
and it literally had that exact malware strain,
along with five others in one of his repositories.
So, yeah, it's a bunch of QBot conglomerates with, I think, some ties to Gafgyt as well.
Does this person's bravado stand out?
I mean, it strikes me that a lot of folks who are in this business do what they can to kind of fly over the radar,
and this person is doing the opposite.
Yeah, definitely.
I think, especially with like younger people that are getting into the scene,
they don't sort of understand the implications of what they're doing.
You know, some of them don't even care if they get caught.
And then others, you know, like you said, try to hide what they're doing.
This was a case that took it a step further because he was so confident in the fact that he used a fake name and allegedly a fake social security number to register all this stuff that he just made as many accounts as he could to try to get famous.
And you can't be a criminal and be famous.
Notorious, perhaps.
Yeah, exactly.
So you mentioned that we think that this person is from the United States.
I mean, that's another interesting element to me, because typically I think a lot of these operators are in a part of the world where they're out of reach of Western law enforcement. And I would imagine that this person could find themselves in peril
just because they're not in some country that doesn't have an extradition treaty with the U.S.
Yeah, exactly.
There's a lot of baffling parts about it like that.
It's just like, what is he thinking?
Why would you make it this easy?
But yet, he's still active.
So, you know, there's something to be said about that as well.
What are your recommendations?
I mean, you mentioned that people need to be aware
that these sorts of operators are out there.
The types of things that this person is up to,
how difficult is it to respond to this sort of thing?
Right.
So I think if you have DDoS protection such as Akamai,
you're clearly safe.
But I think a lot of people don't put a sort of emphasis on that
because he's not doing anything that is new.
He's not really amplifying his attacks other than just making really big packets. So standard DDoS protection would protect against this. And it's not a priority for people with just small gaming servers or just websites they run for a small business, things like that. So it needs to be one of those things that we talk about.
DDoS is not dead.
It's really on the rise, actually.
And it can cause a lot of damage and it's kind of a booming industry.
So you just got to protect yourself in the ways that are known.
For you and your colleagues who sort of have an eye on a person like this, is this the kind of thing you keep an eye on and wonder,
is this person going to go dark sometime?
Are we going to see a press release from the FBI?
So I definitely, I'm going to be looking at him moving forward,
just out of sheer interest.
He hasn't posted anything about this.
And then we do, for some of these actors,
we track their specific binaries
within a background work of our honeypots
without revealing too much information about that.
So we'll be able to see the new stuff he puts out.
Occasionally we track C2s.
I'm not sure if we're doing it for this one.
We'll be able to look for new activity and
obviously monitor his social medias because I'm sure he'll tell us.
But yeah, as far as law enforcement goes, that's not something I know at this time.
Our thanks to Allen West from Akamai for joining us. The research is titled The Dark Frost Enigma, an unexpectedly prevalent botnet author profile.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks,
and connected lives. Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.