# Momentum Botnet's Newest DDoS Attacks and IoT Exploits **[trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html](https://www.trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html)** December 16, 2019 [We recently found notable malware activity affecting devices running Linux, a platform that has battled numerous issues just this year. Further](https://blog.trendmicro.com/trendlabs-security-intelligence/a-quick-and-efficient-method-for-locating-the-main-function-of-linux-elf-malware-variants/) analysis of retrieved malware samples revealed that these actions were connected to a botnet called Momentum (named for the image found in its communication channel). We found new details on the tools and techniques the botnet is currently using to compromise devices and perform distributed denial-of-service (DDoS) attacks. Momentum targets the Linux platform on various CPU architectures such as ARM, MIPS, Intel, Motorola 68020, and more. The main purpose of this malware is to open a backdoor and accept commands to conduct various types of DoS attacks against a given target. The backdoors being distributed by the Momentum botnet are Mirai, Kaiten, and Bashlite variants; the specific sample we analyzed was pushing a Mirai backdoor. Moreover, Momentum spreads via exploiting multiple vulnerabilities on various routers and web services to download and execute shell scripts on the target devices. **How does Momentum work?** After infecting a device, Momentum attempts to achieve persistence by modifying the “rc” files; then it joins the command and control (C&C) server and connects to an internet relay chat (IRC) channel called #HellRoom to register itself and accept commands. The IRC protocol is the main method of communication with the command and control (C&C) servers. The botnet operators can then control infected systems by sending messages to the IRC channel. ----- gu e te a ected de ce jo s t e attac e s C co a d a d co t o c a e Figure 2. Command and control communication path (downloader/distributer server, IRC server) The distribution server (as seen above) hosts the malware executables. The other server is a C&C server for the botnet. The C&C servers were live as recently as November 18 2019. Once the communication lines are established, Momentum can use various commands to attack using the compromised devices. In particular, Momentum can deploy 36 different methods for DoS, as listed below. **Command** **Description** ACK ACK flooder ADV-TCP TCP flooding - Improved SSYN Attack BLACKNURSE An ICMP packet flooder DNS DNS amplification flooder ECE attacking (Not in use) Type of SYN flood ESSYN ExecuteSpoofedSyn Flooder FIN attacking (Not in use) FIN flood FRAGACK ACK Fragmentation Flood FRAG-TCP Spoofed TCP Fragmentation Flooder GRE GRE flood HOLD (Not in use) TCP connect flooder(frag) HTTP HTTP Flooder HTTPFLOOD HTTP flooding ----- JUNK TCP flooder (frag) LDAP LDAP amplification flooder MEMCACHE MEMCACHE amplification flooder NSACK Type of ACK flood NSSYN Type of SYN flooder OVH Type of UDP flooding (DOMINATE) PHATWONK Multiple attacks in one e.g. xmas, all flags set at once, usyn (urg syn), and any TCP flag combination. RTCP A Random TCP Flooder Fragmented packet header SACK Type of TCP flood SEW Attack Type of SYN flood SSYN2 Type of SYN flood STUDP STD Flooder STUDP STD Flooder SYN SYN flooder SYNACK SYN-ACK flood TCPNULL TCP-Nulled flooding - Flood with TCP packets with no flag set UDP UDP flood UDP-BYPASS A udp flooder (vulnMix) UNKNOWN UDP Flooder URG attacking VOLT-UDP Spoofed UDP Flooder, Can Bypass most firewall VSE Valve Source Engine Amplification XMAS TCP Xmas flood Table 1. Various DoS methods that Momentum is capable of The malware uses known reflection and amplifications methods that have a variety of targets: MEMCACHE, LDAP, DNS and Valve Source Engine. In these types of attack, the malware typically spoofs source IP addresses (the victims) to various services run on publicly accessible servers, provoking a flood of responses to overwhelm the victim’s address. Apart from DoS attacks, we found that Momentum is also capable of other actions: opening a proxy on a port on a specified IP, changing the nick of the client, disabling or enabling packeting from the client, and more. In the section below we will run through the specific attack capabilities of Momentum: **Momentum’s denial-of-service attacks** _LDAP DDoS reflection_ In a LDAP DDoS reflection, the malware spoofed the source IP address of a target system to publicly accessible LDAP servers which causes it to send a larger response to the target. _Memcache attack I_ In a Memcache attack, a remote attacker constructs and sends a malicious UDP request using a spoofed source IP address of a target system to a vulnerable UDP memcached server. The memcached server then sends a significantly large response to the target. Momentum uses an HTTP GET request to download a reflection file—the malware uses the same request for the same purpose in other amplified DoS attacks as well. Based on initial data from Shodan, there are over 42,000 vulnerable memcached servers that can be affected by this type of attack. The Momentum botnet uses the following HTTP GET request to download reflection file: GET / HTTP/1.1 ----- Use ge t o a/ 5 [e ] ( ; U; u 6 3 686) Host: :80 Accept: */* Connection: Keep-Alive _UDP-BYPASS attack_ In a UDP-BYPASS attack, Momentum floods the target host by constructing and unloading a legitimate UDP payload on a specific port. Upon execution of this attack the malware chooses a random port and a corresponding payload, then sends it against the targeted host. The malware uses multi-threading for this attack; each thread takes a port followed by its payload. The following is list of some ports followed by their payload: **Port** **Payload** 500 \x00\x11\x22\x33\x44\x55\x66\x77\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\xA4\ 1434 \x02 5353 \x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09_services\x07_dns-sd\x04_udp\x05local\x00\x00\x0C\x00\x01 8767 xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x002x\xba\x85\tTeamSpeak\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 9987 \x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\ 1604 \x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 1900 \x4d\x2d\x53\x45\x41\x52\x43\x48\x20\x2a\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0D\x0A\x48\x6f\x73\x74\x3a\x32\x33\x39\x2e\x32\x35\x 623 \x06\x00\xff\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x20\x18\xc8\x81\x00\x38\x8e\x04\xb5 626 SNQUERY: 127.0.0.1:AAAAAA:xsvr 1194 8d\xc1x\x01\xb8\x9b\xcb\x8f\0\0\0\0\0 520 \x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 177 \x00\x01\x00\x02\x00\x01\x00 389 \x30\x84\x00\x00\x00\x2d\x02\x01\x07\x63\x84\x00\x00\x00\x24\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x64\x01\x01\x00\x 161 \x30\x3A\x02\x01\x03\x30\x0F\x02\x02\x4A\x69\x02\x03\x00\xFF\xE3\x04\x01\x04\x02\x01\x03\x04\x10\x30\x0E\x04\x00\x02\x01\x00\x02 53 %getPayload%getPayload\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03\x77\x77\x77\x06\x67\x6f\x6f\x67\x6c\x65\x03\x63\x6f\x6d\x00\x 7 \x0D\x0A\x0D\x0A 111 \x72\xFE\x1D\x13\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xA0\x00\x01\x97\x7C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 Table 2. Ports and their payloads Most of the scripts seen above are used for service discovery. If they are sent to the target device over a long period of time, denial-of-service may be achieved because they crash a service as a side effect of testing. _Phatwonk attacks_ Phatwonk attacks perform multiple DoS methods at once: XMAS, all flags at once, usyn (urg syn), and any TCP flag combination. **Momentum’s other capabilities** Fruitful attacks are also dependent on other capabilities than outright offense. Usually malware attempt to evade detection, maintain open avenues of communication, and more for a sustained successful campaign. Momentum has other capabilities that help it spread and compromise devices: ----- _ast u_ e o e tu bot et uses t e ast u tec que o de to a e ts co a d a d co t o et o o e es e t ast u network means having multiple IP addresses associated with a domain name and then constantly changing them in quick succession— this is used by attackers to mislead or evade security investigators. _Backdoor. The attacker can send a command (“BASH”, “SHD” or SH commands) to the IRC channel and malware clients will receive and_ execute it on an infected system. The result will be sent back to the same IRC channel where the attacker executed it. _Propagate. Momentum propagates by trying to exploit the vulnerabilities listed in the table below. The particular C&C server that we have_ been investigating has 1,232 victims shown. For other Momentum variants and C&C servers there may be more. **Vulnerability** **Exploit Format** [CCTV-DVR RCE](https://www.exploit-db.com/exploits/39596) [Several vendors](https://www.exploit-db.com/exploits/39596) [ZyXEL Router (appears to be incomplete exploit, similar to this)](https://seclists.org/fulldisclosure/2017/Jan/40) [Huawei Router](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215) Several vendors: Crestron AM, Barco wePresent WiPG, Extron ShareLink, Teq AV IT, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, InFocus LiteShow Remote [Command Injection (Similar to CVE 2019-3929 and this)](https://www.exploit-db.com/exploits/46786) [D-Link HNAP1](https://dl.packetstormsecurity.net/papers/attack/dlink_hnap_captcha.pdf) ----- [Realtek SDK UPnP SOAP Command Execution](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361) [GPON80](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10562) [GPON8080](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10562) [GPON443](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10562) [JAWS Webserver unauthenticated shell command execution](https://www.exploit-db.com/exploits/41471) [Vacron NVR RCE](https://vulners.com/openvas/OPENVAS:1361412562310107187) [UPnP SOAP Command Execution (similar to this)](https://www.exploit-db.com/exploits/40740) ----- [THINK-PHP](https://www.exploit-db.com/exploits/46150) [HooTooTripMate RCE](https://www.exploit-db.com/exploits/46143) Table 3. Vulnerabilities and exploits used in propagation **Security recommendations and solutions** Smart and connected devices are prone compromise because of limited security settings and protection options. The devices themselves are [often manufactured with operation in mind, not security. Users should take proactive steps in securing their devices, particularly](https://www.trendmicro.com/vinfo/hk-en/security/news/internet-of-things/the-first-steps-in-effective-iot-device-security) [routers. As](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/home-router) [mentioned above, the Momentum botnet targets Linux devices which are known to be susceptible to attacks involving botnets,](https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-infiltrates-containers-via-exposed-docker-apis/) [ransomware](https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/) [and cryptocurrency miners. However, there are different](https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth?_ga=2.76607573.1739751013.1575426438-61030443.1557222425) [ways to protect such devices from attacks.](https://blog.trendmicro.com/trendlabs-security-intelligence/a-quick-and-efficient-method-for-locating-the-main-function-of-linux-elf-malware-variants/) [Trend Micro Home Network Security provides an embedded network security solution that protects all devices connected to a home network](https://www.trendmicro.com/en_us/forHome/products/homenetworksecurity.html) against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, Trend Micro Smart Home Network offers intelligent quality of service (iQoS), parental controls, network security, and more. [Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and similar threats](https://www.trendmicro.com/en_us/business/products/network/advanced-threat-protection/inspector.html) [through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect these kinds](https://blog.trendmicro.com/trendlabs-security-intelligence/deploying-a-smart-sandbox-for-unknown-threats-and-zero-day-attacks/) [of attacks even without engine or pattern updates. These solutions are powered by XGen™ security, which provides a cross-generational](https://www.trendmicro.com/en_us/business/products/all-solutions.html) [blend of threat defense techniques against a full range of threats for data centers,](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/security-data-center-virtualization.html) [cloud environments,](https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html) [networks, and](https://www.trendmicro.com/en_us/business/products/network.html) [endpoints. Smart,](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense. **Indicator of Compromise** **SHA-256** **Detection** 3c6d31b289c46b98be7908acd84086653a0774206b3310e0ea4e6779e1ff4124 Trojan.Linux.MIRAI.SMMR1 -----