Pro-Russian DDoS (Distributed Denial of Service) crowdsourcing project, ‘DDoSia’, has seen massive growth of 2,400% in less than a year, with over ten thousand people helping to carry out attacks against Western organizations .

THE project has been launched by a pro-Russian hacktivist group known as “NoName057(16)” last summer, quickly reaching 400 active members and 13,000 users on its Telegram channel.

In a new report released today, According to Sekoia analysts that the DDoSia platform has grown significantly over the year, reaching 10,000 active members contributing to the firepower of the project’s DDoS attacks and 45,000 subscribers on its main Telegram channel (there are seven in total) .

Apart from growing the size of the community, which also results in more disruptive attacks, DDoSia has also improved its toolset and introduced binaries for all major operating system platforms, increasing its reach. to a wider audience.

Cross-platform payloads

The registration of new users on the platform is fully automated thanks to a Telegram bot, which only supported Russian at the time.

New members begin by providing a TON (Telegram Open Network) wallet address to receive the cryptocurrency, to which the bot responds by generating a unique client ID and helper text file.

Then, new members receive a ZIP archive containing the attack tool. As of April 19, 2023, the ZIP includes the following files:

• d_linux_amd64 – LSB 64-bit ELF executable, x86-64
• d_linux_arm – 32-bit LSB ELF, ARM executable
• d_mac_amd64 – 64-bit x86_64 Mach-O executable
• d_mac_arm64 – 64-bit arm64 Mach-O executable
• d_windows_amd64.exe – PE32+ (console) x86-64 executable for Microsoft Windows
• d_windows_arm64.exe – PE32+ (console) Aarch64 executable for Microsoft Windows

To run these payloads, the client ID text file must be placed in the same folder as the payloads to limit unauthorized execution by security analysts or other “intruders”.

The DDoSia client launches a command line prompt that lists the targets fetched by the project’s C2 server in encrypted form and allows members to contribute garbage queries to them.

Sekoia reverse-engineered the 64-bit Windows executable and discovered that it was a Go binary, using AES-GCM encryption algorithms to communicate with the C2.

The C2 sends the target ID, host IP address, request type, port, and other attack parameters in encrypted form to the DDoSia client, which is locally decrypted.

DDoSia targets

Sekoia collected data regarding certain targets sent by the DDoSia C2 between May 8 and June 26, 2023, and found that those targeted were mainly Lithuanian, Ukrainian and Polish, accounting for 39% of the project’s total activity.

This focus of attacks is related to these countries’ public statements against Russia, but in general the targets of NoName057(16) appear to be NATO countries and Ukraine.

During the mentioned period, DDoSia targeted a total of 486 different websites, and those receiving the most malicious traffic were:

• zno.testportal.com.ua – Ukrainian education site
• e-journal.iea.gov.ua – Ukrainian government electronic journal
• e-schools.info – Ukrainian education support platform
• portofhanko.fi – Website of the Finnish Port of Hanko
• credit-agricole.com – Site of the major French bank Crédit Agricole
• urok-ua.com – Ukrainian education site
• groupebpce.com – Website of a major French banking entity Groupe BPCE

NoName057(16) targeted educational platforms in May and early June that could disrupt ongoing exams.

It should also be noted that DDoSia set two Wagner sites as targets on June 24, 2023, the day the private paramilitary group attempted an offensive against the Russian state.

Additionally, although DDoSia typically sets an average of 15 daily targets, on June 24 it focused all of its firepower on Wagner’s sites, treating this case as urgent.

In conclusion, the DDoSia project continues to grow and has reached a large enough size to cause significant problems for its targets.