Friday, May 24, 2024

Momentum Botnet Attacks Linux Devices and Recruit them as Botnet to Launch DDoS Attacks Using 36 Different Methods

Security researchers from Trend Micro observed a new malware activity targeting devices running the Linux platform, the malware samples found to be connected with Momentum Botnet.

The malware campaign targets to install a backdoor on the Linux platform that accepts commands from attackers server to conduct various types of DoS attacks against a given target.

Momentum Botnet Attack Campaign

The Momentum botnet targets the Linux platform running on various CPU architectures such as ARM, MIPS, Intel, Motorola 68020, and more. Mirai, Kaiten, and Bashlite are the backdoor variants distributed by the Momentum botnet.

The botnet exploits various vulnerabilities on the targeted router devices and web services to deploy and execute PowerShell scripts.

Momentum Botnet
Botnet servers

Once the botnet infects the device it modified run commands config file “rc” and adds them to command and control (C&C) server through internet relay chat (IRC) channel.

Then the infected device gets connected with the distribution server, it uses various commands to launch 36 different methods using the compromised devices.

ACKACK flooder
ADV-TCPTCP flooding – Improved SSYN Attack
BLACKNURSEAn ICMP packet flooder
DNSDNS amplification flooder
ECE attacking (Not in use)Type of SYN flood
ESSYNExecuteSpoofedSyn Flooder
FIN attacking (Not in use)FIN flood
FRAGACKACK Fragmentation Flood
FRAG-TCPSpoofed TCP Fragmentation Flooder
GREGRE flood
HOLD (Not in use)TCP connect flooder(frag)
JUNKTCP flooder (frag)
LDAPLDAP amplification flooder
MEMCACHEMEMCACHE amplification flooder
NSACKType of ACK flood
NSSYNType of SYN flooder
OVHType of UDP flooding (DOMINATE)
PHATWONKMultiple attacks in one e.g. xmas, all flags set at once, usyn (urg syn), and any TCP flag combination.
RTCPA Random TCP Flooder Fragmented packet header
SACKType of TCP flood
SEW AttackType of SYN flood
SSYN2Type of SYN flood
SYNSYN flooder
TCPNULLTCP-Nulled flooding – Flood with TCP packets with no flag set
UDPUDP flood
UDP-BYPASSA udp flooder (vulnMix)
URG attacking
VOLT-UDPSpoofed UDP Flooder, Can Bypass most firewall
VSEValve Source Engine Amplification
XMASTCP Xmas flood

Researchers observed that with MEMCACHE, LDAP, DNS, and Valve Source Engine, the malware attack typically spoofs the source IP address to publicly accessible servers.

The botnet is also capable of “opening a proxy on a port on a specified IP, changing the nick of the client, disabling or enabling packeting from the client, and more.”

With LDAP DDoS reflection, Memcache attack the botnet spoofs the source IP address and with UDP-BYPASS attack targets the host by constructing and unloading a legitimate UDP payload on a specific port.

The Momentum botnet includes other capabilities such as Fast flux, Backdoor and Propagate to spread and compromise devices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles