| Category | Type/Family | Motivation | Industry |
|---|---|---|---|
| Malware Intelligence | Distributed Denial-of-Service | Hacktivism | Multiple |
- CloudSEK’s contextual AI digital risk platform XVigil discovered a post by the Mysterious Team announcing the use of the Raven Storm tool for DDoS attacks.
- The tool uses multi-threading to send multiple packets at a single moment in time and take the target down.
- Attacks layers 3, 4, and 5, up to the application layer.
- Coded in Python 3 and can efficiently deal with robust servers.
- Requires multiple instances, like a botnet, to operate successfully.
- Uses a CLIF framework to operate.
- Does not require any ‘sudo’, ‘su’, or root permissions.
- The backbone of the primary Python file, ‘main.py’, is the modules script, which provides:
  - L3: Ping target host using the ICMP protocol
  - L4: Ping target host using the UDP/TCP protocol
  - L7: Ping target host over the HTTP protocol
  - Server: To launch DDoS attacks against a target website
  - ARP: For ARP spoofing
  - Wifi: To launch the attack module for Wi-Fi attacks
- 8 different modules are present for carrying out different types of attacks, such as server takedown, Wi-Fi attack, application layer attack, etc.
- The table below contains the list of attacks along with the module used to execute them.

| Target | Module |
|---|---|
| Websites | L7 (Flood Module) |
- The tool is capable of taking down hosts and servers.
- It can be optimized and integrated to perform more substantial attacks.
- A successful DDoS attack via the botnet requires the following:
  - A URL is provided to the user while executing a DDoS attack, to connect to the botnet.
  - The user has to execute the command “server” and define a custom password for using this botnet, thereby preventing others from interfering.
- The ARP module uses many Nmap features to scan for local devices; hence, this module requires the user to have Nmap pre-installed.
- The attack begins once the user enters the required code (L3, L4, etc.) and the target host (IP address).
- A request is sent to the target host to check whether it is responsive; if it is, the attack is launched.
- The server module (which carries out the DDoS attacks) takes the following as input from the user:
  - Server password configured by the user
  - Host IP
- The server then sends an HTTP GET request to the host.
- An error message is returned if the HTTP status code is not 200; a 200 status code means that the host was reachable and able to communicate.
- Once confirmed, the server module begins the attack. The server module can issue 500 GET requests at a time.
- If it is unable to, the sleep function is invoked to pause for a second.
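The server module's behaviour described above (a reachability GET followed by bursts of up to 500 GET requests) leaves a distinctive trace in a web server's access log: one source address issuing hundreds of GETs inside a very short window. The following is an added detection example written for this report; it is not CloudSEK's or the Raven Storm project's code. It assumes logs in the common/combined access-log format and uses an illustrative 10-second window and a threshold of 100 GETs per window (neither number comes from the report; tune both to the site's normal traffic). The sample log lines are constructed inline.

```python
"""Added example: flag source IPs that issue bursts of HTTP GET requests,
the L7 flood pattern described in the report. Not the report's or the
Raven Storm project's code; window and threshold values are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_get_floods(lines, window_seconds=10, threshold=100):
    """Sliding-window count of GETs per source IP.

    Returns {ip: peak number of GETs seen inside any single window} for every
    IP whose count exceeded `threshold`. Lines are expected in time order, as
    they are written by the server.
    """
    recent = defaultdict(deque)   # ip -> timestamps of GETs inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample data (not real traffic): one ordinary visitor and a
    burst of 500 GETs from a single address inside one second, mirroring the
    '500 GET requests at a time' behaviour described in the report."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [
        fmt.format(ip="198.51.100.7", ts="01/Jan/2023:10:00:00 +0000", path="/"),
        fmt.format(ip="198.51.100.7", ts="01/Jan/2023:10:00:03 +0000", path="/about"),
    ]
    for i in range(500):
        lines.append(fmt.format(ip="203.0.113.5",
                                ts="01/Jan/2023:10:00:05 +0000",
                                path="/?r=%d" % i))
    lines.append(fmt.format(ip="198.51.100.7",
                            ts="01/Jan/2023:10:00:30 +0000", path="/contact"))
    return lines


if __name__ == "__main__":
    for ip, peak in detect_get_floods(build_sample_log()).items():
        print("possible L7 flood from %s: %d GETs in one window" % (ip, peak))
```

In practice the flagged addresses would be fed to the reverse proxy or WAF for rate limiting or temporary blocking; because the tool needs many instances (a botnet) to be effective, per-IP thresholds should be paired with an aggregate request-rate alert so that a distributed burst spread across many sources is still noticed.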