MedusaHTTP DDoS Slithers Back into the Spotlight
MedusaHTTP is a HTTP-based DDoS botnet written in .NET, that surfaced in early 2017. MedusaHTTP is based off of MedusaIRC which leveraged IRC for its command and control communications instead of HTTP. MedusaIRC botnet has been advertised on various underground hacker marketplaces since 2015, while MedusaHTTP started appearing in 2017.
- The alleged seller of MedusaIRC and MedusaHTTP, Stevenking(s) has advertised this botnet family on hacker marketplaces for many years.
- MedusaHTTP has evolved from an IRC botnet to an HTTP botnet. The HTTP components appear to be reused code from the leaked Diamond Fox DDoS botnet.
- MedusaHTTP was observed being distributed by the Rig Exploit Kit by an independent researcher.
MedusaHTTP was discovered after reading an independent researcher’s blog post describing malware distributed by recent Rig exploit kit campaigns. Screenshots of network traffic from one of the malware payloads within the post, caught our attention:
The blog post initially identified the payload responsible for this traffic as AZORult; however, the commands in this traffic suggest DDoS functionality. AZORult is classified as an information stealing trojan which has the primary objective of capturing passwords, financial and personal information from the victim’s system. Samples of this family and campaign objectives are not known to contain DDoS functionality, so this could suggest a major update to the AZORult malware. ASERT obtained the sample linked in the blog post from VirusTotal, and after analysis we believe this file is not AZORult but rather a new version of the DDoS bot known as Medusa.
Enter Medusa – StevenKings’ DDoS botnet kit since 2015
This isn’t the first time ASERT has encountered the Medusa botnet, we previously analyzed the IRC version of Medusa in 2016. In addition, we found references of Medusa being advertised on underground hacker marketplaces dating back to 2015. Advertisements were posted by a user under the name of StevenKings, a sample image of an advertisement is provided below:
As insinuated above, Stevenkings may not be a native English speaker. We believe he or she may be a native Russian speaker based on the origin of their most active forum. In this 2015 advertisement, Stevenkings is selling the IRC version of Medusa for $500 in bitcoin, a cryptocurrency often leveraged in underground marketplaces. Reading further shows descriptions of future commands that will be added to the bot such as, “.httpstrong” which was the string that sparked our attention from the above researcher’s blog post. The advertisement also links to images of the botnet’s throughput, first showing screenshots to prove DDoS rates of 30k requests-per-second:
And then, a screenshot of it generating 3k requests-per-second with only 3 bots.
Higher requests-per-second per bot allows a botnet controller to use less bots for taking down targets. This would mean the botnet controller could infect less victims while still remaining operationally successful.
Medusa Now in HTTP
Our research shows Stevenkings advertising the HTTP version of the Medusa botnet on underground hacker marketplaces in early 2017. The advertisements for this version included images of the HTTP command and control panel which appears to use the code and images from Diamond Fox, another well-known DDoS botnet.
Multiple versions of Diamond Fox botnet have been leaked over the past few years which would make the code reuse feasible for the Medusa malware author. All other portions of the code, except for the HTTP-based command and control communications, remain very similar to the IRC version of the Medusa botnet.
Command and Control Communication
The latest version of MedusaHTTP uses a HTTP-based command and control (C2) communication method as opposed the IRC communication of its predecessor. The initial connection uses a POST request with a static user agent of Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0 sent to the C2. In the POST request payload, the victim bot will send introspection information using a xyz form item. The format of the introspection information payload follows this format:
an example of this would be:
After the check-in command is sent, the C2 will either respond with a HTTP status code 200 as seen below:
or send back one of the following commands:
- .icmp [host] [threads] [delay] [stoptime]
- .httpseebix [www.website.com] [page.php] [threads] [delay] [stoptime]
- .httpoverload [www.website.com] [page.php] [threads] [delay] [stoptime]
- .httpstrong [www.website.com] [page.php] [threads] [delay] [stoptime]
- .httpactive [www.website.com] [page.php] [threads] [delay] [stoptime]
- .httpssl [www.website.com] [page.php] [threads] [delay] [true/false] [stoptime]
- .proxy [www.website.com] [page.php] [webpagewithproxy] [threads] [delay] [stoptime]
- .httppost [www.website.com] [page.php] [postcontent] [threads] [delay] [stoptime]
- .smartflood [GET] [www.website.com] [page.php] [threads] [delay] [stoptime]
- .smartflood [POST] [www.website.com] [page.php] [postcontent] [threads] [delay] [stoptime]
- .syn [host] [port] [sockets] [threads]
- .udp [host] [port] [sockets] [threads] [packetsize]
- .download [http://website.com/exe.exe] [filename] [true/false]
After which the bot will either wait and check-in again at a later time or act on the specific command received.
Stevenkings claims MedusaHTTP is capable of the following:
- .httpssl is made for TLS and SSL websites. Using the TRUE option on httpssl will grab cookies.
- .icmp is a layer 3 flood.
- .httpseebix is custom HTTP GET flood.
- .httpstrong is a fast HTTP flood method.
- .httpactive is a mix of TCP and layer 7.
- .httpoverload can crash certain servers.
- .httpproxy uses proxy servers to execute a DDoS.
- .httppost is a POST flood.
- .httpsmartflood bypasses all cookie protection unless its captcha.
- .syn TCP flood which bypasses OVH.
- .udp is basic UDP flood.
Observed Command Traffic
ASERT observed and was able to capture DDoS and command traffic from a portion of the purported attack types available to MedusaHTTP.
This command sends GET requests using 1 of 12 user agents randomly chosen from a predefined list, similar to the below example:
This command appears to be similar to .httpseebix however this uses only one hardcoded user agent to perform http GET request.
This command appears to be the same as .httpseebix; Stevenkings claims it has the ability to crash certain servers.
This command is advertised as a mixture of TCP and Layer 7 Flooding that has the ability to take down servers. Below you can see the utilization of multiple GET requests with a TCP packet of “0000000” in between them, illustrating this technique.
This command is purported to bypass cookie protection by StevenKings. The POST version of this command takes an additional parameter ‘Payload’ which, in this example, is ‘hello=hello’.
There is also a GET version of this command which looks similar however does not include the POST data.
This command instructs the bot to download and run executables, which could be a bot update or additional malicious files. The method of downloading the executables is a simple HTTP GET request.
This command instructs the bot to stop all active attacks.
MedusaHTTP has evolved from its prior IRC version. Although there is a new command and control communication mechanism, a large amount of functionality overlap remains. Many of the DDoS traffic examples above are exactly the same profile of traffic generated by MedusaIRC and continue to be mitigated in the same way using situationally appropriate firewall ACLs and other countermeasures available in Arbor products including HTTP Authentication, Zombie Detection, and AIF Malware Family Blocking.
Command and Control Domains: