Friday, February 21, 2025

MegaMedusa, Highly Scalable Web DDoS Attack Tool Used By Hacker Groups


RipperSec, a pro-Palestinian, pro-Muslim Malaysian hacktivist group, has grown rapidly since it first appeared on Telegram in June 2023.

Drawing on a community of more than 2,000 members, the group conducts cyberattacks including data breaches, defacements, and DDoS attacks. Its primary tool is MegaMedusa, a publicly accessible, easily deployable DDoS tool that employs 10 randomization techniques to evade detection.

While it lacks advanced CAPTCHA-solving capabilities, MegaMedusa’s simplicity, combined with RipperSec’s large and motivated community, poses a significant cyber threat.

RipperSec Telegram profile

RipperSec, a cyber threat actor, claimed responsibility for 196 DDoS attacks between January and August 2024, primarily targeting Israel, India, the US, the UK, and Thailand.


Government and educational websites were the primary targets, followed by business, society, and the financial sector.

The group leverages MegaMedusa, a publicly available Node.js-based DDoS tool, to execute attacks. 

MegaMedusa’s obfuscated JavaScript code, when deobfuscated, reveals a command-line tool capable of handling numerous concurrent network connections efficiently, making it a potent weapon in the DDoS arsenal. 

MegaMedusa Layer 7 DDoS attack tool

It is a readily accessible command-line DDoS tool that runs on the Node.js runtime for rapid deployment and execution. It obfuscates attack traffic through extensive randomization, including header manipulation, URL modification, and IP spoofing.

By randomizing user agents, request paths, methods, cookies, and IP addresses, MegaMedusa effectively evades detection by WAFs and other security measures while also distributing attack traffic via open proxies. 
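Because the tool rotates user agents, paths, methods and cookies per request, signature-based WAF rules have nothing stable to match; what a defender can look for instead is the behaviour that only a randomizing flood produces. The block below is an added example and not code from the article or from the tool: it parses constructed combined-format access log lines (sample values only) and flags a source whose requests within a short window carry an implausible number of distinct user agents or paths, since a real browser keeps one user agent per session while a header-randomizing bot changes it on every request.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in combined log format; not real traffic.
# First five lines mimic a randomizing flood, last two a normal browser.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2025:10:00:00 +0000] "GET /?a=x1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
203.0.113.7 - - [21/Feb/2025:10:00:00 +0000] "POST /?b=q9 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/118"
203.0.113.7 - - [21/Feb/2025:10:00:01 +0000] "HEAD /?c=7z HTTP/1.1" 200 0 "-" "curl/8.4.0"
203.0.113.7 - - [21/Feb/2025:10:00:01 +0000] "GET /?d=m3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/17"
203.0.113.7 - - [21/Feb/2025:10:00:02 +0000] "GET /?e=k2 HTTP/1.1" 200 512 "-" "Opera/9.80"
198.51.100.5 - - [21/Feb/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
198.51.100.5 - - [21/Feb/2025:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 256 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"')

def parse(line):
    """Return ip, timestamp, method, path and user agent from one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, ua = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "ua": ua}

def flag_randomized_floods(lines, window_s=10, min_requests=5, max_distinct_ratio=0.6):
    """Flag source IPs whose requests in a sliding window look randomized:
    too many distinct user agents, or too many distinct paths combined with
    mixed HTTP methods. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most window_s seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            uas, paths = {r["ua"] for r in win}, {r["path"] for r in win}
            methods = sorted({r["method"] for r in win})
            if len(uas) / len(win) >= max_distinct_ratio or (
                    len(paths) / len(win) >= max_distinct_ratio and len(methods) > 1):
                flagged[ip] = {"requests": len(win), "distinct_ua": len(uas),
                               "distinct_paths": len(paths), "methods": methods}
                break
    return flagged
```

When the flood arrives through many open proxies each proxy IP carries fewer requests, so the same ratio check should also be keyed on other dimensions (per target path, or site-wide) rather than on source IP alone.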

MegaMedusa installation instructions

Despite the author’s coding proficiency, MegaMedusa supports only open proxies and lacks authentication support for commercial and private proxies.

The tool provides basic proxy scraping and rudimentary CAPTCHA evasion that relies on random HTTP headers to slip past challenges, an approach that is ineffective against modern security measures and falls well short of advanced CAPTCHA bypassing.

It lacks CAPTCHA-solving capabilities and fails to find origin server IP addresses, limiting its ability to bypass sophisticated protections.

While this version utilizes proxies for request obfuscation and evasion, RipperSec members likely possess more sophisticated custom tools, as evidenced by internal screenshots. 

https-proxy-agent module example

MegaMedusa implements proxy support natively, eschewing third-party libraries for greater control over connections, which indicates a higher level of technical proficiency within the group and suggests that the publicly available tool may represent a simplified version of their capabilities.

HTTP protocol advancements such as pipelining and multiplexing, designed to improve performance, have inadvertently empowered attackers by allowing efficient, high-volume requests, while vulnerabilities such as HTTP/2 Rapid Reset and HTTP/2 Continuation amplify their impact.

Open and commercial proxies, often running on compromised residential infrastructure, further obfuscate attacks and evade detection; together these factors contribute to the increasing sophistication and effectiveness of DDoS attacks.

Advanced DDoS attackers’ cloud infrastructure

According to Radware, advanced DDoS attackers employ a hybrid infrastructure combining botnets for distributed attacks and cloud-based resources for scalability and evasion. 

Botnets, often built from compromised IoT devices, facilitate attacks such as DNS water torture and PRSD (pseudo-random subdomain) attacks that exploit trust relationships.

Cloud-based infrastructure, including bulletproof hosting, provides anonymity and operational efficiency. 

Attackers obfuscate attack origins using IP spoofing, proxies, and Tor while transitioning from IoT botnets to cloud-based platforms for better management and resilience.


Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.