Category: Malware Intelligence
Type/Family: Distributed Denial-of-Service
Motivation: Hacktivism
Industry: Multiple
Executive Summary
THREAT
- Mysterious Team's multi-threaded DDoS tool, capable of server takedown, Wi-Fi attacks, and application layer attacks.
- The tool also allows connecting to a client via botnets.
IMPACT
- Significant downtime for the targeted website and server.
- Loss of brand reputation.
- Hosting issues for other websites hosted on the same server.
MITIGATION
- Implement anti-DDoS protection on the server.
- Use IP geo-blocking in case of an attack.
Analysis and Attribution of Raven Storm Tool
Information from the Post
- CloudSEK's contextual AI digital risk platform XVigil discovered a post by the Mysterious Team announcing the use of the Raven Storm tool for DDoS attacks.
- The tool uses multi-threading to send many packets at once and take the target down.
Features
Raven Storm is a powerful application layer DDoS tool with the following features:
- Attacks layers 3, 4, and 5 of the application layer.
- Coded in Python3 and can efficiently deal with robust servers.
- Requires multiple instances like botnets to operate successfully.
- Uses a CLIF framework to operate.
- Does not require any 'sudo', 'su', or root permissions.
- The backbone of the primary Python file 'main.py' is the modules script, which consists of:
  - L3: Ping target host using the ICMP protocol
  - L4: Ping target host using the UDP/TCP protocol
  - L7: Ping target host over the HTTP protocol
  - Server: To launch DDoS attacks against a target website
  - ARP: For ARP spoofing
  - Wifi: To launch the attack module for Wi-Fi attacks
Attack Modules
- 8 different modules are present for carrying out different types of attacks, such as server takedown, Wi-Fi attack, application layer attack, etc.
- The table below lists the attacks along with the module used to execute them.

| Method | Module |
|---|---|
| Ping | L3 |
| UDP/TCP Services | L4 |
| Websites | L7 (Flood Module) |
| Local Devices | ARP |
| Wifi | Bl |
| Botnet | Server |
- The tool is capable of taking down hosts and servers.
- It can be optimized and integrated to perform more substantial attacks.
Execution
- A successful DDoS attack via botnet requires the following:
  - A URL is provided to the user while executing a DDoS attack, to connect to the botnet.
  - The user has to execute the command "server" and define a custom password for using this botnet, thereby preventing others from interfering.
- The ARP module uses many Nmap features to scan for local devices. Hence, this module requires the user to have Nmap pre-installed.
- The attack begins once the user enters the required code (L3, L4, etc.) and the target host (IP address).
- A request is sent to the target host to see if it is responsive; if it is, the attack is launched.
DDoS Module
- The server module (which carries out the DDoS attacks) takes the following as input from the user:
  - Server password configured by the user.
  - Host IP.
- The server then sends a GET packet to the host.
- An error message is returned if the status code is not 200; a 200 status code means that the host was reachable and able to communicate.
- Once confirmed, the server module begins the attack. The server module can carry out 500 GET requests at a time.
- If it is unable to, the sleep function is invoked to pause for one second.
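The request pattern described above (bursts of up to 500 GET requests followed by a one-second pause) is visible from the defender's side as a per-second GET spike from a single source. As an added example that is not part of the CloudSEK report or of the Raven Storm code, the detector below parses Common Log Format access-log lines, counts GET requests per source IP in one-second windows, and flags any window at or above a threshold; the log lines, IP addresses and the threshold value are constructed for illustration.

```python
# Added example, not part of the CloudSEK report or the Raven Storm code: a
# defender-side detector for the GET flood pattern described above (up to 500
# GETs at a time, then a one-second sleep). Parses Common Log Format lines,
# buckets GETs per source IP into one-second windows and flags bursts.
# Log lines, IPs and the threshold are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime

# CLF: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_get_floods(lines, threshold=100):
    """Return {(ip, second_iso): count} for every source whose GET count in a
    single one-second window is at or above `threshold`."""
    buckets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # skip unparseable lines and non-GET methods
        second = rec["ts"].replace(microsecond=0).isoformat()
        buckets[(rec["ip"], second)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}

# Constructed sample: 150 GETs from one address within the same second (the
# flood) plus a few ordinary requests from another address.
SAMPLE = [
    '203.0.113.9 - - [10/Mar/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512'
] * 150 + [
    '198.51.100.4 - - [10/Mar/2023:12:00:01 +0000] "GET /about HTTP/1.1" 200 1024',
    '198.51.100.4 - - [10/Mar/2023:12:00:02 +0000] "POST /login HTTP/1.1" 302 0',
]
if __name__ == "__main__":
    for (ip, second), n in sorted(find_get_floods(SAMPLE).items()):
        print(f"flood: {ip} sent {n} GET requests at {second}")
```

The threshold should be tuned to the site's normal per-client request rate; flagged sources are candidates for the rate-limiting or geo-blocking controls listed under Mitigation.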
Impact & Mitigation
Impact
- Significant downtime for the website and the hosting server.
- Loss of brand reputation and image.
- Server and hosting issues for other websites hosted on the same server.
- Follow-up attacks by threat actor groups abusing a vulnerability on the domain side or server side.
Mitigation
- Implement anti-DDoS protection on the server.
- Use IP geo-blocking in case of an attack.
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
Appendix
- Figure: Screenshot of the Raven Storm tool being used by Mysterious Team for DDoS attacks
- Figure: Various options for different attacks in the code
- Figure: Python code illustrating the input and output for the server module with status code verification
- Figure: The scanner module inside the server module equates to 500 data packet requests in the code
- Figure: A sample of how the tool is used for a DDoS attack, with an IP and the thread count