Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks
The threat actor dubbed ‘Mysterious Team’ has used the Raven Storm tool to conduct distributed denial-of-service (DDoS) attacks against multiple targets.
The news comes from CloudSEK, who detailed the new threat in an advisory on Sunday.
“[Our] contextual AI digital risk platform XVigil discovered a post by the Mysterious Team announcing the use of the Raven Storm tool for DDoS attacks,” reads the document. “The tool uses multi-threading for sending multiple packets at a single moment of time and getting the target down.”
Additionally, the malware is reportedly capable of server takedown, Wi-Fi attacks and application layer attacks. It also gives attackers the ability to connect to a client via botnets.
From a technical standpoint, Raven Storm targets layers 3 (network), 4 (transport) and 5 (application) of the network stack.
The malware is coded in Python, uses a CLIF framework to operate, and can efficiently deal with robust servers. It also works at a user level (not requiring any ‘sudo,’ ‘su,’ or root permissions), which makes it particularly dangerous.
At the same time, CloudSEK said its security researchers believe Raven Storm requires multiple instances like botnets to operate successfully.
In terms of how the attack is executed, Raven Storm requires the attacker to supply a URL, which is used to connect to the botnet. The attacker then runs the “server” command and sets a custom password for the botnet, preventing others from interfering with it.
For context, the ARP module uses several Nmap features to scan for local devices, so this module requires the user to have Nmap pre-installed.
“The attack begins once the user enters the required code […] and the target host (IP address),” reads the advisory. “A request is sent to the target host to see if it is responsive; if it is, the attack is launched.”
To mitigate the impact of Raven Storm attacks, CloudSEK advised system administrators to implement anti-DDoS protection on the server and use IP geo-blocking in case of an attack.
The security experts also advised companies to patch vulnerable and exploitable endpoints, monitor for anomalies in user accounts and monitor cybercrime forums for the latest tactics employed by threat actors.
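The two defensive measures above (anomaly monitoring and emergency IP geo-blocking) can be illustrated with a small detector. The following is an added example written for this article; it is not code from CloudSEK, the advisory or the Raven Storm tool. It assumes web-server access logs in Common Log Format with a bracketed timestamp, uses a constructed prefix-to-country table (`GEO_TABLE`) in place of a real GeoIP database, and all function names (`flood_sources`, `country_of`, `geo_block_decision`) are hypothetical. The sample log lines are constructed: one source sends a burst of requests the way a multi-threaded flooder would, while two other clients browse normally.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: client, ident, user, [timestamp], "request", status, size.
# Assumed log layout; adjust the pattern for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _make_line(ip, second, path="/"):
    """Build one constructed access-log line (sample data, not a real capture)."""
    ts = f"24/Nov/2024:10:15:{second:02d} +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: 203.0.113.7 fires 30 requests within five seconds;
# 198.51.100.4 and 192.0.2.9 make a handful of ordinary requests.
SAMPLE_LOG = (
    [_make_line("203.0.113.7", s // 6, "/api/search") for s in range(30)]
    + [_make_line("198.51.100.4", s, "/index.html") for s in (1, 4, 9)]
    + [_make_line("192.0.2.9", s, "/about") for s in (2, 7)]
)


def flood_sources(lines, window_seconds=10, threshold=20):
    """Return {ip: peak request count} for every source that makes at least
    `threshold` requests inside any sliding window of `window_seconds`.
    Lines are assumed to be chronological per source, as in a real log."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry; ignore
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        q = recent[ip]
        q.append(ts)
        # drop timestamps that have fallen out of the window
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed prefix-to-country table standing in for a GeoIP database.
# The country codes XA/XB/XC are placeholders, not real ISO codes.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
    ipaddress.ip_network("192.0.2.0/24"): "XC",
}


def country_of(ip):
    """Look up the (constructed) country code for an address; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def geo_block_decision(ip, blocked_countries, exempt_prefixes=()):
    """Decide whether an emergency geo-block would drop traffic from `ip`.
    Exempt prefixes (e.g. a partner's or monitoring provider's range) are
    never blocked, so a hasty geo-block does not cut off legitimate traffic."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(p) for p in exempt_prefixes):
        return False
    return country_of(ip) in blocked_countries


if __name__ == "__main__":
    flooding = flood_sources(SAMPLE_LOG)
    print("flooding sources:", flooding)          # expect only 203.0.113.7
    for ip in flooding:
        cc = country_of(ip)
        print(f"{ip} -> {cc}; geo-block would apply:",
              geo_block_decision(ip, {cc}, exempt_prefixes=("198.51.100.0/24",)))
```

The rate threshold and window are deliberately parameters: a burst that is abnormal for a small intranet service is routine for a busy public site, so the values should be derived from the server's own baseline rather than copied from here. The exemption list in `geo_block_decision` is the caveat that matters in practice, since a country-wide block applied during an incident will also silence legitimate users and third-party services in that region unless their ranges are carved out first.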