MAR-10132963.pdf (172 KB)

US-CERT analyzed three files associated with DeltaCharlie attack malware that combine backdoor command-and-control capability with DDoS attack functions. One Windows executable installs a packet driver and a service named netplug, uses the mutex \Global\NetplugDiscovery0.7, and loads a configuration resource that derives the C2 address 202.126.90.89 from a hard-coded IP value. The bot can download and execute files, update modules, change configuration, self-delete through msvcrt.bat, and start or stop attacks. Supported attack modes include NTP, DNS, and carrier-grade NAT UDP-flood activity, with local logs recording installation, C2 connection, and attack execution events.