New Version of Fodcha DDoS Botnet Adds Extortion

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Back in April of this year, 360 Netlab researchers reported on a new DDoS botnet with more than 10,000 daily active bots and over 100 DDoS victims per day, dubbed Fodcha due to its command and control (C2) domain name and its use of the ChaCha encryption algorithm.

In response to 360 Netlab’s report, the author appeared to concede defeat by leaving the phrase “Netlab pls leave me alone I surrender” in a sample.

It’s now clear that the surrender was fake – according to a new 360 Netlab report, an updated, more powerful version has been released.

Fodcha version 2 has more than 60,000 daily active bots and over 40 C2 domains and can generate more than 1 Tbps of traffic. The number of daily attacks has also surged – its peak thus far was on October 11, with 1,396 targets in a single day.

See also: How to Stop DDoS Attacks: Prevention & Response

Fodcha Attacks Spread

The new version adds redundancy, using both XXTEA and ChaCha20 encryption to protect sensitive information and avoid detection, and leveraging a combination of primary and backup C2 domains.

“This redundancy mechanism can not only prevent C2 from being taken over, but also has good robustness and can maintain the stability of its master network,” the researchers wrote (via Google Translate).

While the attacks primarily target victims within China, they’re spreading worldwide. According to the report, 78.2 percent of targets are in China, followed by 10 percent in the U.S., 2.1 percent in Singapore, 1.6 percent in Japan, 1.4 percent in Russia, 1 percent in France, and 1 percent in Germany.

On September 21, the researchers said, a leading cloud service provider reached out to them about an attack with traffic exceeding 1Tbps. They concluded that the attacker was Fodcha.

See the Top DDoS Protection Service Providers

Demanding Ransom in Monero

Notably, the code now includes a demand to “send 10 xmr to [address] or we will shut down your business.” As the 360 Netlab researchers put it, the operators behind Fodcha seem to be pursuing “the business model of extortion.”

If so, their choice of XMR (Monero) follows a trend. In a recent report on cyber extortion, Trend Micro researchers wrote that while address-linking techniques can be used to trace Bitcoin addresses back to their owners, cybercriminals “have started to shift to anonymity-based coins such as Monero, which are much harder to trace.”

“Several dark web marketplaces now use Monero exclusively,” Trend Micro noted.

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Jeff Goldman Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis