Researchers believe Dark Frost was created using stolen/leaked source code from Qbot, Gafgyt, and Mirai malware to carry out DDoS attacks.
Web infrastructure company Akamai’s Security Intelligence Response Team has discovered a new botnet targeting the gaming industry with DDoS attacks.
Akamai security researcher Allen West explained that they had dubbed this botnet Dark Frost. Per their analysis, this botnet is similar to several previously discovered botnets and malware strains, including Qbot, Gafgyt, and Mirai. Researchers believe Dark Frost was created using stolen code from these strains to allow attackers to carry out DDoS attacks successfully.
How Was it Discovered?
Akamai flagged the botnet in February 2023, but they believe the attacker has been active since May 2022. When Akamai researchers reverse-engineered the botnet, its potential was reported at 629.28 Gbps via a UDP flood attack. The first binary sample was collected on February 28 in Akamai SIRT’s HTTP Honeypots.
Reportedly, the threat actor targeted misconfigurations in Hadoop YARN servers, which enabled them to conduct remote code execution. This YARN misconfiguration has existed since 2014 but has yet to be assigned a CVE, so attackers can trick the server into downloading/running their malicious binary.
According to Akamai’s blog post, the most prominent targets of Dark Frost include gaming companies, online streaming services, game server hosting providers, and gaming community members. In fact, researchers noted that the attacker has directly interacted with these members.
What is the Motive?
Researchers could not determine the exact motive of this campaign, but they suspect it is geared toward attention-seeking. Interestingly, the threat actor has even published live recordings of the attacks.
They have also been boasting about these attacks on social media, too, claiming they used the botnet to settle scores with adversaries and leave digital signatures on binary files. The actor has also created a Discord channel to offer DDoS services in exchange for money, which indicates this campaign could also be financially motivated.
Rapidly Increasing Army of Bots
Typically, botnets comprise hundreds and thousands of compromised devices located worldwide. In Dark Frost’s case, it has included hundreds of compromised devices within a short period. Until February 2023, this botnet had 414 compromised machines running different instruction set architectures, including x86, ARMv4, ARM7, MIPSEL, and MIPS.