Botnets, especially botnets-for-hire, are lowering the bar to technology access for those seeking to launch distributed denial of service — or DDoS — attacks, run crypto mining operations, create spamming exploits and spin up other nefarious applications. Botnets are also getting easier to build and deploy because, like legitimate software development, malicious botnets can be created using existing codebases.
One example of how little technical sophistication is required is the botnet dubbed Dark Frost by researchers at Akamai web services. In spite of its use of cobbled-together code from older botnets, Dark Frost has roped in over 400 compromised devices for exploits.
According to Allen West, a security researcher on Akamai’s Security Intelligence Response team, the financially motivated actor is targeting gaming platforms to attract attention from a large audience.
“It is crucial that the security community starts acknowledging low-level actors such as these in their infancies before they grow into major threats,” West wrote in a blog about the attack, adding that Dark Frost isn’t hard to track because of their attention seeking.
According to research by West and other researchers looking at social media and Reddit, the actor behind the Dark Frost botnet is likely in their early 20s, is probably based in the U.S. and probably is not a state-aligned actor. West said that this attacker is probably a single individual, but they are interacting with a small group of like-minded hackers to share code.
Gaming platforms are target for hackers seeking attention
According to Akamai researchers, the Dark Frost actor’s gaming-industry exploits include targeting game server hosting providers, online streamers, modders (people who modify commercial games to make them more compelling and relevant) and other members of the community.
West noted that the proliferation of modders on custom servers makes them a large, easy target because they have few defenses and aren’t typically paying for large-scale protection.
“Modders are starting to address [cyber threats], and there are a couple of open-source free options for security, but these actors aren’t targeting ones they think have good protection,” said West.
Monetizing DDoS
According to the research, the Dark Frost actor is selling the tool as a DDoS-for-hire exploit and as a spamming tool.
“This is not the first exploit by this actor,” said West, who noted that the attacker favors Discord to openly tout their wares and brag. “He was taking orders there, and even posting screenshots of their bank account, which may or may not be legitimate.”
To make Dark Frost, just add codebases and mix
The Dark Frost botnet uses code from the infamous Mirai botnet, which West said was easy to obtain and highly effective in exploiting hundreds of machines. It is therefore emblematic of how, with source code from previously successful malware strains and AI code generation, someone with minimal knowledge can launch botnets and malware.
“The author of Mirai put out the source code for everyone to see, and I think that it started and encouraged the trend of other malware authors doing the same, or of security researchers publishing source code to get a bit of credibility,” said West. “Some people think DDoS is a thing of the past, but it is still causing damage.”
According to Akamai, the botnet:
- Is modeled after Gafgyt, Qbot, Mirai, and other malware strains and has expanded to encompass hundreds of compromised devices.
- Has an attack potential of approximately 629.28 Gbps using the User Datagram Protocol.
Lowering the botnet bar
West told TechRepublic that the codebases for botnets and exploits known to be effective are an easy get.
“On public repositories it’s easy to find malware that has worked effectively in the past and string together something with very minimal effort,” he said. “Dark Frost is the perfect example; and how brazenly they talk about it just adds to the picture of someone who doesn’t really get what they are doing or the implications of their actions.”
The actor touted illegal services and took few measures to remain hidden.
“It is fame seeking money seeking fame. If we look at all the malware that comes in, this one stuck because he literally signed it, and I found eight different social media platforms talking about these attacks,” West said.
The main takeaway, said West, is that, with minimal effort, the author of Dark Frost has been successful at causing damage and is aiming to organize malefactors to scale up the exploit’s capabilities.
“Security companies and just companies in general should start recognizing these threats in their infancy in order to stop them down the road when it’s an even bigger problem,” he said.