Threat Watch


New Activity From Momentum Botnet

Researchers have discovered new activity from the Momentum botnet, including not only the spread of the botnet but also DDoS activity from affected devices. Momentum targets IoT devices running Linux operating systems, which are known to be susceptible to attacks involving botnets, ransomware, and crypto-miners. One of the botnet's main purposes is to open backdoors and accept commands from command and control (C2) servers for DDoS attacks. Momentum has been seen distributing Mirai, Kaiten, and Bashlite backdoors, although in this specific wave only Mirai has been distributed. After infecting a targeted device, Momentum achieves persistence by modifying the “rc” files, then joins the C2 server and connects to an internet relay chat (IRC) channel called #HellRoom, where infected devices receive commands from the botnet operators.


Properly configuring security settings on connected devices, especially securing routers with unique passwords, is an important step in defending IoT devices from exploitation. Unfortunately, some connected devices are very limited in their security settings, favoring operation and connectivity over security. Monitoring for unknown or unusual IRC traffic on the network can be a valuable detection strategy for identifying potential Momentum infections. More details on this can be found at
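
The IRC monitoring described above, sketched as an added example that is not part of the original write-up: it flags IRC client commands on any port and treats a JOIN to #HellRoom as high severity. The record format, the addresses and the allowlisted server are constructed assumptions.

```python
import re

# IRC client commands; USER/PASS are left out because FTP uses them too.
IRC_CMD = re.compile(r"^(NICK|JOIN|PRIVMSG)\s+(\S+)", re.IGNORECASE)
WATCHED_CHANNELS = {"#hellroom"}        # channel named in the write-up
KNOWN_IRC_SERVERS = {"198.51.100.10"}   # assumption: a sanctioned IRC server

# Constructed records: "timestamp src dst dport first-payload-line"
SAMPLE = [
    "2020-01-01T00:00:01Z 192.0.2.21 203.0.113.5 6667 NICK cam01",
    "2020-01-01T00:00:02Z 192.0.2.21 203.0.113.5 6667 JOIN #HellRoom",
    "2020-01-01T00:00:03Z 192.0.2.30 198.51.100.10 6667 JOIN #helpdesk",
    "2020-01-01T00:00:04Z 192.0.2.40 203.0.113.9 21 USER anonymous",
    "2020-01-01T00:00:05Z 192.0.2.50 203.0.113.7 8080 PRIVMSG #ops :hello",
    "2020-01-01T00:00:06Z 192.0.2.60 203.0.113.8 80 GET / HTTP/1.1",
]

def parse_record(line):
    """Split one constructed record into its fields."""
    ts, src, dst, dport, payload = line.split(" ", 4)
    return {"ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "payload": payload}

def detect_irc(lines):
    """Return (src, dst, dport, severity, reason) for suspicious IRC commands."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        m = IRC_CMD.match(rec["payload"])
        if not m:
            continue  # not an IRC command (HTTP, FTP login, ...)
        cmd, arg = m.group(1).upper(), m.group(2)
        # JOIN may carry several comma-separated channels
        channels = {c.lower() for c in arg.split(",")} if cmd == "JOIN" else set()
        if channels & WATCHED_CHANNELS:
            sev, reason = "high", f"JOIN to watched channel {arg}"
        elif rec["dst"] not in KNOWN_IRC_SERVERS:
            sev, reason = "medium", f"{cmd} to unlisted IRC server"
        else:
            continue  # IRC to the sanctioned server
        alerts.append((rec["src"], rec["dst"], rec["dport"], sev, reason))
    return alerts

if __name__ == "__main__":
    for alert in detect_irc(SAMPLE):
        print(alert)
```

Matching on the command text rather than on port 6667 is what catches the record on port 8080; the FTP login and the HTTP request produce no alert.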
