The new BotenaGo malware botnet was identified targeting millions of IoT devices using exploits for more than thirty vulnerabilities.
BotenaGo is written in Golang (Go), a programming language that has grown in popularity, including among malware authors, who use it to build payloads that are harder to detect and to reverse engineer.
In the case of BotenaGo, only six of the 62 AV engines on VirusTotal flag the samples as malicious, and several of those label it as Mirai.
Millions Of Devices Targeted
BotenaGo carries exploits for 33 vulnerabilities in various routers, modems and NAS devices, some of which are listed below:
- CVE-2015-2051, CVE-2016-11021, CVE-2020-9377: D-Link routers
- CVE-2017-6077, CVE-2016-1555, CVE-2017-6334, CVE-2016-6277: Netgear devices
- CVE-2019-19824: Realtek SDK-based routers
- CVE-2020-9054, CVE-2017-18368: Zyxel routers and NAS devices
- CVE-2014-2321: ZTE modems
- CVE-2020-10987: Tenda products
- CVE-2020-8958: Guangzhou 1GE ONU
The AT&T researchers who examined the new botnet found that it targets millions of devices through functions that exploit the vulnerabilities listed above.
As an example, a Shodan search for Boa, a discontinued open-source web server still used in embedded applications, returns roughly two million internet-facing devices.
Another significant case is the exploitation of CVE-2020-10173, a command-injection flaw in Comtrend VR-3033 gateway devices, which is still exploitable on 250,000 of them.
Once installed, the malware listens on two ports (19412 and 31412) for an IP address to be supplied to it. When one arrives, the bot attempts to gain access by trying every exploit it carries against that target IP address.
Once it has gained access, BotenaGo uses remote shell commands to enlist the device into the botnet.
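The listener behaviour described above gives defenders a simple network-side check: an internal host accepting TCP connections on 19412 or 31412 is worth an alert. The following is an added example written for this article, not code from the AT&T report or the malware; it assumes a reduced Zeek-style conn.log with seven tab-separated columns and treats RFC 1918 ranges as internal, and the log lines are constructed.

```python
import ipaddress

# Ports the analysis says the bot listens on for a target IP.
BOTENAGO_LISTEN_PORTS = {19412, 31412}

# Assumption: RFC 1918 space is "internal" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed conn.log excerpt: ts, uid, orig_h, orig_p, resp_h, resp_p, proto
SAMPLE_CONN_LOG = """\
1636540800.1\tC1\t203.0.113.7\t51000\t192.168.1.20\t19412\ttcp
1636540801.2\tC2\t192.168.1.50\t44000\t93.184.216.34\t443\ttcp
1636540802.3\tC3\t198.51.100.9\t40000\t192.168.1.21\t31412\ttcp
1636540803.4\tC4\t192.168.1.20\t19412\t10.0.0.5\t8080\ttcp
"""

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_conn_line(line: str) -> dict:
    """Split one reduced conn.log record into typed fields."""
    ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
    return {"ts": float(ts), "uid": uid, "orig_h": orig_h,
            "orig_p": int(orig_p), "resp_h": resp_h,
            "resp_p": int(resp_p), "proto": proto}

def find_botenago_listener_hits(log_text: str) -> list:
    """Return records where an internal host accepts TCP traffic on a
    BotenaGo listener port. Only the responder (listening) port counts:
    an outbound connection whose *source* port is 19412 (last sample
    line) is not a hit, which keeps ephemeral-port noise out."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if (rec["proto"] == "tcp"
                and rec["resp_p"] in BOTENAGO_LISTEN_PORTS
                and is_internal(rec["resp_h"])):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_botenago_listener_hits(SAMPLE_CONN_LOG):
        print(f"{h['uid']}: {h['orig_h']} -> {h['resp_h']}:{h['resp_p']} "
              "matches a BotenaGo listener port; inspect the host")
```

Port-based matching alone is a weak signal, so treat hits as a trigger to inspect the device for the binary and the indicators published in the analysis rather than as confirmation.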
The malware uses different URLs to fetch a payload matching the targeted system.
However, no payloads were present on the hosting server at the time of the analysis, so none could be collected for examination.
Furthermore, while the researchers could not find any active C2 connection between BotenaGo and an actor-controlled server, they offer three possible explanations for how it operates:
- BotenaGo is only one component (module) in a multi-stage modular malware attack and is not responsible for communications.
- BotenaGo is a new tool used by the Mirai operators against specific devices, a theory supported by the shared payload distribution links.
- The malware is not yet ready for use, and an early-stage development sample was accidentally released into the wild.
In summary, finding BotenaGo in the wild is unusual given its unfinished operational state, but its core capabilities leave little doubt about its authors' intent.
Fortunately, the new botnet was discovered early, and indicators of compromise are already available. Still, as long as there is a plethora of vulnerable internet-facing devices to compromise, threat actors have an incentive to keep BotenaGo in operation.