Fodcha is a new DDoS botnet family targeted Linux IoT devices. After it was firstly detected in January 2022, 4 versions of 250+ samples have been observed by us, from which over 140 C&C domains were extracted. Most of the C&C servers have been successfully contacted by our command tracking system, with over 39K unique victims detected from the 114M received attacking commands.
The data we collected includes various interesting information such as botnet scales, operations exploits, and attack methods. Detailed studies have been carried on the collected data in terms of C&C communications, attack methods, and victims. Attempts of estimating the botnet scales were also done by analyzing real attacking traffic from Fodcha. By reading an accidentally obtained copy of Fodcha C&C panel source, we even had the chance to investigate how the botmasters managed their botnets and sold their attacking service to others. We think the analysis we did would help to better detect and mitigate similar threats in the future.