Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha which is capable of performing over 100 attacks every day.
Employing this new malware, the threat actor is attacking routers, DVRs, and servers. The actors were able to infect nearly 62,000 machines with the Fodcha virus in less than a month, as per the researchers.
360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates, as they are monitoring a 10,000-strong Fodcha army of bots utilizing Chinese IP addresses every day, with the majority of them using China Unicom (59.9%) and China Telecom (59.9%) services (39.4 percent ).
Researchers alleged that "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000." "The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, as well as over 100 DDoS victims are targeted daily."
The Fodcha infects devices by exploiting n-day vulnerabilities in many devices and employing the Crazyfia brute-force cracking tool.
The botnet targets a variety of devices and services, including but not limited to:
RCE for Android ADB Debug Server
CVE-2021-22205 on GitLab
CVE-2021-35394 in the Realtek Jungle SDK
JAWS Webserver unverified shell command execution on MVPower DVR
LILIN DVR RCE: LILIN DVR
TOTOLINK Routers: Backdoor TOTOLINK Routers
ZHONE Router: Web RCE ZHONE Router
After successfully acquiring access to susceptible Internet-exposed devices samples, Fodcha attackers use Crazyfia result data to deploy malware payload. The botnet samples, according to 360 Netlab, target MIPS, MPSL, ARM, x86, and other CPU platforms.
The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc when the cloud vendor took down the essential C2 domain.
"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported.
"The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." It also includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others.