The novel BotenaGo malware botnet has been detected attacking millions of routers and IoT devices by exploiting more than thirty vulnerabilities. BotenaGo was written in Golang (Go), a programming language whose popularity has exploded in recent years; malware authors favor it because it produces payloads that are harder to detect and harder to reverse-engineer.
Only 6 of the 62 antivirus engines on VirusTotal flag BotenaGo as malicious, and some of those identify it as Mirai. BotenaGo carries exploits for 33 vulnerabilities affecting a range of routers, modems, and NAS systems, including the following well-known examples:
- CVE-2015-2051, CVE-2020-9377, and CVE-2016-11021: D-Link routers
- CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, and CVE-2017-6334: Netgear devices
- CVE-2019-19824: Routers based on Realtek SDK
- CVE-2017-18368 and CVE-2020-9054: NAS devices and Zyxel routers
- CVE-2020-10987: Tenda products
- CVE-2014-2321: ZTE modems
- CVE-2020-8958: Guangzhou 1GE ONU
AT&T researchers investigated the new botnet and found that it targets millions of devices with exploit functions for the vulnerabilities listed above. Once installed, the malware listens on two ports (31412 and 19412), waiting to be supplied with an IP address. When one is received, the bot attempts to gain access by trying every vulnerability it carries against that address.
BotenaGo will use remote shell commands to enlist the device into the botnet once it has gained access. The malware uses multiple URLs to obtain a matching payload depending on which device is targeted. However, because there were no payloads on the hosting server at the time of the analysis, none could be obtained for examination.
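The two listening ports named above are the most concrete host-level indicator the article gives a defender. The following added example (not code from the article or from the AT&T research) shows how a host check might use that indicator: it parses `ss -Hlntp`-style socket listings and flags any process listening on 31412 or 19412. The sample output is constructed, and the process name `x86_64` and PIDs in it are placeholders, not observed values; a hit on these ports is a lead to triage, since an unrelated service could legitimately use them.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Listening ports reported for BotenaGo in the article above.
BOTENAGO_LISTEN_PORTS: Set[int] = {31412, 19412}

# Constructed sample of `ss -Hlntp` output (headerless, listening TCP sockets with
# owning process). It is NOT captured from a real infection; names and PIDs are
# placeholders.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=611,fd=3))
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*    users:(("httpd",pid=702,fd=4))
LISTEN 0      4096         0.0.0.0:31412     0.0.0.0:*    users:(("x86_64",pid=1337,fd=6))
LISTEN 0      4096            [::]:19412        [::]:*    users:(("x86_64",pid=1337,fd=7))
LISTEN 0      128        127.0.0.1:53        0.0.0.0:*    users:(("dnsmasq",pid=540,fd=5))
"""

# Extracts the first process name and PID from the `users:(("name",pid=N,fd=M))` column.
_PROC = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    port: int
    process: str
    pid: int


def parse_ss_listeners(text: str) -> List[Listener]:
    """Parse `ss -Hlntp` output into Listener records (one per LISTEN line)."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # Port is whatever follows the last colon; this also handles "[::]:19412".
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        match = _PROC.search(line)
        process, pid = (match.group(1), int(match.group(2))) if match else ("?", -1)
        listeners.append(Listener(port, process, pid))
    return listeners


def find_suspicious_listeners(
    text: str, watch_ports: Iterable[int] = BOTENAGO_LISTEN_PORTS
) -> List[Listener]:
    """Return listeners bound to any of the watched ports, in output order."""
    watch = set(watch_ports)
    return [lst for lst in parse_ss_listeners(text) if lst.port in watch]


if __name__ == "__main__":
    # On a live host you would feed it: subprocess.run(["ss", "-Hlntp"], ...).stdout
    for hit in find_suspicious_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {hit.port} is held by {hit.process!r} (pid {hit.pid}) - triage this process")
```

The check deliberately reports the owning process rather than just the port: a listener on one of these ports is worth investigating, but the process name, its binary path and its parent are what let an analyst confirm or dismiss the lead.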
Moreover, the researchers could not find any active C2 connection between BotenaGo and an actor-controlled server, and they offer three possible explanations:
- BotenaGo is just one component (module) in a multi-stage modular malware operation, and it isn’t in charge of communications.
- BotenaGo is a novel tool used by Mirai operators on specific devices, supported by typical payload dropping connections.
- The malware isn’t ready to use yet, and a sample from its early development phase was mistakenly released into the world.
To summarize, BotenaGo's appearance in the wild is unusual given its unfinished operational state, but its core capabilities leave little doubt about its authors' intentions. The new botnet was discovered early, and its indicators of compromise are already known. Nonetheless, as long as there is a large number of vulnerable internet-connected devices to target, threat actors will continue to develop BotenaGo.