HinataBot

A newly discovered Golang-based botnet, dubbed HinataBot, has been seen to exploit well-known vulnerabilities in order to breach routers and servers and use them for distributed denial-of-service (DDoS) strikes. The name of the threat is based on a character from the popular anime series Naruto with many file name structures having the format 'Hinata-<OS>-<Architecture>.' Details about the threat were released by the cybersecurity researchers at Akamai.

It is believed that the perpetrators behind HinataBot have been active since December 2022, at least. Back then, they were trying to utilize a common Go-based Mirai variant before switching to their own custom-made malware threats starting on January 11th, 2023. It is believed that HinataBot is still under active development.

Cybercriminals Rely on Known Vulnerabilities to Breach Devices and Deploy HinataBot

The HinataBot malware is being distributed through multiple methods, including exploiting exposed Hadoop YARN servers. Vulnerabilities in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8) are also abused by the threat actors as a way to establish a foothold on the targeted systems.

Unpatched vulnerabilities and weak credentials have been an easy target for attackers due to their low-security requirements compared to more sophisticated tactics such as social engineering. These entry points provide a well-documented avenue of attack that can be easily exploited.

HinataBot May Be Capable of Launching Devastating 3.3 Tbps DDoS Attacks

The HinataBot is capable of establishing contact with a Command-and-Control (C2, C&C) server as a way to receive instructions from the threat actors. The malware can be instructed to launch DDoS attacks against targeted IP addresses for a chosen period of time.

Previous versions of HinataBot used several different protocols, such as HTTP, UDP, TCP, and ICMP, for the DDoS attacks; however, this latest iteration of the threat has retained only two - the HTTP and UDP protocols. The reason for dropping the other protocols remains unknown at this time.

The researchers warn that HinataBot can be utilized to launch massive DDoS attacks. For example, having 10,000 bots participating in an attack simultaneously, a UDP flood could generate peak traffic of up to 3.3 Tbps (Terabit per second), while an HTTP flood would produce around 27 Gbps in traffic volume.