CatDDoS Botnet Wreaks Havoc: 80+ Vulnerabilities Exploited
Over the past three months, hackers behind the CatDDoS botnet have exploited over 80 known vulnerabilities in various software products to infect devices and incorporate them into their network for conducting Distributed Denial-of-Service (DDoS) attacks.
According to researchers from QiAnXin, samples associated with CatDDoS leverage numerous known vulnerabilities, with the maximum number of targets attacked in a single day exceeding 300.
The exploited vulnerabilities affect routers, other network equipment, and server-side software from vendors and projects including Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, and Zyxel.
CatDDoS was first described by QiAnXin and NSFOCUS in late 2023 as a variant of the Mirai botnet, capable of launching DDoS attacks over UDP, TCP, and other methods. First discovered in August 2023, the malware was named for strings such as "catddos.pirate" and "password_meow" found in its command-and-control (C2) domains and samples.
Most of the attacked targets are located in China, the United States, Japan, Singapore, France, Canada, the United Kingdom, Bulgaria, Germany, the Netherlands, and India.
In addition to encrypting communication with its command-and-control servers with the ChaCha20 algorithm, the botnet uses OpenNIC domains (such as the .pirate TLD, which lives in an alternative DNS root rather than the ICANN root) to evade detection; because such names are not served by the ICANN root, they also fall outside the usual registrar takedown processes. The same technique was previously used by another Mirai-based botnet, Fodcha.
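The OpenNIC technique leaves a simple network-level trace: a host must query a name whose rightmost label is an OpenNIC TLD, and it can only resolve that name through a non-ICANN resolver. The following detection logic is an added example written for this page, not code from QiAnXin or any of the botnet families; the log format, the client and resolver addresses, and the approved-resolver set are all constructed, and the TLD list is a snapshot that should be refreshed from opennic.org before use.

```python
import ipaddress

# Snapshot of OpenNIC TLDs (alternative root, not resolvable through the ICANN root).
# Assumption: this list is a snapshot; refresh it from opennic.org before deploying.
OPENNIC_TLDS = frozenset({
    "bbs", "chan", "cyb", "dyn", "epic", "geek", "gopher", "indy",
    "libre", "neo", "null", "o", "oss", "oz", "parody", "pirate",
})

# Constructed sample log lines (not real telemetry). Assumed format:
#   <timestamp> <client-ip> <resolver-ip> <qtype> <qname>
SAMPLE_DNS_LOG = """\
2024-05-21T10:02:11Z 10.0.0.12 10.0.0.53 A www.example.com.
2024-05-21T10:02:12Z 10.0.0.12 10.0.0.53 A catddos.pirate
2024-05-21T10:02:13Z 10.0.0.40 203.0.113.7 A update.example.net
2024-05-21T10:02:14Z 10.0.0.40 10.0.0.53 AAAA mail.example.com
2024-05-21T10:02:15Z 10.0.0.77 10.0.0.53 A node1.some-c2.oss
"""

# Constructed: the site's only sanctioned recursive resolver.
APPROVED_RESOLVERS = frozenset({"10.0.0.53"})


def tld_of(qname):
    """Return the lowercased rightmost label of a query name, ignoring a trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] if labels and labels[-1] else ""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, resolver, qtype, qname = parts
    try:
        ipaddress.ip_address(client)
        ipaddress.ip_address(resolver)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "resolver": resolver,
            "qtype": qtype, "qname": qname}


def detect_opennic(log_text, approved_resolvers=APPROVED_RESOLVERS, tlds=OPENNIC_TLDS):
    """Return a list of (rule, client, indicator) alerts.

    "opennic-tld": a query for a name under an OpenNIC TLD.
    "unapproved-resolver": the client sent DNS to a resolver outside the approved set;
    a host resolving OpenNIC names needs a non-corporate resolver, so this is the
    second signal to correlate with the first.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if tld_of(rec["qname"]) in tlds:
            alerts.append(("opennic-tld", rec["client"], rec["qname"].rstrip(".")))
        if rec["resolver"] not in approved_resolvers:
            alerts.append(("unapproved-resolver", rec["client"], rec["resolver"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_opennic(SAMPLE_DNS_LOG):
        print(alert)
```

Run against the constructed log, the detector flags the catddos.pirate query, the query under .oss, and the host that bypassed the corporate resolver; in production, feed it your resolver or Zeek dns.log export and alert when both rules fire for the same client.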
CatDDoS also uses the same ChaCha20 key and nonce pair as three other botnets: hailBot, VapeBot, and Woodman. Because a fixed key and nonce produce a fixed keystream, a key recovered from a sample of any one family decrypts the C2 traffic of all four, and the overlap points to a shared codebase.
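To make the consequence of a shared key and nonce concrete, here is an added example (written for this page, not code from any of the botnets or from QiAnXin) with a from-scratch ChaCha20 per RFC 8439. The key, nonce and C2 messages are constructed stand-ins, since the real values are not on this page. It shows two things: a defender who recovered the pair from one family decrypts another family's traffic directly, and even without the key, reusing one keystream means the XOR of two ciphertexts equals the XOR of the two plaintexts, so a known plaintext from one sample reveals the other.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block (RFC 8439: 32-byte key, 12-byte nonce, 32-bit counter)."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, nonce, counter + off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
    return bytes(out)


# Constructed stand-ins for the pair shared across families (not the real values).
SHARED_KEY = bytes.fromhex("8f" * 32)
SHARED_NONCE = bytes.fromhex("11" * 12)

# Constructed C2 commands, one per "family", both encrypted under the same key/nonce.
CATDDOS_MSG = b"attack udp 203.0.113.9:80 60"
HAILBOT_MSG = b"attack tcp 198.51.100.4:443 30"


def decrypt_c2(ciphertext, key=SHARED_KEY, nonce=SHARED_NONCE):
    """Defender with the recovered pair: decrypts traffic from any family using it."""
    return chacha20_xor(key, nonce, ciphertext)


def recover_from_keystream_reuse(ct_known, pt_known, ct_target):
    """No key needed: with one keystream K, C1 ^ C2 = (P1 ^ K) ^ (P2 ^ K) = P1 ^ P2,
    so a known plaintext from one family exposes the other (up to the shorter length)."""
    n = min(len(ct_known), len(pt_known), len(ct_target))
    return bytes(a ^ b ^ c for a, b, c in zip(ct_known[:n], pt_known[:n], ct_target[:n]))


if __name__ == "__main__":
    ct_cat = chacha20_xor(SHARED_KEY, SHARED_NONCE, CATDDOS_MSG)
    ct_hail = chacha20_xor(SHARED_KEY, SHARED_NONCE, HAILBOT_MSG)
    print("with key:   ", decrypt_c2(ct_hail))
    print("without key:", recover_from_keystream_reuse(ct_cat, CATDDOS_MSG, ct_hail))
```

The block function is checked against the RFC 8439 section 2.3.2 vector before relying on it; in practice the recovered key and nonce go into `decrypt_c2` as a decoder for captured C2 traffic, while the second function is what makes a shared keystream a triage shortcut rather than just a code-reuse indicator.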
According to QiAnXin XLab, CatDDoS attacks target cloud services, education, scientific research, information technology, government, construction, and other sectors.
It is believed that the malware authors ceased operations in December 2023, but before doing so they put the source code up for sale in a specialized Telegram group.
Following the sale or leak of that source code, new variants have emerged, such as RebirthLTD, Komaru, and Cecilio Network. Although the variants may be operated by different groups, their code, communication design, and decryption routines differ little from the original.
The proliferation of the CatDDoS botnet and similar threats underscores the importance of timely vulnerability remediation, continuous threat monitoring, and international cooperation in cybersecurity to protect digital infrastructure.