Skip links

Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets



A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands injected into packets and new features to evade detection of its infrastructure.

360Netlab researchers discovered Fodcha in April 2022, and since then, it has been silently receiving development and upgrades, steadily improving and becoming a more potent threat.

According to a new report published by the same researchers, the latest Fodcha version 4 has grown to an unprecedented scale, with its developers taking measures to prevent analysis after Netlab’s last report.

The most notable improvement in this botnet version is the delivery of ransom demands directly within DDoS packets used against victims’ networks.

In addition, the botnet now uses encryption to establish communication with the C2 server, making it harder for security researchers to analyze the malware and potentially take down its infrastructure.

More DDoS power

As a DDoS operation, Fodcha had grown significantly since April, when it targeted an average of 100 victims daily. The average number of targets has increased by ten times, reaching 1,000 daily.

The botnet now relies on 42 C2 domains to operate 60,000 active bot nodes daily, generating up to 1Tbps of destructive traffic.

List of C2 addresses used by Fodcha (360Netlab)

According to Netlab, Fodcha reached a new peak on October 11, 2022, attacking 1,396 targets in a single day.

Some notable examples of confirmed attacks of Fodcha include:

A DDoS attack against a healthcare organization on June 7 and 8, 2022.
A DDoS attack against the communication infrastructure of a company in September 2022.
A 1Tbps DDoS attack against a well-known cloud service provider on September 21, 2022.

Most of Fodcha’s targets are located in China and the United States, but the botnet’s reach is already global, having infected systems in Europe, Australia, Japan, Russia, Brazil, and Canada.

Fodcha’s victim heatmap and activity volume diagram (360Netlab)

Embedding ransom demands

Netlab’s analysts believe Fodcha is making money by renting its firepower to other threat actors who wish to launch DDoS attacks. However, the latest version also includes extortion by demanding a Monero ransom to stop the attacks.

Based on DDoS packets deciphered by Netlab, Fodcha now demands the payment of 10 XMR (Monero) from victims, worth approximately $1,500.

These demands are embedded in the ‘Data’ portion of the botnet’s DDoS packets and warn that the attacks will continue unless a payment is made.

Fodcha’s ransom message (360Netlab)

However, as Monero is a privacy coin, it is much harder to trace. Therefore, it is not offered for sale by almost all US crypto exchanges due to the legal requirements to prevent money laundering or other illicit activity.

Therefore, while ransomware gangs and other threat actors commonly request XMR as a payment option, almost all companies choose to pay in bitcoin, which will likely be a similar situation with DDoS attacks.

Adblock test (Why?)