Threat actors behind the CatDDoS malware botnet have exploited over 80 known security vulnerabilities in various software systems over the past three months to compromise vulnerable devices and integrate them into a botnet, which has been used to conduct distributed denial-of-service (DDoS) attacks on a global scale.
According to the QiAnXin XLab team, the gangs behind CatDDoS have used a large number of known vulnerabilities to deliver their samples, and the number of targets has been observed to exceed 300 per day at its peak.
The exploited flaws impact a wide range of devices, including routers and networking gear, from numerous vendors. Some of the affected vendors and their products include: Apache (ActiveMQ, Hadoop, Log4j, RocketMQ), Cacti, Cisco, D-Link, DrayTek, Totolink, FreePBX, GitLab, Gocloud, Huawei, Jenkins, ThinkPHP, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TP-Link, ZTE, and Zyxel.
The majority of CatDDoS’s targets have been observed in the United States, France, Germany, Brazil, and China. The impacted sectors span cloud services, education, scientific research, information transmission, public administration, and construction, among others.
CatDDoS is a variant of the infamous Mirai malware, originally named for its use of “cat” and “meow” in early domain names and samples. The botnet first emerged in August 2023 and has since evolved in sophistication. It employs the ChaCha20 encryption algorithm to secure communications with its command-and-control (C2) server and uses an OpenNIC domain for its C2 operations, a tactic designed to evade detection.
The researchers noted that CatDDoS shares the same key/nonce pair for the ChaCha20 algorithm with three other DDoS botnets: hailBot, VapeBot, and Woodman, suggesting a possible connection or the same origin.
Based on observations of related activities on Telegram channels, the researchers suspect that CatDDoS might have been shut down in December of the previous year. This is evidenced by the deletion of the message history in the Aterna botnet's channel, including a shutdown notification from the author.
Despite the shutdown, the sale or leak of CatDDoS's source code has led to the emergence of new variants, such as RebirthLTD, Komaru, and Cecilio Network, indicating that the threat continues to evolve and proliferate.