Back in April of this year, 360 Netlab researchers reported on a new DDoS botnet with more than 10,000 daily active bots and over 100 DDoS victims per day, dubbed Fodcha due to its command and control (C2) domain name folded.in and its use of the ChaCha encryption algorithm.
In response to 360 Netlab’s report, the author appeared to concede defeat by leaving the phrase “Netlab pls leave me alone I surrender” in a sample.
It’s now clear that the surrender was fake – according to a new 360 Netlab report, an updated, more powerful version has been released.
Fodcha version 2 has more than 60,000 daily active bots and over 40 C2 domains and can generate more than 1 Tbps of traffic. The number of daily attacks has also surged – its peak thus far was on October 11, with 1,396 targets in a single day.
See also: How to Stop DDoS Attacks: Prevention & Response
Fodcha Attacks Spread
The new version adds redundancy, using both XXTEA and ChaCha20 encryption to protect sensitive information and avoid detection, and leveraging a combination of primary and backup C2 domains.
“This redundancy mechanism can not only prevent C2 from being taken over, but also has good robustness and can maintain the stability of its master network,” the researchers wrote (via Google Translate).
While the attacks primarily target victims within China, they’re spreading worldwide. According to the report, 78.2 percent of targets are in China, followed by 10 percent in the U.S., 2.1 percent in Singapore, 1.6 percent in Japan, 1.4 percent in Russia, 1 percent in France, and 1 percent in Germany.
On September 21, the researchers said, a leading cloud service provider reached out to them about an attack with traffic exceeding 1Tbps. They concluded that the attacker was Fodcha.
See the Top DDoS Protection Service Providers
Demanding Ransom in Monero
Notably, the code now includes a demand to “send 10 xmr to [address] or we will shut down your business.” As the 360 Netlab researchers put it, the operators behind Fodcha seem to be pursuing “the business model of extortion.”
If so, their choice of XMR (Monero) follows a trend. In a recent report on cyber extortion, Trend Micro researchers wrote that while address-linking techniques can be used to trace Bitcoin addresses back to their owners, cybercriminals “have started to shift to anonymity-based coins such as Monero, which are much harder to trace.”
“Several dark web marketplaces now use Monero exclusively,” Trend Micro noted.