{
	"id": "bb065ea6-0036-4fb2-8464-d7a778696e28",
	"created_at": "2026-04-06T02:11:09.572448Z",
	"updated_at": "2026-04-10T13:12:25.230112Z",
	"deleted_at": null,
	"sha1_hash": "77d83c87a7b8a0d1c8c7b18a0930dd2b52984245",
	"title": "Momentum Botnet's Newest DDoS Attacks and IoT Exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 628279,
	"plain_text": "Momentum Botnet's Newest DDoS Attacks and IoT Exploits\r\nBy Aliakbar Zahravi\r\nPublished: 2019-12-16 · Archived: 2026-04-06 01:38:08 UTC\r\nWe recently found notable malware activity affecting devices running Linux, a platform that has battled numerous issues just this year. Further analysis of retrieved malware samples revealed that these actions were connected to a botnet called Momentum (named for the image found in its communication channel). We found new details on the tools and techniques the botnet is currently using to compromise devices and perform distributed denial-of-service (DDoS) attacks.\r\nMomentum targets the Linux platform on various CPU architectures such as ARM, MIPS, Intel, Motorola 68020, and more. The main purpose of this malware is to open a backdoor and accept commands to conduct various types of DoS attacks against a given target. The backdoors being distributed by the Momentum botnet are Mirai, Kaiten, and Bashlite variants; the specific sample we analyzed was pushing a Mirai backdoor. Moreover, Momentum spreads by exploiting multiple vulnerabilities in various routers and web services to download and execute shell scripts on the target devices.\r\nHow does Momentum work?\r\nAfter infecting a device, Momentum attempts to achieve persistence by modifying the “rc” files; it then joins the command and control (C\u0026C) server and connects to an internet relay chat (IRC) channel called #HellRoom to register itself and accept commands. The IRC protocol is the main method of communication with the C\u0026C servers. The botnet operators can then control infected systems by sending messages to the IRC channel.\r\nFigure 1. After an infected device joins the attacker's IRC command and control channel\r\nhttps://www.trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html\r\nPage 1 of 7\n\nFigure 2. Command and control communication path (downloader/distributor server, IRC server)\r\nThe distribution server (as seen above) hosts the malware executables. The other server is a C\u0026C server for the botnet. The C\u0026C servers were live as recently as November 18, 2019.\r\nOnce the communication lines are established, Momentum can use various commands to attack using the compromised devices. In particular, Momentum can deploy 36 different methods for DoS, as listed below.\r\nCommand - Description\r\nACK - ACK flooder\r\nADV-TCP - TCP flooding, improved SSYN attack\r\nBLACKNURSE - An ICMP packet flooder\r\nDNS - DNS amplification flooder\r\nECE attacking (Not in use) - Type of SYN flood\r\nESSYN - ExecuteSpoofedSyn flooder\r\nFIN attacking (Not in use) - FIN flood\r\nFRAGACK - ACK fragmentation flood\r\nFRAG-TCP - Spoofed TCP fragmentation flooder\r\nGRE - GRE flood\r\nHOLD (Not in use) - TCP connect flooder (frag)\r\nHTTP - HTTP flooder\r\nHTTPFLOOD - HTTP flooding\r\nJUNK - TCP flooder (frag)\r\nLDAP - LDAP amplification flooder\r\nMEMCACHE - MEMCACHE amplification flooder\r\nNSACK - Type of ACK flood\r\nNSSYN - Type of SYN flooder\r\nOVH - Type of UDP flooding (DOMINATE)\r\nPHATWONK - Multiple attacks in one, e.g. xmas, all flags set at once, usyn (urg syn), and any TCP flag combination\r\nRTCP - A random TCP flooder with fragmented packet header\r\nSACK - Type of TCP flood\r\nSEW Attack - Type of SYN flood\r\nSSYN2 - Type of SYN flood\r\nSTUDP - STD flooder\r\nSTUDP - STD flooder\r\nSYN - SYN flooder\r\nSYNACK - SYN-ACK flood\r\nTCPNULL - TCP-Nulled flooding, flood with TCP packets with no flag set\r\nUDP - UDP flood\r\nUDP-BYPASS - A UDP flooder (vulnMix)\r\nUNKNOWN - UDP flooder\r\nURG attacking -\r\nVOLT-UDP - Spoofed UDP flooder, can bypass most firewalls\r\nVSE - Valve Source Engine amplification\r\nXMAS - TCP Xmas flood\r\nTable 1. Various DoS methods that Momentum is capable of\r\nThe malware uses known reflection and amplification methods that have a variety of targets: MEMCACHE, LDAP, DNS, and Valve Source Engine. In these types of attack, the malware typically spoofs the source IP address (the victim's) in requests to various services running on publicly accessible servers, provoking a flood of responses that overwhelm the victim's address.\r\nApart from DoS attacks, we found that Momentum is also capable of other actions: opening a proxy on a port on a specified IP, changing the nick of the client, disabling or enabling packeting from the client, and more. In the section below we run through the specific attack capabilities of Momentum:\r\nMomentum's denial-of-service attacks\r\nLDAP DDoS reflection\r\nIn an LDAP DDoS reflection attack, the malware spoofs the source IP address of a target system in requests to publicly accessible LDAP servers, which causes them to send a larger response to the target.\r\nMemcache attack\r\nIn a Memcache attack, a remote attacker constructs and sends a malicious UDP request using a spoofed source IP address of a target system to a vulnerable UDP memcached server. The memcached server then sends a significantly larger response to the target. Momentum uses an HTTP GET request to download a reflection file; the malware uses the same request for the same purpose in other amplified DoS attacks as well.\r\nBased on initial data from Shodan, there are over 42,000 vulnerable memcached servers that can be affected by this type of attack.\r\nThe Momentum botnet uses the following HTTP GET request to download the reflection file:\r\nGET / HTTP/1.1\r\nUser-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)\r\nHost: \u003cHOST_Address\u003e:80\r\nAccept: */*\r\nConnection: Keep-Alive\r\nUDP-BYPASS attack\r\nIn a UDP-BYPASS attack, Momentum floods the target host by constructing and unloading a legitimate UDP payload on a specific port. Upon execution of this attack the malware chooses a random port and a corresponding payload, then sends it against the targeted host. The malware uses multi-threading for this attack; each thread takes a port followed by its payload. The following is a list of some ports followed by their payloads:\r\nTable 2. Ports and their payloads\r\nMost of the payloads seen above are used for service discovery. If they are sent to the target device over a long period of time, denial of service may be achieved because they crash a service as a side effect of testing.\r\nPhatwonk attacks\r\nPhatwonk attacks perform multiple DoS methods at once: XMAS, all flags at once, usyn (urg syn), and any TCP flag combination.\r\nMomentum's other capabilities\r\nFruitful attacks also depend on capabilities other than outright offense. Malware usually attempts to evade detection, maintain open avenues of communication, and more, in order to sustain a successful campaign.\r\nMomentum has other capabilities that help it spread and compromise devices:\r\nFast flux. The Momentum botnet uses the fast flux technique in order to make its command and control network more resilient. A fast flux network has multiple IP addresses associated with a domain name and constantly changes them in quick succession; this is used by attackers to mislead or evade security investigators.\r\nBackdoor. The attacker can send a command (“BASH”, “SHD” or SH commands) to the IRC channel and malware clients will receive and execute it on an infected system. The result is sent back to the same IRC channel where the attacker issued it.\r\nPropagate. Momentum propagates by trying to exploit the vulnerabilities listed in the table below. The particular C\u0026C server that we have been investigating shows 1,232 victims. For other Momentum variants and C\u0026C servers there may be more.\r\nVulnerability - Exploit Format\r\nCCTV-DVR RCE (several vendors)\r\nZyXEL Router (appears to be an incomplete exploit, similar to this)\r\nHuawei Router\r\nSeveral vendors: Crestron AM, Barco wePresent WiPG, Extron ShareLink, Teq AV IT, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, InFocus LiteShow - Remote Command Injection (similar to CVE-2019-3929 and this)\r\nD-Link HNAP1\r\nRealtek SDK UPnP SOAP Command Execution\r\nGPON80\r\nGPON8080\r\nGPON443\r\nJAWS Webserver unauthenticated shell command execution\r\nVacron NVR RCE\r\nUPnP SOAP Command Execution (similar to this)\r\nTHINK-PHP\r\nHooTooTripMate RCE\r\nTable 3. Vulnerabilities and exploits used in propagation\r\nSecurity recommendations and solutions\r\nSmart and connected devices are prone to compromise because of limited security settings and protection options. The devices themselves are often manufactured with operation in mind, not security. Users should take proactive steps in securing their devices, particularly routers. As mentioned above, the Momentum botnet targets Linux devices, which are known to be susceptible to attacks involving botnets, ransomware, and cryptocurrency miners. However, there are different ways to protect such devices from attacks.\r\nTrend Micro Home Network Security provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro's rich threat research experience and industry-leading deep packet inspection (DPI) technology, Trend Micro Smart Home Network offers intelligent quality of service (iQoS), parental controls, network security, and more.\r\nTrend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect these kinds of attacks even without engine or pattern updates. These solutions are powered by XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro's suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.\r\nIndicators of Compromise\r\nSHA-256 - Detection\r\n3c6d31b289c46b98be7908acd84086653a0774206b3310e0ea4e6779e1ff4124 - Trojan.Linux.MIRAI.SMMR1\r\nSource: https://www.trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html"
	],
	"report_names": [
		"ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441469,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77d83c87a7b8a0d1c8c7b18a0930dd2b52984245.pdf",
		"text": "https://archive.orkl.eu/77d83c87a7b8a0d1c8c7b18a0930dd2b52984245.txt",
		"img": "https://archive.orkl.eu/77d83c87a7b8a0d1c8c7b18a0930dd2b52984245.jpg"
	}
}