Raven Storm, the Multi-Threading Tool Employed by Hacktivists for DDoS Attacks
August 21, 2022
Category: Malware Intelligence
Type/Family: Distributed Denial-of-Service
Motivation: Hacktivism
Industry: Multiple
Executive Summary
Threat
- Mysterious Team’s powerful multi-threading DDoS tool capable of server takedown, wifi attack, and application layer attacks.
- Tool also allows connecting to a client via botnets.
Impact
- Significant downtime for the targeted website and server.
- Loss of brand reputation.
- Hosting issues for other websites being hosted on the same server.
Mitigation
- Implement anti-DDoS protection on the server.
- Use IP geo-blocking in case of an attack.
Analysis and Attribution of Raven Storm Tool
Information from the Post
CloudSEK’s contextual AI digital risk platform XVigil discovered a post by the Mysterious Team announcing the use of the Raven Storm tool for DDoS attacks.
The tool uses multi-threading to send many packets at the same moment, overwhelming the target and taking it down.
Features
Raven Storm is a powerful application layer DDoS tool with the following features:
Attacks at layers 3, 4, and 5, up to the application layer.
Coded in Python 3 and can efficiently deal with robust servers.
Requires multiple instances like botnets to operate successfully.
Uses a CLIF framework to operate.
Does not require any ‘sudo’, ‘su’, or root permissions.
The backbone of the primary Python file ‘main.py’ is the modules script, which provides:
L3: Ping target host using the ICMP protocol
L4: Ping target host using the UDP/TCP protocol
L7: Ping target host over the HTTP protocol
Server: To launch DDoS attacks against a target website.
ARP: For ARP Spoofing
Wifi: To launch the attack module for Wifi attacks.
Attack Modules
8 different modules are present for carrying out different types of attacks, such as server takedown, wifi attack, and application layer attack.
The table below lists the attack methods along with the module used to execute each of them.
Method              Module
Ping                L3
UDP/TCP Services    L4
Websites            L7 (Flood Module)
Local Devices       ARP
Wifi                Bl
Botnet              Server
The tool is capable of taking down hosts and servers.
It can be optimized and integrated to perform more substantial attacks.
Execution
A successful DDoS attack via botnet requires the following:
A URL is provided to the user while executing a DDoS attack, in order to connect to the botnet.
The user has to execute the command “server” and define a custom password for using this botnet, thereby preventing others from interfering.
The ARP module relies heavily on Nmap features to scan for local devices. Hence, this module requires the user to have Nmap pre-installed.
The attack begins once the user enters the required code (L3, L4, etc.) and the target host (IP address).
A request is sent to the target host to see if it is responsive; if it is, the attack is launched.
DDoS Module
The server module (which carries out the DDoS attacks) takes the following as input from the user:
Server password configured by the user.
Host IP
The server then sends a GET request to the host.
An error message is returned if the response code is not 200; a 200 code means that the host was reachable and able to communicate.
Once confirmed, the server module begins the attack. The server module can issue 500 GET requests at a time.
If it is unable to, the sleep function is invoked to pause for one second.
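The traffic pattern described above (a single reachability GET followed by bursts of up to 500 GET requests per second from one source) is visible in ordinary web server access logs. The following detector is an added example written for this page, not code from CloudSEK or from the Raven Storm tool; it assumes the nginx/Apache combined log format, a chronologically ordered log, and uses constructed sample lines with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (nginx/Apache): ip - - [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, epoch_seconds, method) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("method")

def detect_get_bursts(lines, threshold=200, window=1.0):
    """Sliding window per source IP: flag IPs whose GET count within any
    `window` seconds reaches `threshold`. Returns {ip: peak_count}.
    Assumes lines arrive in time order, as they do in a live access log."""
    recent = defaultdict(deque)   # ip -> timestamps of GETs still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "GET":
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def make_sample_log():
    """Constructed sample (hypothetical addresses): one benign client, and one
    client mimicking the pattern above: a probe GET, then 500 GETs in one second."""
    fmt = '{ip} - - [21/Aug/2022:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 612'
    lines = [fmt.format(ip="198.51.100.7", sec=s) for s in (0, 5, 9)]   # benign browsing
    lines.append(fmt.format(ip="203.0.113.9", sec=1))                   # reachability probe
    lines += [fmt.format(ip="203.0.113.9", sec=2)] * 500                # burst of 500 GETs
    return lines

if __name__ == "__main__":
    print(detect_get_bursts(make_sample_log()))   # {'203.0.113.9': 501}
```

A flagged source is a candidate for rate limiting or geo-blocking at the edge; the threshold should be tuned against the site's normal per-client request rate.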
Impact & Mitigation
Impact
- Significant amount of downtime for the website and the hosting server.
- Loss of brand reputation and image.
- Server and hosting issues for other websites hosted on the same server.
- Follow-up attack by the threat actor groups abusing a vulnerability on the domain side or server side.
Mitigation
- Implement anti-DDoS protection on the server.
- Use IP geo-blocking in case of an attack.
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Monitor cybercrime forums for the latest tactics employed by threat actors.