Several brand-new features were found in this revamped version of the botnet, including ransom demands injected into attack packets and evasion tools that hide the infrastructure from detection.
A number of updates and developments have been quietly made to the botnet since April 2022, meaning the threat is constantly evolving and becoming more dangerous with every passing day.
Fodcha version 4, the latest version of the botnet, has seen unprecedented growth. Since Netlab's last report, the team behind the botnet has been taking major steps to hinder any further investigation.
On the infection map, China and the United States are shaded darkest because they have been attacked more frequently than the other countries.
However, the botnet's reach already extends around the globe, infecting systems in the following countries:
Two versions of Fodcha, V2.X and V3, use the parallel Config organization method, while V4 and V4.X use the structured Config organization method.
It is worth noting that although the Config organization methods differ completely, the encryption method is similar across versions.
Ransom Demands & Network Communication
At the code level, Fodcha's network communication is largely fixed. It involves four primary steps:
- decrypt the C2 address
- perform the DNS query
- establish communication with the C2
- execute the received instructions
Fodcha makes money by renting its firepower to other threat actors who wish to launch DDoS attacks, rather than relying on attacks of its own.
Moreover, this version also includes extortion: a Monero ransom is demanded in order to stop the attacks.
In a DDoS packet analyzed by Netlab, Fodcha demands that the victim pay the attacker 10 XMR (Monero), which equals roughly $1,500 at the time of the report.
The threat actors demand Monero because it is a privacy coin, meaning the transaction cannot be traced easily. As a result, XMR is commonly requested as a payment method by ransomware gangs and other threat actors.
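Because the ransom demand travels inside the DDoS traffic itself, a defender who captures a sample of the flood can look for the note directly in the packet payloads. The following Python scanner is an added example, not code from the Netlab report or from Fodcha: it decodes each payload leniently, flags any mention of an XMR amount, and pulls out anything shaped like a Monero address so it can be handed over as an IoC. The payloads, the address and the function names are constructed for illustration; the address format (95 Base58 characters starting with 4 or 8, or 106 for integrated addresses) is the standard Monero encoding.

```python
"""Scan captured DDoS packet payloads for embedded extortion notes.

Added example (not from the Netlab report). The sample payloads and the
wallet address below are constructed placeholders, not real indicators.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Monero standard addresses/subaddresses: 95 Base58 chars starting with 4 or 8.
# Integrated addresses: 106 Base58 chars starting with 4.
# Base58 excludes 0, O, I and l.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDRESS_RE = re.compile(
    r"\b(?:4" + _B58 + r"{105}|[48]" + _B58 + r"{94})\b"
)
# Matches "10 XMR", "10XMR", "2.5 monero" (case-insensitive).
XMR_AMOUNT_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*(?:xmr|monero)\b", re.IGNORECASE)

# Constructed placeholder address: correct shape, not a real wallet.
CONSTRUCTED_ADDRESS = "4" + "A" * 94

# Constructed payloads: one benign-looking HTTP flood line, one note with an
# amount and an address wrapped in binary filler, one amount-only note, and
# one pure binary filler.
SAMPLE_PAYLOADS: List[bytes] = [
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"\x00\x01\x02PAY 10 XMR TO " + CONSTRUCTED_ADDRESS.encode() + b" OR WE CONTINUE\x00" * 2,
    b"send 10 xmr now",
    b"\xff" * 32,
]


@dataclass
class RansomNoteHit:
    index: int                  # position of the payload in the capture
    amount_xmr: Optional[float] # demanded amount, if any was stated
    address: Optional[str]      # Monero-shaped address, if present


def extract_text(payload: bytes) -> str:
    """Decode leniently so ASCII notes embedded in binary filler survive."""
    return payload.decode("utf-8", errors="replace")


def scan_payload(payload: bytes) -> Tuple[Optional[float], Optional[str]]:
    """Return (amount, address) found in one payload; None where absent."""
    text = extract_text(payload)
    amt = XMR_AMOUNT_RE.search(text)
    addr = MONERO_ADDRESS_RE.search(text)
    return (float(amt.group(1)) if amt else None, addr.group(0) if addr else None)


def scan_payloads(payloads: Sequence[bytes]) -> List[RansomNoteHit]:
    """Flag every payload that carries an XMR amount and/or a Monero address."""
    hits: List[RansomNoteHit] = []
    for i, p in enumerate(payloads):
        amount, address = scan_payload(p)
        if amount is not None or address is not None:
            hits.append(RansomNoteHit(i, amount, address))
    return hits


def unique_addresses(hits: Sequence[RansomNoteHit]) -> List[str]:
    """Distinct addresses across all hits, for IoC sharing and blocking."""
    return sorted({h.address for h in hits if h.address})


if __name__ == "__main__":
    for hit in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload #{hit.index}: amount={hit.amount_xmr} address={hit.address}")
    print("addresses:", unique_addresses(scan_payloads(SAMPLE_PAYLOADS)))
```

In practice the payload list would come from a packet capture taken during the flood (for example, UDP payloads exported from a pcap); the lenient decoding matters because the note is typically surrounded by random filler bytes. Matching on the address shape rather than on exact note text keeps the check working when the wording of the demand changes between campaigns.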