Millions of Routers, IoT Devices at Risk from BotenaGo Malware

BotenaGo, written in Google’s Golang programming language, can exploit more than 30 different vulnerabilities.

Newly surfaced malware that is difficult to detect and written in Google’s open-source programming language has the potential to exploit millions of routers and IoT devices, researchers have found.

Discovered by researchers at AT&T AlienLabs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a blog post published Thursday.

The malware, which is written in Golang—a language Google first published in 2007–works by creating a backdoor to the device. It then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine, he wrote.

Register now for our LIVE event!

Golang, also known as Go, is aimed at simplifying how software is built by making it easy for developers to compile the same code for different systems. This feature may be the reason why it’s caught on with malware developers in the last few years, since it also makes it easier for attackers to spread malware on multiple operating systems, Caspi wrote.

Indeed, research from Intezer, which offers a platform for analyzing malware, suggests that there has been a 2,000 percent increase in malware code written in Go being found in the wild, he wrote.

Researchers said at this time they don’t know which threat actor or actors developed BotenaGo, nor the full scale of devices that are vulnerable to the malware. So far, antivirus protections also don’t seem to recognize the malware, sometimes misidentifying it as a variant of Mirai malware, Caspi wrote.

Setting Up the Attack

BotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about total successful infections. The malware then looks for the ‘dlrs’ folder in which to load shell scripts files. If this folder is missing, BotenaGo stops the infection process.

In its last step before fully engaging, BotenaGo calls the function ‘scannerInitExploits’, “which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,” Caspi wrote.

Register now for our LIVE event!

Once it establishes that a device is vulnerable to attack, BotenaGo proceeds with exploit delivery by first querying the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions.

Researchers detail several possible attacks that can be carried out using this query. In one,  the malware maps the string “Server: Boa/0.93.15” to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, Caspi wrote.

This allows the attacker to execute an OS command via a specific web request using a vulnerability tracked as CVE-2020-8958. A SHODAN search turned up nearly 2 million devices that are vulnerable to this type of attack alone, he wrote.

“In total, the malware initiates 33 exploit functions that are ready to infect potential victims,” Caspi wrote. A full list of the vulnerabilities that BotenaGo can exploit is included in the post.

Backdooring Devices to Execute Commands

There are two different ways that the malware can receive commands to target victims, researchers found. One is the create backdoor ports–31421 and 19412—that are used in an attack scenario, Caspi wrote.

“On port 19412 it will listen to receive the victim IP,” he wrote. “Once a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.”

The second way BotenaGo can receive a target command is by setting a listener to system IO (terminal) user input, getting the command to the device that way, Caspi explained.

“For example, if the malware is running locally on a virtual machine, a command can be sent through telnet,” he wrote.

Dangers to Corporate Network

Given its ability to exploit devices connected over internet ports, BotenaGo can be potentially dangerous to corporate networks by gaining access through vulnerable devices, said one security professional.

“Bad actors, such as those at work here, love to exploit these devices to gain access to the internal networks behind them, or just to use it as a platform from which to launch other attacks,” observed Erich Kron, security awareness advocate at security firm KnowBe4, in an email to Threatpost.

Attackers that can be launched once a hacker takes over a device and piggybacks on the network it’s using include DDoS attacks, which that can lead to extortion of money from victims, he said. Attackers also can host and spread malware using a victim’s internet connection, Kron observed.

Given the number of vulnerabilities of which it can take advantage, BotenaGo also shows the importance of keeping IoT and routers updated with the latest firmware and patches to avoid leaving them available to exploit, he added.

Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.

Register NOW for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at becky.bracken@threatpost.com.

Suggested articles