A new botnet malware called BotenaGo has been discovered in the wild. The malware has the capability to exploit millions of susceptible IoT (Internet of Things) products and routers.
Discovered by AT&T labs, BotenaGo is designed using the Go programming language, which has been gaining popularity of late. Threat actors are using it for making payloads that are harder to detect and reverse engineer.
According to Bleeping Computer, BotenaGo is flagged by only six out of the 62 antivirus engines on VirusTotal, with some falsely identifying it as the Mirai botnet.
The botnet incorporates 33 exploits for a variety of routers, modems, and NAS devices, with some notable examples given below:
- CVE-2015-2051, CVE-2020-9377, CVE-2016-11021: D-Link routers
- CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-6334: Netgear devices
- CVE-2019-19824: Realtek SDK based routers
- CVE-2017-18368, CVE-2020-9054: Zyxel routers and NAS devices
- CVE-2020-10987: Tenda products
- CVE-2014-2321: ZTE modems
- CVE-2020-8958: Guangzhou 1GE ONU
“To deliver its exploit, the malware first queries the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions,” reads the blog post published by AT&T.
“The string “Server: Boa/0.93.15” is mapped to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958).”
The new botnet targets millions of devices with functions that exploit the above flaws, for example querying Shodan for the string Boa, which is a discontinued open-source web server used in embedded applications, and one that still returns nearly two million internet-facing devices on Shodan.
Once installed, the malware will listen on the ports 31412 and 19412, the latter is used to receive the victim IP. Once a connection with information to that port is received, the bot will exploit each vulnerability on that IP address to gain access.
Furthermore, the security researchers didn't discover an active C2 communication between BotenaGo and an actor-controlled server, these are possible scenarios hypothesized by the experts:
1. The malware is part of a multi-stage modular malware attack, and it's not the one responsible for handling communications.
2. BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets.
3. The malware is still under development and was released in the wild accidentally.
