Malware
Dosia
aka DDOSIA
Infrastructure and programs used for, as its name suggests, DDoSing.
Dosia, also known as DDOSIA, is a Windows malware family operated by NoName057(16).
Background
Infrastructure and tooling used, as the name implies, for DDoS operations. Clients:
- Are written in Go (earlier versions were written in Python).
- Do not seem to differ significantly across OS deployments (confirmed on Windows, macOS, Linux and Android).
- Seem to be partly run by NoName themselves.
- Are partly also run by volunteers recruited via dedicated Telegram channels; participants are rewarded with cryptocurrency. The client prints a suggestion to use a VPN for launches from Russia. (This makes IP-based blocking rather ineffective; consider behavioral analysis instead.)
Configuration:
- Rotates near-daily. Can be browsed on https://witha.name/ (also reachable via http://withanamemwesdvodfhthjq25a5a3uas24cpgoa7qm6gchcerzpis6qd.onion/).
- Is sent encrypted between the C2 and the client.
- Specifies target hostname, subpath, vector protocols, methods, ports, whether SSL is used, headers for HTTP, request bodies.
- Any given config property can be randomly generated with per-use constraints.
- Is provided by a multi-level hierarchy of C2 servers.
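Because the client is run from many volunteer machines, often behind VPNs, and because request properties such as the subpath or body can be randomized per use, the behavioral-analysis approach suggested above is more robust than blocking source addresses. The following added example (not code from Malpedia or from the malware itself) sketches such a heuristic on the web-server side: it parses access-log lines in Common Log Format, and flags a source that sends many requests in a short window where almost every request target differs, while leaving a same-rate client that hits a fixed path (a health checker, for instance) alone. The log lines, the thresholds and the address values are constructed for illustration and are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: src ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def _log(src, second, target):
    """Build one constructed CLF line (sample data for this example only)."""
    return f'{src} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {target} HTTP/1.1" 200 512'


# Constructed sample traffic (not real captures):
#  - 203.0.113.7  : 12 requests in ~4 s, every query string different (randomized per use)
#  - 192.0.2.9    : 12 requests in ~4 s, always the same path (looks like a health checker)
#  - 198.51.100.4 : 3 requests spread over 20 s (ordinary visitor)
SAMPLE_LOG = (
    [_log("203.0.113.7", 30 + i // 3, f"/api/search?q={i:04x}") for i in range(12)]
    + [_log("192.0.2.9", 30 + i // 3, "/health") for i in range(12)]
    + [_log("198.51.100.4", 10 * i, "/index.html") for i in range(3)]
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "ts": ts,
            "method": m.group("method"), "target": m.group("target")}


def find_flood_sources(lines, window_s=10, min_requests=10, min_distinct_ratio=0.8):
    """Flag sources that, within any window_s-second window, send at least
    min_requests requests of which at least min_distinct_ratio have distinct targets.

    Returns {src: {"requests": n, "distinct_ratio": r}} for the largest qualifying
    window per source. Thresholds are assumptions chosen for this example.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            ratio = len({r["target"] for r in window}) / len(window)
            if ratio >= min_distinct_ratio and len(window) > flagged.get(src, {}).get("requests", 0):
                flagged[src] = {"requests": len(window), "distinct_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for src, info in find_flood_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['requests']} requests, distinct-target ratio {info['distinct_ratio']}")
```

Run on the constructed sample, only 203.0.113.7 is reported; the fixed-path client at the same rate and the slow visitor are not. In production the same logic would run over a rolling window of live log lines, and the verdict should feed a rate limiter or challenge rather than a permanent address blocklist, since the addresses themselves are expected to change.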
Source: Malpedia (Fraunhofer FKIE).