A Turkish cyberattack group is luring individuals to join a DDoS platform to compete for points through games which can be redeemed for hacking tools.
The platform, dubbed Surface Defense, asks hackers to attack political websites using a distributed denial-of-service (DDoS) tool called Balyoz, translated as Sledgehammer.
In order to participate, users recruited from hacking forums must download the Surface Defense collaboration software and register. The platform program then runs locally on a PC, prompting the download of the DDoS attack tool to assault the limited list of target websites.
Traffic is then routed through Tor to disrupt online services.
For every ten minutes spent hammering these websites with fraudulent traffic, participants receive one point which can be traded for tools including a standalone version of Sledgehammer for conducting their own DDoS attacks and “click-fraud” bots used to generate revenue through pay-to-click schemes.
In order to encourage healthy competition, the platform also runs a live scoreboard. Some users have already racked up hundreds of points.
According to Forcepoint Security Labs (.PDF) which discovered the scheme in Turkish Dark Web hacking forums Turkhackteam and Root Developer, a total of 24 websites are on the current list of targets.
Kurdish media, a website owned by the Armenian National Institute, the German Christian Democratic Party website, and Israeli domains are all included.
However, it is not a free-for-all for Surface Defense participants.
Each user has to communicate with the Surface Defense command-and-control (C&C) center to authenticate themselves and the program will not run in virtual machines — preventing hackers from running the platform on multiple systems at the same time to rack up additional points.
The platform software also includes a hidden backdoor which allows the Surface Defense operator to “hack the hackers” in turn, which raises questions concerning the operator’s true motives.
“The backdoor is a very small Trojan and its sole purpose is to download, extract and execute another .NET assembly from within a bitmap image,” the researchers say. “It also downloads a secondary ‘guard’ component which it installs as a service. This ‘guard’ component ensures that if the backdoor is deleted then it will be re-downloaded and also installed as a service.”
The researchers believe that the operator may act under the handle “Mehmet” and runs two YouTube channels which advertise the Sledgehammer DDoS tool.
Carl Leonard, principal security analyst at Forcepoint told Threat Post:
“Surface Defense creates a very unique hacker community we have never seen before. This system has been very cleverly designed to appeal to participants with multiple motivations.
But ultimately the participants can be backdoored themselves and become a victim to attack.”