Cyber Affairs

Russian Hackers “NoName057(16)” Planning Massive DDoS Attack

by admin
Mar 5, 2024
in News

The Russia-Ukraine war has provoked several threat groups, identified as “nationalist hacktivists,” that have targeted most of the NATO member states with multiple attack vectors.

One of the most notable is the pro-Russian group NoName057(16), which gained a reputation through Project DDoSia, used to conduct large-scale distributed denial-of-service (DDoS) attacks.

However, the threat group released a newer version of Project DDoSia in November 2023 without any prior announcements.

This new version adds compatibility with additional processors and support for 32-bit and FreeBSD operating systems. Several changes have also been made to the software, the C2 servers, and other components.


Technical Analysis

According to reports shared with Cyber Security News, the new Project DDoSia ZIP archive contains two folders, one named d_eu and the other d_ru, intended for users in different geographical locations.

Moreover, this new version’s users have also been advised to use a VPN if they are located inside Russia.

There is also speculation that the threat group is tied to the Russian state, but there is no evidence to prove the claim.

The new version also encrypts the traffic between the user and the C2 server.

Attack chain of Project DDoSia (Source: Sekoia)

Their top targeted sectors include Government, Banking, Transportation, Defense, Technology, Energy and other industries.

Top targeted sectors of Project DDoSia (Source: Sekoia)

Project DDoSia – Shortcomings And Workarounds

Though the new version has several data transmission capabilities, the C2 servers were changed more frequently, indicating that the threat actors faced several challenges in running the DDoS operations and maintaining the stability of the C2 servers.

For every new configuration, the users of DDoSia must download and install the new version to establish a seamless DDoS attack against their targets.

On a side note, the new version also includes FAQs and training materials to educate users.

The second question in this FAQ asks, “Does the provider see my actions or law enforcement agencies see my IP?” The answer reads:

“If the computer is located on the territory of the Russian Federation, then even without using a VPN, it is doubtful that there will be any problems with the law since the software is designed for stress testing.

At least that’s what we think. If the computer is located outside the Russian Federation, it is strongly recommended to use a VPN to change the IP address. You can check the change in IP address, for example, on myip.com.

Monitoring the VPN in action is recommended to avoid being disabled or use a VPN with an Internet killswitch option.”

Victimology Analysis

The threat actors primarily targeted Ukraine, which accounted for almost a quarter of the DDoSia attacks.

However, in January and February 2024, Finland and Italy were targeted and impacted, as Finland had presidential elections and the Italian prime minister speculatively helped fund Ukraine.

Targeted countries of Project DDoSia (Source: Sekoia)

Additionally, Japan-related entities were targeted at the end of February 2024 due to the 15.8 billion yen aid proposed at the Japan-Ukrainian Conference for post-war reconstruction.

The threat actors continuously target countries that help Ukraine. Furthermore, the indicators of compromise can be found in this GitHub project.


Copyright © 2022 Cyber Affairs. All rights reserved.
