Wielding the Sledgehammer DDoS tool, wannabe attackers can volunteer their machines as bots, earning rewards for the amount of time they spend sending out malicious traffic to targeted websites.
Wielding the Sledgehammer DDoS tool, wannabe attackers can volunteer their machines as bots, earning rewards for the amount of time they spend sending out malicious traffic to targeted websites.

Like a malevolent customer loyalty program, a Turkish cybercriminal operation is recruiting volunteers to participate in distributed denial of service (DDoS) campaigns by offering them rewards in exchange for their network bandwidth.

The operation, translated into English as Surface Defense, uses incentives and gamification techniques to assemble a willing army of coordinated DDoS attackers, rather than relying on automated botnets composed of thousands of infected Internet-enabled devices. Researchers at computer security software company Forcepoint discovered the operation as well as the DDoS tool behind it, dubbed Sledgehammer (or Balyoz in Turkish).

“This is something brand new that we have never seen before, certainly to the extent of a gamified hacking platform where participants compete against one another and can compare scores, and redeem points that they earn for rewards,” Nicholas Griffin, Forcepoint senior security researcher, said in an email interview with SC Media.

According to a blog post and research report issued by Forcepoint on Wednesday, Sledgehammer's domestic and international targets are largely Kurdish in nature and typically espouse political viewpoints that run counter to Turkey's current government. Among the 24 targeted entities listed on Surface Defense's official online platform are the Kurdistan Working Party, the People's Democratic Party of Turkey, Kurdish left-wing organizations, Kurdish news and media organizations, the Christian Democratic Union of Germany (CDU), the Armenian National Institute's Armenian Genocide archives and the Other Israel Film Festival.

Forcepoint is unable to determine just how large the Sledgehammer army has grown since it formed in early 2016, but “we believe it was large enough to take down several of the websites that were attacked,” said Griffin.

“Having a volunteer army of bots is a great way to obfuscate the true source of the attack and make attribution more difficult,” said Gary Sockrider, principal security technologist at DDoS and advanced threat protection firm Arbor Networks, in an email interview with SC Media. “Compromised devices in a botnet that belong to innocent, unaware victims do not typically impart any culpability or malice to said owners. Willing participants are another matter and potentially create far more work for law enforcement.”

Attackers or “gamers” receive one point for every 10 minutes they spend bombarding a targeted website with malicious traffic. Eventually, gamers can swap these points for rewards, such as a click-fraud bot program that allows them to illicitly generate revenues from pay-to-click sites. Gamers can also win a scareware program called Nightware that pranks victims with starting images and noises, as well as a standalone version of the Sledgehammer tool, which enables gamers to attack any site of their choosing, in addition to those on Surface Defense's pre-approved list.

The site hosting the Surface Defense platform, which runs anonymously via Tor (thus protecting the operation's leader and recruits), even features a scoreboard where volunteers can see how their scores rank against other users. This competitive element draws in potential attackers, even if they don't necessarily believe in the political ideologies behind the DDoS campaign.

“Gamification is a tactic which can boost engagement by luring participants into an otherwise uninteresting activity,” said Travis Smith, senior security research engineer at security and compliance solution provider Tripwire, in comments emailed to SC Media. “With the rise of cybercrimes offered as a service, it's not surprising to see gamification be included to entice folks to launch their attacks. While a criminal can generate revenue from being hired to launch an attack, there are costs associated with actually launching the attack. Using gamification to lure individuals to launch attacks can reduce the cost of the attack and increase potential profits.”

Surface Defense offers two versions of the Sledgehammer tool, one with a graphic user interface and one that's a fully configurable command-line version. “Both versions use the same DoS… techniques, which leverage application logic to starve targets of compute resource,” the Forcepoint report explains. Both also require participants to officially register with a command-and-control server, which ensures that the recruit is not using more than one machine per account in order to cheat. (The tool also won't run on virtual machines for the same reason.)

The full command-line version of the tool can also attack multiple websites at once, as well as check to verify if an attacked website has been knocked offline, among other features.

What Sledgehammer recruits don't realize, however, is that there's a game within a game: According to Forcepoint, the mastermind behind the DDoS campaign secretly embedded a backdoor in Sledgehammer, hiding it inside a bitmap image using steganography techniques. The backdoor is downloaded in the event a recruit is banned from the DDoS operation, for whatever reason, and allows the mastermind to potentially double-cross gamers.

“We can speculate that users who are banned from the platform may have attempted to either cheat to earn points more quickly, or subvert the ideology of the platform, such as by suggesting inappropriate sites to be added to the list of DDoS targets,” Griffin told SC Media. Griffin said the author could potentially use the backdoor to install malware for financial gain, or to even prank users with the Nightmare scareware.

Through its own forensic research, Forcepoint researchers determined that the IP behind the main Surface Defense Tor site is based in the Turkish city of Eskisehir. They were also able to link Sledgehammer's author/distributor to the handle Mehmet, a username found on two YouTube channels that demonstrate the DDoS tool.

Forcepoint further reported that the DDoS mastermind demonstrates specific knowledge of signals intelligence pertaining to mobile phones, prompting the theory that the individual may work for a Turkish defense contractor that deals in signals intelligence systems.

Forcepoint discovered Sledgehammer in the first place after conducting a search for recently tested viruses on the VirusTotal antivirus aggregator website. Researchers were able to link the tool to a Turkish hacking forum, which led them to the malware author's own Tor-based website that hosts the Surface Defense platform and distributes the Sledgehammer tool.