Researchers at Akamai’s Security Intelligence unit find a botnet specimen that reveals how successful DDoS, spam and other cyberattacks can be done with little finesse, knowledge or savvy.
Botnets, especially botnets-for-hire, are lowering the bar to technology access for those seeking to launch distributed denial of service — or DDoS — attacks, run crypto mining operations, create spamming exploits and other nefarious applications. Botnets are also getting easier to build and deploy because, much like legitimate software development, malicious botnets can be created using existing codebases.
One example of how little technical sophistication is required is evinced by a botnet dubbed Dark Frost by researchers at Akamai web services. In spite of its use of cobbled-together code from older botnets, Dark Frost has roped in over 400 compromised devices for exploits.
According to Allen West, a security researcher on Akamai’s Security Intelligence Response team, the financially motivated actor is targeting gaming platforms.
SEE: Akamai looks at fake sites, API vulnerabilities (TechRepublic)
“It is crucial that the security community starts acknowledging low-level actors such as these in their infancies before they grow into major threats,” West wrote in a blog about the attack, adding that Dark Frost isn’t hard to track because of their attention seeking.
According to research by West and other researchers looking at social media and Reddit, the actor behind the Dark Frost botnet is likely in their early 20s who claims to have been a developer for a couple of years. They say this person is probably based in the U.S. and isn’t likely linked to a state actor. While probably a single individual, this actor likely interacts with a small group to share code, West and the researchers say.
Gaming platforms are target for hackers seeking attention
According to Akamai researchers, the Dark Frost botnet has primarily targeted various sects of the gaming industry including companies, game server hosting providers, online streamers and other members of the gaming community.
West noted that games are an easy target, and there is a big audience. The rise in modders (people who modify commercial games to make them more compelling and relevant) on custom servers, make them targets because they have few defenses and aren’t typically paying for large-scale protection, he said.
SEE: How Google is fighting these DDoS threats (TechRepublic)
“They are starting to address [cyber threats] in the custom modding industry, and there are a couple of open-source free options for security, but these actors aren’t targeting ones they think have good protection,” West said to TechRepublic
The Dark Frost actor was focusing on selling the tool as DDoS-for-hire, noted Akamai, which also said the same actor had been selling it as a spamming tool.
“This is not their first of this kind,” said West, who noted that the Dark Frost actor was selling it on Discord. “He was taking orders there, and even posting screenshots of what they said was their bank account.”
To make Dark Frost, just add codebases and mix
The Dark Frost botnet uses code from the infamous Mirai botnet. West said while there are much bigger botnets out there, the Dark Frost botnet shows what you can do with just 400 compromised devices.
“The author of Mirai put out the source code for everyone to see, and I think that it started and encouraged the trend of other malware authors doing the same, or of security researchers publishing source code to get a bit of credibility,” said West. “Some people think DDoS is a thing of the past, but it is still causing damage.”
According to Akamai, the botnet:
- Is modeled after Gafgyt, Qbot, Mirai, and other malware strains and has expanded to encompass hundreds of compromised devices.
- Has an attack potential of approximately 629.28 Gbps with UDP flood attacks.
- Is emblematic of how, with source code from previously successful malware strains and AI code generation, someone with minimal knowledge can launch botnets and malware.
Lowering the botnet bar
West told TechRepublic that the codebases for botnets and exploits known to be effective are an easy get.
“On public repositories it’s easy to find malware that has worked effectively in the past and string together something with very minimal effort,” he said. “Dark Frost is the perfect example; and how brazenly they talk about it just adds to the picture of someone who doesn’t really get what they are doing or the implications of their actions.”
He said the actor behind Dark Frost essentially announced that they were selling illegal services.
“It is fame seeking money seeking fame. If we look at all the malware that comes in, this one stuck because he literally signed it, and I found eight different social media platforms talking about these attacks,” West said.
The main takeaway, said West, is that, with minimal effort, the author of Dark Frost has been successful at causing damage and is aiming to organize malefactors to scale up the exploit’s capabilities.
“Security companies and just companies in general should start recognizing these threats in their infancy in order to stop them down the road when it’s an even bigger problem,” he said.