Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks

Written by

The threat actor dubbed 'Mysterious Team' has used the Raven Storm tool to conduct distributed denial-of-service (DDoS) attacks against multiple targets.

The news comes from CloudSEK, who detailed the new threat in an advisory on Sunday.

“[Our] contextual AI digital risk platform XVigil discovered a post by the Mysterious Team announcing the use of the Raven Storm tool DDoS attacks,” reads the document. “The tool uses multi-threading for sending multiple packets at a single moment of time and getting the target down.”

Additionally, the malware is reportedly capable of server takedown, Wi-Fi attacks and application layer attacks. It also gives attackers the ability to connect to a client via botnets.

From a technical standpoint, Raven Storm attacks layers 3 (network), 4 (transport), and 5 (application) of the application layer. 

The malware is coded in Python, uses a CLIF framework to operate, and can efficiently deal with robust servers. It also works at a user level (not requiring any ‘sudo,' ‘su,' or root permissions), which makes it particularly dangerous.

At the same time, CloudSEK said its security researchers believe Raven Storm requires multiple instances like botnets to operate successfully.

In terms of how the attack is executed, Raven Storm requires a URL to be provided to the attacker, who will use it to connect it to the botnet. The attacker would then execute the command “server” and define a custom password for using this botnet, thus preventing others from interfering.

For context, the ARP module uses several Nmap features to scan for local devices, so this module requires the user to have Nmap pre-installed.

“The attack begins once the user enters the required code [...] and the target host (IP address),” reads the advisory. “A request is sent to the target host to see if it is responsive; if it is, the attack is launched.”

To mitigate the impact of Raven Storm attacks, CloudSEK advised system administrators to implement anti-DDoS protection on the server and use IP geo-blocking in case of an attack.

The security experts also advised companies to patch vulnerable and exploitable endpoints, monitor for anomalies in user accounts and monitor cybercrime forums for the latest tactics employed by threat actors.

What’s hot on Infosecurity Magazine?