DDoS Attack: Groups and Campaigns in China, major tools and techniques
Weike Lu, ThreatBook
In recent years, there has been a significant rise in DDoS attacks in China. Our team of analysts has been researching DDoS attack groups with long-running activity for years. Among all the groups, FeiFan, MyKing and SSHPsychos are the most representative. In our session we introduce the basic situation of these groups and describe their major tools and techniques in detail.
FeiFan: A small-scale group that has profited from a variety of underground ("dark industry") businesses since 2016. Because the C&C domain names the group registered contain the string “feifan” or the main attacker’s nickname, we named the group “FeiFan”. The word “feifan” in Chinese means “extraordinary”. FeiFan widely uses the “Nitol” malware for its malicious activities.
MyKing: The group can be traced back to January 2011. Since the C&C domain names used by the group often contain the string “MyKing”, we named it “MyKing”. The malware MyKing has used includes Gh0st, DarkShell, Windows Mirai and ForShare. Recently it began to use the MS17-010 vulnerability (EternalBlue) to spread. MyKing mainly attacks using open-source trojans and common vulnerabilities. It has some development capacity; the service providers and servers of its C&C domains are located abroad, and it has begun to use domain privacy protection services. The group has a strong sense of anti-reconnaissance.
SSHPsychos: The group can be traced back to December 2009, and its attacks have been active since late 2013. Because the group usually breaks into servers using SSH brute-force attacks, foreign security vendors named it “SSHPsychos”. The group is large and has operated for more than 8 years. SSHPsychos has code development and exploitation capabilities. It is mainly engaged in DDoS attacks, private servers for online games and other related businesses. SSHPsychos’s related samples once ran only on the Windows platform; a Linux version began to appear in April 2013. Attacks decreased in 2015 as Internet service providers and security vendors cooperated to combat them, but the group is still active.
Weike Lu is a Security Researcher at ThreatBook. He received his Master’s degree in Software Engineering from Shandong University in China. His main work is Windows malware analysis and research into the attack techniques and trends of APT groups and campaigns. He has over 3 years of experience in reverse engineering and threat intelligence. Currently, he is focused on application scenarios for machine learning and deep learning in the field of threat intelligence.