Security researchers have discovered a new malware botnet named BotenaGo that uses over thirty exploits to attack millions of routers and IoT devices.
BotenaGo is written in Go (Golang), a language that has gained popularity among malware authors in recent years because it produces payloads that are harder to detect and reverse engineer. The sample has a low antivirus (AV) detection rate (6/62).
BotenaGo incorporates 33 exploits for a variety of routers, modems, and NAS devices; notable examples include:
- CVE-2015-2051, CVE-2020-9377, CVE-2016-11021: D-Link routers
- CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-6334: Netgear devices
- CVE-2019-19824: Realtek SDK based routers
- CVE-2017-18368, CVE-2020-9054: Zyxel routers and NAS devices
- CVE-2020-10987: Tenda products
- CVE-2014-2321: ZTE modems
- CVE-2020-8958: Guangzhou 1GE ONU
The new botnet was analyzed by the researchers at AT&T who found that it targets millions of devices with functions that exploit the above flaws.
When installed, the malware will listen on two ports (31412 and 19412), where it waits for an IP address to be sent to it. Once one is received, the bot will exploit each vulnerability on that IP address to gain access.
Once it has access, BotenaGo executes remote shell commands to recruit the device into the botnet. Depending on the targeted device, the malware fetches a matching payload from one of several different links.
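A defender's first host-level check for the behaviour described above is whether anything on a device is listening on the two ports the article names. The following is an added example, not code from the AT&T write-up or from the malware: it parses Linux `ss -tunlp` output and flags listeners on 31412 or 19412. The sample output is constructed for the demo, the process names and PIDs in it are placeholders rather than observed BotenaGo artefacts, and because the article does not state the transport, both TCP and UDP sockets are checked.

```python
"""Flag local listeners on the two ports the article attributes to BotenaGo.

Added example, not code from the AT&T write-up. It parses `ss -tunlp`
output (Linux). The sample lines below are constructed for the demo; the
process names in them are placeholders, not observed BotenaGo artefacts.
"""
import re

# Listener ports named in the article. The article does not say whether
# they are TCP or UDP, so both socket types are checked (assumption).
BOTENAGO_PORTS = {31412, 19412}

# Constructed sample of `ss -tunlp` output: a header row plus a few sockets.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      128             [::]:80            [::]:*     users:(("lighttpd",pid=845,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:31412      0.0.0.0:*     users:(("sample",pid=1337,fd=7))
tcp   LISTEN 0      4096         0.0.0.0:19412      0.0.0.0:*     users:(("sample",pid=1337,fd=8))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=902,fd=5))
"""

# The port is whatever follows the last colon, which also works for
# bracketed IPv6 addresses such as [::]:80 and wildcards such as *:53.
_PORT_RE = re.compile(r":(\d+)$")
# Process column as printed by `ss -p`: users:(("name",pid=123,fd=4))
_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def local_port(addr: str):
    """Return the numeric port of an ss local address, or None if absent."""
    m = _PORT_RE.search(addr)
    return int(m.group(1)) if m else None


def find_botenago_listeners(ss_output: str, ports=frozenset(BOTENAGO_PORTS)):
    """Return (proto, port, process, pid) for every socket bound to a flagged port.

    Only LISTEN (TCP) and UNCONN (UDP) rows count as listeners; established
    connections that happen to use those ports as ephemeral source ports are
    ignored, which keeps false positives down.
    """
    hits = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):
            continue
        port = local_port(local)
        if port in ports:
            m = _PROC_RE.search(line)
            proc, pid = (m.group(1), int(m.group(2))) if m else ("?", None)
            hits.append((proto, port, proc, pid))
    return hits


if __name__ == "__main__":
    for proto, port, proc, pid in find_botenago_listeners(SAMPLE_SS_OUTPUT):
        print(f"suspicious listener: {proto}/{port} process={proc} pid={pid}")
```

On a real device, feed the function the output of `ss -tunlp` instead of the constructed sample. A hit on either port is a lead to investigate (which binary owns the PID, where it came from), not proof of infection on its own, since any software can bind those ports.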
The researchers could not find active C2 communication between BotenaGo and an actor-controlled server. They offer three possible scenarios for how it operates:
- BotenaGo is only one part (module) of a multi-stage modular malware attack, and it’s not the one responsible for handling communications.
- BotenaGo is a new tool used by Mirai operators on certain machines, a scenario that is backed by common payload dropping links.
- The malware isn’t ready to operate yet, and a sample from its early development phase leaked in the wild accidentally.
As the new botnet has been spotted early, indicators of compromise are already available. But because there are numerous vulnerable devices online to exploit, the researchers speculate the malware could be enhanced by integrating new exploits.