A new botnet named BotenaGo has been identified in the wild. The threat has the capacity to infect millions of vulnerable IoT (Internet of Things) devices and routers. After analyzing a sample of the threat, researchers at AT&T found that it could exploit over 33 vulnerabilities in routers, modems and NAS devices. Some of the targeted devices include D-Link routers (via CVE-2015-2051, CVE-2020-9377, CVE-2016-11021), Realtek SDK-based routers (CVE-2019-19824), ZTE modems (CVE-2014-2321), Netgear devices (CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-63340), and more.
As its name might suggest, the BotenaGo botnet is created using the Go programming language. Go has been gaining popularity among cybercriminals for the past several years as it offers cross-platform functionality while making the threats both harder to detect and to reverse engineer.
When deployed on a targeted device, BotenaGo starts listening on two specific ports, 31412 and 194121, and waits for the attackers to supply an IP address. Upon receiving a suitable IP, it runs through the vulnerabilities it exploits in an attempt to gain access. Afterward, it runs several shell commands to add the device to its botnet, fetching a payload suited to the targeted device from one of several different links.
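A host-side check for the listening behaviour described above, added here as an example and not taken from the AT&T analysis: it parses `ss -lntp` style output and reports any socket bound to one of the ports the article names. The sample socket listing is constructed; the `find_listeners` and `valid_ports` names are this example's own.

```python
"""Flag local TCP listeners on the ports associated with BotenaGo."""
import re

# Ports as printed in the article. 194121 is kept as given, but it exceeds
# 65535 and therefore can never be bound by a real TCP listener; the watch
# list is validated rather than silently matched against such entries.
WATCH_PORTS = (31412, 194121)

# Constructed `ss -lntp` output for this example (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=612,fd=3))
LISTEN  0       128     0.0.0.0:31412        0.0.0.0:*          users:(("update",pid=2231,fd=5))
LISTEN  0       128     [::]:80              [::]:*             users:(("nginx",pid=700,fd=6))
"""

# LISTEN <recv-q> <send-q> <local-addr>:<port> <peer> [<process>]
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(.*))?$")


def valid_ports(ports):
    """Split a port list into (usable, out-of-range) entries."""
    good, bad = [], []
    for p in ports:
        (good if 0 < p <= 65535 else bad).append(p)
    return good, bad


def find_listeners(ss_output, ports=WATCH_PORTS):
    """Return (port, local_address, process) for every watched listener."""
    good, _ = valid_ports(ports)
    hits = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or non-LISTEN line
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3) or ""
        if port in good:
            hits.append((port, addr, proc.strip()))
    return hits


if __name__ == "__main__":
    usable, invalid = valid_ports(WATCH_PORTS)
    if invalid:
        print("ignoring out-of-range ports:", invalid)
    for port, addr, proc in find_listeners(SAMPLE_SS_OUTPUT):
        print(f"watched port {port} open on {addr}: {proc}")
```

To check a live system, pipe the output of `ss -lntp` into `find_listeners` instead of the constructed sample.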
Not Operational Yet
The researchers were not able to obtain any payloads from the hosting server, and they did not detect any communication between BotenaGo and its Command-and-Control (C2, C&C) server. There is not enough data for a concrete explanation, but infosec experts have three potential scenarios:
- The BotenaGo sample that was found is just one of several modules that are part of a multi-stage malware attack.
- The threat could be a new tool used by Mirai operators. This conjecture is supported by several of the links used to deliver payloads.
- The lack of C2 communication may simply be a sign that BotenaGo is not yet ready for deployment and the sample caught by the researchers was released in the wild accidentally.
Users and companies should take note of the threat's IoCs (Indicators of Compromise) and implement sufficient countermeasures.