A novel malware botnet was found that recruits devices into DDoS (distributed denial of service) swarms with the potential for significant attacks against Realtek SDK, Huawei routers, and Hadoop YARN servers. Researchers at Akamai detected the new botnet at the beginning of the year. They captured it on their HTTP and SSH honeypots, where they saw it abusing outdated security vulnerabilities including CVE-2014-8361 and CVE-2017-17215.
When HinataBot first surfaced in mid-January 2023, Akamai notes that HinataBot’s operators were distributing Mirai binaries. It is a Go-based variation of the infamous strain and appears to be based on Mirai. According to Akamai’s experts, who were able to collect several samples from active campaigns as recently as March 2023, the malware is now being actively developed, with functional enhancements and anti-analysis features.
The malware is spread by brute-forcing SSH endpoints or exploiting known flaws using infection scripts and RCE payloads. After infecting targets, the malware will operate stealthily while awaiting instructions from the command-and-control server. Akamai’s analysts built their own C2 and interacted with simulated infections to set up HinataBot for DDoS assaults. This allowed them to watch the malware in operation and deduce its attack capabilities.
HinataBot’s earlier versions supported HTTP, ICMP, UDP, and TCP floods, but the latest versions feature only the first two. The botnet may be able to launch extremely effective distributed denial of service attacks even with just two attack types. Even though the HTTP and UDP attack instructions are different, they both produce 512 workers (processes) that deliver hardcoded data packets to the targets for a certain amount of time.
The size of an HTTP packet varies from 484 to 589 bytes. HinataBot produces UDP packets that are exceptionally huge (65,549 bytes) and contain null bytes, which can overload the victim with a lot of traffic. While UDP flood delivers huge numbers of trash traffic to the target, HTTP flood sends large volumes of website requests, hence the two approaches each aim to cause an outage differently.
When Akamai benchmarked the botnet in 10-second HTTP and UDP attacks, the malware produced 20,430 requests with a combined size of 3.4 MB during the HTTP attack. There were 6,733 packets totaling 421 MB of data produced by the UDP deluge. The researchers calculated that the UDP flood might yield around 336 Gbps with 1,000 nodes and 3.3 Tbps with 10,000 nodes.
In the event of an HTTP flood, 10,000 nodes would handle that amount of 20,400,000 rps and 27 Gbps while 1,000 entangled devices would produce 2,000,000 requests per second. Since HinataBot is still under development, it might at any point add new exploits and broaden its range of potential targets. Additionally, the fact that it is still in active evolution raises the possibility that stronger variations may start to circulate in the wild shortly.
“These theorized capabilities obviously don’t take into account the different kinds of servers that would be participating, their respective bandwidth and hardware capabilities, etc., but you get the picture,” warns Akamai. “Let’s hope that the HinataBot authors move onto new hobbies before we have to deal with their botnet at any real scale.”