Summary:
The Russian hacktivist group NoName057 has been conducting DDoS attacks since March 2022, targeting entities with anti-Russian sentiments. In November 2024, they collaborated with other pro-Russian groups to attack South Korean government websites in response to political remarks regarding Ukraine. Utilizing automated DDoS bots like DDoSia, they incentivize participation through cryptocurrency rewards, aiming to disrupt services and exert psychological pressure during military conflicts.
Keypoints:
- NoName057 has been active since March 2022, focusing on DDoS attacks against anti-Russian targets.
- In November 2024, they attacked South Korean government websites in response to comments on weapon supplies to Ukraine.
- They use automated DDoS bots like DDoSia to facilitate attacks and encourage user participation.
- Participants are rewarded with cryptocurrency for successful attacks.
- The group communicates and promotes their activities via a popular Telegram channel.
- DDoSia requires a “client_id.txt” file for authentication and connects to a constantly changing C&C server.
- Commands received from the C&C server include http, http2, tcp, and nginx_loris.
- DDoSia is developed in Go and has previously been developed in Python, which supported TCP SYN Flood techniques.
- The C&C server uses random User-Agent strings to evade detection during attacks.
MITRE Techniques
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Distributed Denial of Service (DDoS) (T1498): Conducts DDoS attacks to disrupt services and cause chaos.
IoC:
- [IP] 45.152.115.205
- [IP] 62.60.237.103
- [IP] 77.91.100.134
- [IP] 94.131.97.202
- [File Hash] 0d5cac778ec1f9a1471e0d78742d3fe9
- [File Hash] 161b8fcfc27636c51890a7c84644844a
- [File Hash] 1cd8d1073dc4e1f5c7265e6658f32544
- [File Hash] 2add4181b214dc516e7f7a6c74699457
- [File Hash] 52fb14f74ef5d0dcf89285a60d5c5a73
Full Research: https://asec.ahnlab.com/en/84531/