Raven Storm, the Multi-Threading Tool Employed by Hacktivists for DDoS Attacks

Summary

CloudSEK’s contextual AI digital risk platform XVigil discovered a post by the Mysterious Team announcing the use of the Raven Storm tool DDoS attacks. The tool uses multi-threading for sending multiple packets at a single moment of time and getting the target down.
Category: Malware Intelligence Type/Family: Distributed Denial-of-Service Motivation: Hacktivism Industry: Multiple

Executive Summary

THREAT IMPACT MITIGATION
  • Mysterious team's powerful multi-threading DDoS tool capable of server takedown, wifi attack, and application layer attacks
  • Tool also allows connecting to a client via botnets.
  • Significant downtime for the targeted website and server
  • Loss of brand reputation.
  • Hosting issues for other websites being hosted on the same server.
  • Implement anti-DDoS protection on the server.
  • Use IP geo-blocking in case of an attack.

Analysis and Attribution of Raven Storm Tool

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a post by the Mysterious Team announcing the use of the Raven Storm tool DDoS attacks.
  • The tool uses multi-threading for sending multiple packets at a single moment of time and getting the target down.

Features

Raven Storm is a powerful application layer DDoS tool with the following features:
  • Attacks layers 3, 4, and 5 of the application layer.
  • Coded Python3 and can efficiently deal with robust servers.
  • Requires multiple instances like botnets to operate successfully.
  • Uses a CLIF framework to operate.
  • Does not require any ‘sudo’, ‘su’, or root permissions.
  • The backbone of the primary python file ‘main.py’ is the modules script which is:
    • L3: Ping target host using ICMP protocol
    • L4: Ping target host using UDP/TCP protocol
    • L7: Ping target host over HTTP Protocol
    • Server: To launch DDoS attacks against a target website.
    • ARP: For ARP Spoofing
    • Wifi: To launch the attack module for Wifi attacks.

Attack Modules

  • 8 different modules are present for carrying out different types of attacks such as server takedown, wifi attack, application layer attack, etc.
  • The table below contains the list of attacks along with the module used to execute them.
Method Module
Ping L3
UDP/TCP Services L4
Websites L7 (Flood Module)
Local Devices ARP
Wifi Bl
Botnet Server
  • The tool is capable of taking down hosts and servers.
  • It can be optimized and integrated to perform more substantial attacks.

Execution

  • To a successful DDoS attack via botnet requires the following:
    • A URL is provided to the user while executing a DDoS attack, to connect to the botnet.
    • The user has to execute the command “server” and define a custom password for using this botnet, thereby preventing others from interfering.
  • The ARP module uses a lot of Nmap features to scan for local devices. Hence, this module requires the user to have Nmap pre-installed.
  • The attack begins once the user enters the required code (L3, L4, etc) and the target host (IP address).
  • A request is sent to the target host to see if it is responsive; if it is, the attack is launched.

DDoS Module

  • The server module (that carries out the DDOS Attacks) takes the following as input from the user:
    • Server password configured by the user.
    • Host IP
  • The server then sends a GET packet to the host.
  • An error message is returned if the session code is not 200. Here, 200 session code means that the host was reachable and able to communicate.
  • Once confirmed, the server module begins the attack. The server module can carry out 500 GET requests at a time.
  • If it is unable to, then the sleep function is invoked to have a pause of a second.

Impact & Mitigation

Impact Mitigation
  • Significant amount of downtime for the website and the hosting server.
  • Loss of brand reputation and image.
  • Server and hosting issues for other websites hosted on the same server.
  • Follow-up attack by the threat actor groups abusing a vulnerability on the domain side or server side.
  • Implement anti-DDoS protection on the server.
  • Use IP geo-blocking in case of an attack
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

References

Appendix

Screenshot of the Raven Storm tool being used by Mysterious Team for DDoS attacks
Screenshot of the Raven Storm tool being used by Mysterious Team for DDoS attacks
 
Various options for different attacks in the code
Various options for different attacks in the code
 
Python code illustrating the input and output for the server module with status code verification
Python code illustrating the input and output for the server module with status code verification
 
The scanner module inside the server module equates to 500 data packet requests in the code
The scanner module inside the server module equates to 500 data packet requests in the code
 
A sample of how the tool is used for DDoS attack, with an IP and the Thread count
A sample of how the tool is used for DDoS attack, with an IP and the Thread count
   

Table of Contents

Request an easy and customized demo for free