A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to “gamify” DDoS attacks in order to attract a critical mass of hackers working toward a unified goal.
The hacking platform is called Surface Defense and is being promoted in Turkish-language Dark Web forums including Turkhackteam and Root Developer, according to Forcepoint Security Labs, the security firm that first uncovered and reported the DDoS platform.
Promoters of Surface Defense are actively recruiting Turkish hackers that may be sympathetic to Turkish nationalist beliefs, Forcepoint believes. Targets of the DDoS attacks range from the Kurdistan Workers Party, German Christian Democratic Party and the Armenian National Institute website in Washington D.C., said Carl Leonard, principal security analyst at Forcepoint. “It’s unclear if those behind the Surface Defense platform are indeed politically motivated or they are simply using politics as a marketing tool to lure hackers into their network.”
Forcepoint believes that this is the first time a hacker has “gamified” a hacking platform to the extent that participants compete against one another and can compare scores and redeem points for rewards on a single service.
Hackers are recruited via Turkish Dark Web hacker forums, and to participate in the program they must download the Surface Defense collaboration program and register. Surface Defense runs locally on a computer. Users congregate online within the program and can communicate and compare points they earn.
Next, participants are required to download a DDoS attack tool called Sledgehammer. Sledgehammer is software that comes preconfigured to perform HTTP-based Slowloris-type DDoS assaults against 24 preselected sites determined by the software’s author.
“Those who appear on this target list appear to be there for political reasons… Users receive a point for every 10 minutes they attack one of the websites,” according to Forcepoint, which on Wednesday released its report.
Sledgehammer utilizes the PC’s resources to conduct the attack, routing DDoS traffic through the anonymizing Tor service. Currently, there is little evidence that the hacking group has successfully knocked a targeted site offline. “We believe that those behind Sledgehammer are in the participant acquisition phase and are trying to reach critical mass,” Leonard said.
Threatpost contacted one Sledgehammer target, the Armenian National Institute, which said it was unaware of any recent attempted site disruptions.
Once a participant achieves a certain level of points they are awarded an unlocked version of Sledgehammer that they can customize and re-distributed to conduct DDoS attacks themselves.
The zinger for participating hackers, Forcepoint said, is that Sledgehammer has an unadvertised backdoor that allow the program’s authors to access computers running the DDoS software. According to researchers:
“The backdoor is a very small Trojan and its sole purpose is to download, extract and execute another .NET assembly from within a bitmap image. It also downloads a secondary ‘guard’ component which it installs as a service. This ‘guard’ component ensures that if the backdoor is deleted then it will be re-downloaded and also installed as a service.”
The bitmap image downloaded by the backdoor, using steganography to hide code, contains the embedded .NET assembly. “The first pixel’s ARGB value indicates the size of the payload, and the rest of the image contains the payload itself,” Forcepoint said.
Hackers are also rewarded with a “Trojanized Adfly click fraud bot that includes code snippets for generating revenue via the Adfly,” Forcepoint said. Adfly is a legitimate web page redirection service that shows interstitial ads and allows people to generate revenue via clicks. Forcepoint said that the “click fraud” bots are specially crafted to be used to generate revenue on pay-to-click sites such as Ojooo, PTCFarm and Neobux.
Researchers said it is unclear how hackers leverage the malicous Adfly version to make money, if at all. Leonard said there are strong indicators that the hacked version of the Adlfy component does not work. However, according to Forcepoint, the Adfly also contains the same backdoor as the DDoS tool Sledgehammer.
Leonard believes the authors behind the platform go by the handle “Mehmet.” He said two YouTube channels tied to a user named Mehmet contain Sledgehammer tutorials and information on the Root Developer hacker forum.
“Surface Defense creates a very unique hacker community we have never seen before. This system has been very cleverly designed to appeal to participants with multiple motivations. But ultimately the participants can be backdoored themselves and become a victim to attack,” Leonard said.