Millions of Routers, IoT Devices at Risk from BotenaGo Malware

BotenaGo, written in Google’s Golang programming language, can exploit more than 30 different vulnerabilities.

Newly surfaced malware that is difficult to detect and written in Google’s open-source programming language has the potential to exploit millions of routers and IoT devices, researchers have found.

Discovered by researchers at AT&T AlienLabs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a blog post published Thursday.

The malware, which is written in Golang, a language Google first released in 2009, works by creating a backdoor on the device. It then waits to receive a target to attack, either from a remote operator through port 19412 or from another related module running on the same machine, he wrote.


Golang, also known as Go, is aimed at simplifying how software is built by making it easy for developers to compile the same code for different systems. This feature may be the reason why it’s caught on with malware developers in the last few years, since it also makes it easier for attackers to spread malware on multiple operating systems, Caspi wrote.

Indeed, research from Intezer, which offers a platform for analyzing malware, suggests that there has been a 2,000 percent increase in malware code written in Go being found in the wild, he wrote.

Researchers said at this time they don’t know which threat actor or actors developed BotenaGo, nor the full scale of devices that are vulnerable to the malware. So far, antivirus protections also don’t seem to recognize the malware, sometimes misidentifying it as a variant of Mirai malware, Caspi wrote.

Setting Up the Attack

BotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about the total number of successful infections. The malware then looks for the ‘dlrs’ folder from which to load shell script files. If this folder is missing, BotenaGo stops the infection process.

In its last step before fully engaging, BotenaGo calls the function ‘scannerInitExploits’, “which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,” Caspi wrote.


BotenaGo establishes whether a device is vulnerable by first querying the target with a simple “GET” request. It then searches the returned data from the “GET” request for each system signature that was mapped to an attack function; a match selects the exploit to deliver.

Researchers detail several possible attacks that can be carried out using this query. In one, the malware maps the string “Server: Boa/0.93.15” to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, Caspi wrote.

That function attempts to execute an OS command on the device via a crafted web request, using a command-injection vulnerability tracked as CVE-2020-8958. A Shodan search turned up nearly 2 million devices exposed to this type of attack alone, he wrote.

“In total, the malware initiates 33 exploit functions that are ready to infect potential victims,” Caspi wrote. A full list of the vulnerabilities that BotenaGo can exploit is included in the post.
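The GET-then-match step described above can be turned around into a defensive banner check for your own equipment. The Go program below is an added example written for this page; it is not code from the AlienLabs post or from BotenaGo. It fetches a URL, reassembles the response headers and body, and reports which entries of a banner-to-weakness table occur in the answer. The table carries only the one pairing the article names (the Boa/0.93.15 banner and CVE-2020-8958); the two local httptest servers are constructed stand-ins for a vulnerable and a non-matching device, so nothing real is contacted.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Signature is one row of a banner-to-weakness table of the kind the article
// describes: a string searched for in the GET response and what a hit means.
type Signature struct {
	Needle string // substring BotenaGo is reported to look for
	CVE    string // weakness the matching exploit function targets
	Note   string
}

// signatures holds only the pairing the article names; the AlienLabs post
// lists the other 32.
var signatures = []Signature{
	{Needle: "Server: Boa/0.93.15", CVE: "CVE-2020-8958", Note: "GPON fiber ONU, OS command injection"},
}

// rawResponse rebuilds the header block and reads at most 64 KiB of the body,
// so a needle such as "Server: Boa/0.93.15" matches as it would on the wire.
func rawResponse(resp *http.Response) (string, error) {
	var sb strings.Builder
	for name, values := range resp.Header {
		for _, v := range values {
			fmt.Fprintf(&sb, "%s: %s\r\n", name, v)
		}
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if err != nil {
		return "", err
	}
	sb.WriteString("\r\n")
	sb.Write(body)
	return sb.String(), nil
}

// matchSignatures returns every table entry whose needle occurs in raw.
func matchSignatures(raw string) []Signature {
	var hits []Signature
	for _, s := range signatures {
		if strings.Contains(raw, s.Needle) {
			hits = append(hits, s)
		}
	}
	return hits
}

// fingerprint performs the single GET and runs the table over the answer.
func fingerprint(client *http.Client, target string) ([]Signature, error) {
	resp, err := client.Get(target)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := rawResponse(resp)
	if err != nil {
		return nil, err
	}
	return matchSignatures(raw), nil
}

// fakeDevice is a constructed local stand-in that answers with the given
// Server banner, so the example runs offline against no real hardware.
func fakeDevice(serverBanner string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Server", serverBanner)
		w.Header().Set("Content-Type", "text/html")
		io.WriteString(w, "<html><title>Login</title></html>")
	}))
}

func main() {
	client := &http.Client{Timeout: 5 * time.Second}
	devices := map[string]*httptest.Server{
		"vulnerable banner": fakeDevice("Boa/0.93.15"),
		"other banner":      fakeDevice("Boa/0.94.14rc21"), // a later Boa release; outside this one signature
	}
	for label, srv := range devices {
		hits, err := fingerprint(client, srv.URL)
		srv.Close()
		if err != nil {
			fmt.Printf("%s (%s): error: %v\n", label, srv.URL, err)
			continue
		}
		if len(hits) == 0 {
			fmt.Printf("%s (%s): no signature matched\n", label, srv.URL)
			continue
		}
		for _, h := range hits {
			fmt.Printf("%s (%s): matched %q -> %s (%s)\n", label, srv.URL, h.Needle, h.CVE, h.Note)
		}
	}
}
```

Point it only at devices you are authorized to assess. A hit means the exact banner BotenaGo keys on is exposed and the device should be patched or taken off the internet; no hit is not a clean bill of health, because the other 32 signatures are not in this table and a device whose banner string differs may still carry the same flaw, just as the malware would simply skip it.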

Backdooring Devices to Execute Commands

There are two different ways that the malware can receive commands to target victims, researchers found. One is to create two backdoor ports, 31421 and 19412, that are used in an attack scenario, Caspi wrote.

“On port 19412 it will listen to receive the victim IP,” he wrote. “Once a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.”

The second way BotenaGo can receive a target is by listening on the process’s standard input (the terminal), getting the command to the device that way, Caspi explained.

“For example, if the malware is running locally on a virtual machine, a command can be sent through telnet,” he wrote.
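An incident responder checking a device for the backdoor described above would start with the socket table. The Go function below is an added example, not part of the original article or of the malware: it parses `ss -antp`-style output and flags every socket whose local port is 19412 or 31421, both listening sockets and established connections from an operator. The sample table is constructed, with documentation-range addresses and a placeholder process name, not output captured from a real infection.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// backdoorPorts are the two ports the article says BotenaGo opens on an
// infected device. Only the local port is checked, because the infected
// device is the side that listens.
var backdoorPorts = map[int]string{
	19412: "listener that receives victim IPs from the operator",
	31421: "second BotenaGo backdoor port",
}

// Finding is one socket that matched.
type Finding struct {
	State   string // LISTEN, ESTAB, ...
	Local   string // local address:port as printed by ss
	Port    int
	Peer    string // remote side; the operator on an ESTAB row
	Process string // users:((...)) column, empty when ss ran without -p
	Why     string
}

// scanSocketTable parses `ss -antp`-style output and returns every row whose
// local port is one of the backdoor ports. Malformed rows are skipped rather
// than treated as errors, since output on small devices varies.
func scanSocketTable(ssOutput string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(ssOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || f[0] == "State" {
			continue // header line or too short to carry an address
		}
		_, portStr, err := net.SplitHostPort(f[3]) // handles 0.0.0.0:p, [::]:p and *:p
		if err != nil {
			continue
		}
		port, err := strconv.Atoi(portStr)
		if err != nil {
			continue
		}
		why, ok := backdoorPorts[port]
		if !ok {
			continue
		}
		proc := ""
		if len(f) >= 6 {
			proc = f[5]
		}
		findings = append(findings, Finding{State: f[0], Local: f[3], Port: port, Peer: f[4], Process: proc, Why: why})
	}
	return findings
}

// sampleSS is a constructed socket table: documentation-range addresses and a
// placeholder process name ("suspect"), not a capture from a real device.
const sampleSS = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*           users:(("dropbear",pid=301,fd=4))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*           users:(("boa",pid=412,fd=5))
LISTEN 0      128    0.0.0.0:19412       0.0.0.0:*           users:(("suspect",pid=4242,fd=3))
LISTEN 0      128    [::]:31421          [::]:*              users:(("suspect",pid=4242,fd=4))
ESTAB  0      0      192.0.2.1:19412     203.0.113.7:51000   users:(("suspect",pid=4242,fd=6))
ESTAB  0      0      192.0.2.1:51234     198.51.100.9:443    users:(("curl",pid=500,fd=3))
`

func main() {
	for _, f := range scanSocketTable(sampleSS) {
		fmt.Printf("%-6s %-20s peer=%-20s %s  %s\n", f.State, f.Local, f.Peer, f.Process, f.Why)
	}
}
```

A port number alone is a weak indicator: a legitimate service could use either port and a rebuilt sample could listen elsewhere, so treat a hit as a lead and confirm it with the process behind the socket, its binary hash and the ‘dlrs’ directory the article mentions. On BusyBox devices that only have `netstat -antp`, the columns are ordered differently (state and program come last), so the field indexes need adjusting.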

Dangers to Corporate Network

Given its ability to exploit devices connected over internet ports, BotenaGo can be potentially dangerous to corporate networks by gaining access through vulnerable devices, said one security professional.

“Bad actors, such as those at work here, love to exploit these devices to gain access to the internal networks behind them, or just to use it as a platform from which to launch other attacks,” observed Erich Kron, security awareness advocate at security firm KnowBe4, in an email to Threatpost.

Attacks that can be launched once a hacker takes over a device and piggybacks on the network it’s using include DDoS attacks, which can lead to extortion of money from victims, he said. Attackers also can host and spread malware using a victim’s internet connection, Kron observed.

Given the number of vulnerabilities of which it can take advantage, BotenaGo also shows the importance of keeping IoT and routers updated with the latest firmware and patches to avoid leaving them available to exploit, he added.


Discussion

  • Daniel Hallmark on

    I think the title of this article may be a bit misleading. Just because the language used to create the malware is open-source does not make the malware itself open-source.
  • Hiiiiiiii on

    Ooh amazing, an open source malware (no link to repo though), written in Go, but disguises itself as a simple jQuery animation (picture). Brilliant!! Now get the fuck out of my news feed.
  • Jeffrey Scott on

    This was a great article but very technical. What is the average person supposed to do to combat the plague of cyber attacks? I’d like to see an article that goes over the average day in the life of a 50-something person as they use their devices and what potentially may be happening in the background that they have no clue about. They get up and use their phone to check the news and social media. They use their laptop to log into their bank account and investments. Then they log into their work network for work and work all day. What’s going on in the background and where are the threat actors hiding? What does one do to be safe? That would be very interesting.
  • Pete Riches on

    Please remember that not everyone who reads your headlines will read the article, but when you arbitrarily include the term "open source", the less technically aware among us come away with the mistaken impression that the threat is *because* of open source development. Please don't undermine the credibility of good articles with bad headlines, or miseducate those who don't read the full article.
  • factChecker on

    The title doesn't make much sense
  • Danny on

    This article seems to be all about the source while forgetting to mention what vulnerability is actually being exploited. :/
  • Kris Stark on

    How exactly is this "open source" malware? If you classify it as such because the programming language is open source, then you would have to classify a huge swath of other programs as being open source, since most languages have some kind of open source angle, for example as a compiler. The GNU compilers are open source. Language definitions are open, even if the language compiler may not be. A program written and compiled in an open source language/compiler does not make it open source automatically. If this malware is open source - tell me where I can find the source code...
