A new botnet takes a frosty bite out of the gaming industry.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly-evolving cyberspace. Thanks for joining us.
Allen West: The original name in the file was just roof. I'd had no other information about it. So I pulled that down and started looking at it and immediately found out that there was sort of like a just a calling card within the binary, itself.
Dave Bittner: That's Allen West. He's a researcher with Akamai's Security Intelligence Response Team. The research we're discussing today is titled "The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile."
Allen West: And I could immediately tell that it was some sort of DDoS. We had originally thought it was some sort of variant of Gafgyt. So then I just looked up the name within the file and it led to a bunch of different social medias and proofs of the attacks. We eventually found a GitHub. We got his Twitter, his Instagram, YouTube, streaming services. He even had like Urban Dictionary posts and just like he had rap music out there. It was crazy. So I just started pulling down as much as I could and it started to paint a picture of somebody who just felt untouchable. And was actually profiting from this service despite the lack of originality that I eventually found within the code, so.
Dave Bittner: So before we dig in to some of the details of our alleged perpetrator here, can you just give us a quick overview as to, you know, what exactly folks are offering botnets to do out there?
Allen West: Sure, yeah. So, DDoS for hire is the focus of this guy's sort of scheme. He, in the past, he had also done some, you know, spamming services, just simple like text spamming. But so far in this particular case, he was doing DDoS for hire. So people would essentially give him targets of, you know, either companies or customer servers for games that they were some- for some reason, angry at or is like a competitor. They wanted to take those offline for various purposes and, you know, he would train the botnets on them. And then, you know, there's obviously other purposes for botnets that were outside of this one. So like this guy didn't do any sort of like cryptomining or, you know, various purposes like that. But, yeah, his main schtick was DDoS for hire.
Dave Bittner: I have to say, I'm gonna quote from the research that you published here because I love the deadpan nature of this sentence. It's you write, "The fascinating story of the Dark Frost botnet introduces us to a perplexing threat actor whose success rate and originality level do not align." That's a great introduction to this character.
Allen West: Yeah, thank you. That was sort of the line that inspired the rest of it, essentially. It was just like we're all sitting there like how is this guy so successful? This- like he has over 400 nodes in his botnet and he's taking down all these different services online. We rarely get this good of a look into the sort of operations 'cause he just offered it all up. And when we combed through the code, there's like not that much special about it and we eventually found all the different kinds of knowledge that he ripped off. But, yeah, it was just it was very perplexing that, you know, he could be so successful with such little effort and obviously like a lack of knowledge of the ability to get in trouble for it, even.
Dave Bittner: Right. Walk us through your journey here as you go through the discovery process for figuring out who we're dealing with here. Can you share that story with us?
Allen West: Sure, yeah. Well, it honestly was not difficult at all to figure out who it was. We typically run what's called strings on all the binaries we get just so we can see some like human readable text within it. And when I go through, I look for interesting strings within it so that I can sort of do my due diligence to see if somebody else has already published on it. And so obviously one of the strings that popped out was this guy's calling card. We're not trying to directly attribute him, so I can't really say it. But I just looked that up and I started finding social media accounts. And then I sort of because of that, I went to Maltego, and I started using that, and found a ton more stuff. And, yeah, it didn't seem like there was much talk about this guy, in particular, despite there being multiple samples that we've had over the past like year or two. So just wanted to look into it a bit more and learn more about this guy.
Dave Bittner: And what did you learn?
Allen West: I learned that he's a young 20s, most likely from America, guy, who claims to have a couple of years of experience in like networking. And I learned that he has a couple different, you know, friends within the hacker world but he's been like somewhat unsuccessful in starting his own hacking group around it. He originally was just doing this for sort of the glamor and the fame of it, trying to do like streaming services and stuff like that, trying to get a little bit of attention to his Twitter, stuff like that. But then he started offering it up for the money value of it and it seems to be a little bit successful for him, but he hasn't really been able to get anybody else to join him in this effort so far.
Dave Bittner: Does it seem, though, he has many customers?
Allen West: It seems like he has a fair amount of customers. He published a couple of pictures of his bank account, which, you know, completely fake. So I'm really just working with the information that he's given. He's certainly done a lot of attacks. I just don't know which ones are just him wanting to do it. Like some of the original ones, you can definitely tell were that. And then some of the later ones, I'm not so sure if he was paid for it or not.
[ Music ]
Dave Bittner: What are some of the technical details of the botnet that he's cobbled together here?
Allen West: Yeah, so he- I believe it was written in C and he had a ton of different attacks within it. There was a couple of Layer 7 and Layer 4 attacks. There was a couple that stood out to us as strange. One was called zgoflood, which through our testing didn't seem to be working, unfortunately. But, yeah, there was a lot of tests offered. We chose to benchmark the UDP one because it was the most straightforward and reliably worked. And for that one in particular, he just he didn't even pad it with like random bits or anything. He just put the stream U over and over, depending on the size that you put into it. That eventually actually slowed down the output because he had to generate all those U's for every packet that he sent out. And, yeah, so it- not very mind-bending things. The only thing that really tripped us up in investigation was that there was this part of it that was when we were trying to run it. And like connect to our own C2 after we patched what was the C2 IP address within the code back to one that we owned, we were trying to send commands to ourself, basically, to attack ourselves. And the one tricky thing was that when we connected to it, it would do all the checks. It would report back to the C2 what kind of device we had, what kind of sample, what kind of malware it was. But then it would theoretically just bail out. It would, you know, kick back to the terminal and say, "Couldn't find a valid watchdog driver. Bailing out." And so I got kind of stuck on that for a day or two and I was just like why is this happening. Like I installed watchdog drivers. Like I tried a bunch of different things. Then eventually, we just sent the word ping to it through the open Netcat listening and it allowed us to send commands. So it was it spun up a process in the background by telling us that it had bailed and literally there was nothing to figure out. It was just start sending commands.
Dave Bittner: So not dealing with a high level of sophistication here, is it fair to say?
Allen West: Exactly, yeah. We didn't suspect there was much like high level of sophistication. I think the only part that he really wrote himself was the C2 and it's actually publicly offered on his GitHub. So, you know, but yeah, the story was still interesting despite him being not that sophisticated because it did show like you don't need to be that sophisticated to have a bunch of success here. And it sort of shines light on the fact that security companies and just companies in general need to like sort of reframe who they are protecting themselves against. It's really easy to be like, "Oh, I'm not a target of, you know, a nation state actor." And it's like, well, this guy is clearly not a nation state actor but he can still do significant damage. So, yeah.
Dave Bittner: Mm-hmm. And in terms of the code that he's using here, this is stuff borrowed from previous campaigns, generally?
Allen West: Yeah, so we found them to be mostly BASHLITE offshoots, and originally it came up as Gafgyt just mainly because of a couple of strings that matched. But I had found a couple samples online of Qbot. It was like a DDoS-specific Qbot, and when I'm talking about Qbot, I'm talking about not the Windows like Trojan. I'm talking about the BASHLITE descendant, which is, you know, kind of confusing. But I found a couple online, especially this one called Mortem. It was Mortem Qbot, which is apparently a rip off of something called Batman. So, you know, it's all sort of convoluted. But that's what I had thought because I saw a lot of similarities in the code and what I was seeing in the assembly. And then, you know, I didn't publish on that, but then later we found his GitHub and it literally had that exact malware strain along with five others in one of his repositories. So, yeah, it's a bunch of Qbot conglomerates with, I think, some ties to Gafgyt, as well.
Dave Bittner: Does this person's bravado stand out? I mean, it strikes me that a lot of folks who are in this business do what they can to kind of fly over the radar and this person is doing the opposite.
Allen West: Yeah, definitely. I think, especially with like younger people that are getting into this scene, they don't sort of understand the implications of what they're doing. You know, some of them don't even care if they get caught, and then others, you know, like you said, try to hide what they're doing. This was a case that took it like a step further because he was so confident in the fact that he used like a fake name and allegedly a fake Social Security number to register all this stuff. That he just made as many accounts as he could to try to get famous and you can't be a criminal and be famous.
Dave Bittner: And notorious, perhaps, right?
Allen West: Yeah, exactly.
Dave Bittner: So you mentioned that we think that this person is from the United States. I mean, that's another interesting element to me. 'Cause typically, I think a lot of these operators are in the part of the world where they're out of reach of Western law enforcement. And I would imagine that this person could find themselves in peril just because, you know, they're not in some country that doesn't have an extradition treaty with the US.
Allen West: Yeah, exactly. That's there's a lot of baffling parts about it like that where it's just like what is he thinking. Why would you make it this easy? But yet, he's still active, so, you know, that- there's something to be said about that, as well.
Dave Bittner: What are your recommendations? I mean, you mentioned that people need to be aware that these sorts of operators are out there. The types of things that this person is up to, how difficult it is- how difficult is it to respond to this sort of thing?
Allen West: Right, so I think if you have DDoS protection such as Akamai, you're clearly safe, but I think a lot of people don't put a sort of emphasis on that. Because he's not doing anything that is new. He's not really amplifying his attacks other than just making really big packets. So, you know, like standard DDoS protection would protect against this. And it's not a priority for people with just small gaming servers or just, you know, websites they run for a small business, things like that. So, you know, it needs to be one of those that we talk about. You know, DDoS is not dead. It's really on the rise, actually, and it can cause a lot of damage, and is kind of a booming industry. So you just gotta protect yourself in the ways that are known.
Dave Bittner: But for you and your colleagues who sort of have an eye on a person like this, is this the kind of thing you keep an eye on and wonder is this person gonna go dark sometime? Or, you know, are we gonna see a press release from the FBI?
Allen West: So I definitely I'm going to be looking at him moving forward just out of sheer interest.
Dave Bittner: Yeah.
Allen West: He hasn't posted anything about this. And then we do, for some of these actors, you know, we track their specific binaries within, you know, our background work of our honeypots, without revealing too much information about that. So we'll be able to see the new stuff he puts out, occasionally track C2s. I'm not sure if we're doing it for this one. We'll be able to look for new activity and obviously monitor his social medias 'cause I'm sure he'll tell us. But, yeah, as far as law enforcement goes, that's not something I know at this time.
Dave Bittner: Our thanks to Allen West from Akamai for joining us. The research is titled, "The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile." We'll have a link in the show notes.
The CyberWire "Research Saturday" podcast is a production of N2K Networks. Proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin, and senior producer, Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.