Researchers at AT&T Alien Labs have discovered a new botnet malware, which uses more than 30 exploits to target routers and IoT devices.
Dubbed “BotenaGo”, the malware is written in Golang (Go) and currently has a low antivirus detection rate: only 6 of 62 AV engines on VirusTotal flag the samples as malicious, with some of them detecting the new malware as Mirai. However, the researchers note, there is a difference between Mirai and BotenaGo: the two malware families are written in different programming languages and have different DDoS functionality.
“The new malware strains Alien Labs has discovered do not have the same attack functions as Mirai malware, and the new strains only look for vulnerable systems to spread their payload. In addition, Mirai uses a “XOR table” to hold its strings and other data, as well as to decrypt them when needed — this is not the case for the new malware using Go. For this reason, Alien Labs believes this threat is new, and we have named it BotenaGo,” the researchers explained in their report.
The BotenaGo malware incorporates 33 exploits for a variety of routers, modems, and NAS devices, such as CVE-2020-9054 (Zyxel NAS), CVE-2020-10987 (Tenda products), CVE-2020-8515 (Draytek Vigor routers), CVE-2018-10561 and CVE-2018-10562 (Dasan GPON routers), CVE-2015-2051 (D-Link routers), to name a few.
Once installed, the malware will listen on two ports (31412 and 19412), where it waits for an IP address to be sent to it. Once one is received, the bot will attempt each of its exploits against that IP address to gain access.
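As an added defender-side illustration (not code from the Alien Labs report), the following Python parses `ss -lntp`-style listener output and flags processes bound to the two ports described above, treating a single process holding both ports as the stronger signal. The sample `ss` output, process name and PIDs are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Ports the report says BotenaGo listens on while waiting for a target IP.
BOTENAGO_PORTS: Set[int] = {31412, 19412}

# Constructed sample of `ss -Hlntp` output (no header line).
# The process name "sysupdate" and the PIDs are made up for this example.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:31412 0.0.0.0:* users:(("sysupdate",pid=4471,fd=7))
LISTEN 0 128 [::]:19412 [::]:* users:(("sysupdate",pid=4471,fd=8))
LISTEN 0 511 127.0.0.1:8080 127.0.0.1:* users:(("nginx",pid=990,fd=6))
"""

# state, recv-q, send-q, local addr:port, peer, optional users:(("proc",pid=N,...
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def parse_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Parse TCP listeners from `ss -Hlntp` style output (one per line)."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a LISTEN row
        pid: Optional[str] = m.group("pid")  # absent when ss ran without -p rights
        listeners.append({
            "addr": m.group("addr"),
            "port": int(m.group("port")),
            "proc": m.group("proc"),
            "pid": int(pid) if pid else None,
        })
    return listeners


def find_suspicious_listeners(ss_output: str, ports: Set[int] = BOTENAGO_PORTS):
    """Return every listener bound to one of the watched ports."""
    return [l for l in parse_listeners(ss_output) if l["port"] in ports]


def botenago_pair_present(ss_output: str, ports: Set[int] = BOTENAGO_PORTS) -> bool:
    """True only if one process listens on *all* watched ports at once."""
    by_pid: Dict[int, Set[int]] = {}
    for l in find_suspicious_listeners(ss_output, ports):
        if l["pid"] is not None:
            by_pid.setdefault(l["pid"], set()).add(l["port"])
    return any(held >= ports for held in by_pid.values())
```

Either port alone may belong to legitimate software, so the per-process pair check is the one worth alerting on; feed it `ss -Hlntp` output from the host being checked.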
“As payload, BotenaGo will execute remote shell commands on devices in which the vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each with a different payload. At time of analysis, all the payloads had been removed from the hosted servers by the attacker(s), and so Alien Labs could not analyze any of them,” the researchers said.
Alien Labs researchers didn’t find any active command-and-control communication between BotenaGo and its C&C server, but they have some theories on how the malware is being operated:
1. The malware is part of a "malware suite" and BotenaGo is only one module of infection in an attack. In this case, there should be another module either operating BotenaGo (by sending targets) or just updating the C&C with a new victim’s IP.
2. The links used for the payload on a successful attack imply a connection with Mirai malware. It could be that BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets.
3. This malware is still in beta phase and has been accidentally leaked.
“Malware authors continue to create new techniques for writing malware and upgrading its capabilities. In this case, new malware written in Golang can run as a botnet on different OS platforms with small modifications,” the researchers concluded.