Zscaler ThreatLabZ recently discovered a new DoS bot family named Sieren. A denial-of-service (DoS) attack is a cyber-attack in which cybercriminals make a host connected to the internet unavailable to its intended users, either temporarily or indefinitely. In this analysis, we describe Sieren's functionality and network communication, its 10 DoS methods, its bot commands, and its IoCs.
Functionality
Sieren is capable of performing HTTP, HTTPS, and UDP flooding on any web server location as instructed by the command-and-control (C&C) server.
- HTTP flood
- HTTPS flood
- UDP flood
Network communication
Sieren starts communication with the server by sending system information.
Data is separated by the “&” symbol.
- ping
- User Name
- Machine Name
- OS version
- Processor architecture (0 for 32-bit, 1 otherwise)
- MD5 of the above data
In response, the C&C server sends a target URL for performing a DoS attack. Data is separated by the “&” symbol.
- pong
- 60: sleep interval before the next poll (60 * 1000 milliseconds)
- Task_ID = 260
- Method = 2
- Target = https://deti-online.com/
- Type = GET
- Threads = 100
- Sleep = 100
- Port = 0
- Sockets = 0 (number of sockets)
- Size = 0 (size of data sent through each packet during the DoS)
- CreatedAT = Timestamp
- Data = Empty (data sent through packet during DoS)
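The two "&"-delimited messages described above, decoded the way an analyst would decode them from a packet capture or proxy log. This is an added example, not code from the post or from the malware; the field order follows the lists above, and the assumption that the trailing MD5 covers the "&"-joined preceding fields is ours, as are the sample messages.

```python
import hashlib

# Field order of the "pong" task message after the leading "pong" and the
# 60-second poll interval, as listed in the post.
TASK_FIELDS = ("task_id", "method", "target", "type", "threads", "sleep",
               "port", "sockets", "size", "created_at", "data")

# Method families as described in the post: 1-5 HTTP/HTTPS request floods,
# 6-7 socket exhaustion, 8-9 random-data floods, 10 UDP flood.
METHOD_FAMILY = {**{m: "http_flood" for m in range(1, 6)},
                 6: "socket_exhaustion", 7: "socket_exhaustion",
                 8: "raw_data_flood", 9: "raw_data_flood", 10: "udp_flood"}

def parse_beacon(raw):
    """Parse a bot->C&C 'ping' message and check its trailing MD5.
    Assumption (not stated in the post): the MD5 is computed over the
    '&'-joined fields that precede it."""
    parts = raw.split("&")
    if len(parts) != 6 or parts[0] != "ping":
        raise ValueError("not a Sieren ping message")
    expected = hashlib.md5("&".join(parts[:5]).encode()).hexdigest()
    return {"kind": "ping", "user": parts[1], "machine": parts[2],
            "os_version": parts[3],
            "arch": "x64" if parts[4] == "1" else "x86",
            "md5_ok": expected.lower() == parts[5].lower()}

def parse_task(raw):
    """Parse a C&C->bot 'pong' task message into named, typed fields.
    Data is the last field, so split with maxsplit to keep any '&' in it."""
    parts = raw.split("&", 1 + len(TASK_FIELDS))
    if len(parts) != 2 + len(TASK_FIELDS) or parts[0] != "pong":
        raise ValueError("not a Sieren pong message")
    task = {"kind": "pong", "poll_sleep_s": int(parts[1])}
    task.update(zip(TASK_FIELDS, parts[2:]))
    for key in ("task_id", "method", "threads", "sleep", "port", "sockets", "size"):
        task[key] = int(task[key])
    task["family"] = METHOD_FAMILY.get(task["method"], "unknown")
    return task

# Constructed samples (not captured traffic). The beacon's MD5 is computed
# here so the sample is self-consistent under the assumption above.
_beacon_fields = ["ping", "user1", "WIN-TEST", "6.1.7601", "1"]
SAMPLE_PING = "&".join(_beacon_fields +
                       [hashlib.md5("&".join(_beacon_fields).encode()).hexdigest()])
SAMPLE_PONG = "pong&60&260&2&http://target.example/&GET&100&100&0&0&0&1500000000&"

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_PING))
    print(parse_task(SAMPLE_PONG))
```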
The malware is capable of performing a DoS attack against the target URL using different methods. The variant we analyzed has 10 methods supported for flooding, and it chooses the method based on data received from the C&C server.
In the above instance, we saw that a Russian educational materials website (https://deti-online[.]com) was the intended target for this bot. During our analysis we also saw the C&C server hand out other locations, such as forum.exlpoit[.]in and x3p0[.]xyz, as DoS targets.
The Sieren bot selects the DoS method based on data received from the C&C server. Below are the parameters used in these methods:
| Method | Task_ID | Target | Type (GET/POST) | No. of threads | Sleep | Data | No. of Sockets | Port | Size of data |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Yes | Yes | Yes | Yes | Yes | | | | |
| 2 | Yes | Yes | Yes | Yes | | | | | |
| 3 | Yes | Yes | Yes | | | | | | |
| 4 | Yes | Yes | Yes | Yes | | | | | |
| 5 | Yes | Yes | Yes | | | | | | |
| 6 | Yes | Yes | Yes | Yes | | | | | |
| 7 | Yes | Yes | Yes | Yes | | | | | |
| 8 | Yes | Yes | Yes | Yes | Yes | | | | |
| 9 | Yes | Yes | Yes | Yes | | | | | |
| 10 | Yes | Yes | Yes | Yes | | | | | |
The C&C server can specify the port, data, sleep time, sockets, and size of packets that will be used during flooding.
During flooding, a user agent is selected randomly from a predefined list, as shown below.
DoS methods supported by Sieren
Method 1:
In this method, the malware first gets the cookies for the target URL using InternetGetCookieEx and uses them in the HTTP header when generating flood requests. Based on the protocol (HTTP/HTTPS) and method (POST/GET), it starts sending multiple requests to the target URL.
The screenshot below shows the code that generates the header.
The screenshot below shows the HTTP flooding code:
The screenshot below shows the HTTPS flooding code:
Method 2:
The malware creates 50 sockets and sends 50 HTTP requests before executing a sleep command with the value supplied by the C&C server. It repeats this process as long as the task ID remains active.
Method 3:
This method is similar to method 2, but the bot won’t sleep after every 50 requests.
Method 4:
In this method, the bot will use data supplied by the C&C server in the flood requests to the target URL.
Method 5:
In this method, the bot also reads the server's response while flooding the target URL, after which it sleeps for 100 seconds. It then resumes sending flood requests to the target URL.
Method 6:
This method is used when the number of sockets and the port are specified by the C&C server. The bot does not send HTTP or HTTPS flood requests; instead, it opens multiple sockets to the target in an attempt to exhaust server-side resources. It repeatedly closes and opens additional sockets to the target as long as the task ID remains active.
Method 7:
This method is identical to Method 6 and appears to be a placeholder for a future update.
Method 8:
In this method, the bot receives arguments such as the size of the random data, the number of sockets, and the port from the C&C server. The bot generates random data of the specified size, opens multiple sockets, and floods the target with the randomly generated data.
Method 9:
In this method, the C&C server supplies the size of the random data and the port. The bot generates random data and floods the target on the specified port.
Method 10:
This method is used for UDP-based flooding. The bot will send random data using the UDP protocol, and it sets the TTL (time to live) value between 220 and 225 for these packets.
The bot will stop performing flood requests once the C&C server stops sending additional commands.
Sieren bot commands:
Besides the DoS methods, the malware supports three additional commands.
- “dlexec”: Download payload from the URL given by the C&C server and execute it.
- “update”: Download the updated version and execute it. It also deletes itself using the cmd process.
- “Uninstall”: Deletes itself using the cmd process.
Indicators of Compromise:
MD5
320A600147693B3D135ED453FAC42E82
URL
cx93835[.]tmweb.ru/rrljw91zqd.exe
burgerkingfanbase[.]net/great.php