Overview of BotenaGo

A new botnet named BotenaGo has been seen in the wild targeting a number of IoT devices and routers. AT&T's Alien Labs published a report about the recently discovered malware and stated that it can exploit up to 30 different vulnerabilities against its targets. BotenaGo is written in the open-source programming language Golang, a programming language designed by Google with networking in mind.

Researchers are not sure who is behind the botnet, but the malware-scanning tool, Shodan, showed that BotenaGo could be a modified version of a malware botnet called Mirai. Mirai was last used in 2016 to carry out DDoS attacks. Despite the malware scan, AT&T Alien Labs doesn't believe that Mirai and BotenaGo are one and the same. The two malware families don't have the same attack functions, but it's possible that they were designed to work together.

BotenaGo is capable of creating botnets that function across a variety of device types, gaining access to networks and allowing hackers to carry out DDoS attacks. Additionally, the malware creates a backdoor and waits to receive a target to attack, either through port 19412 or from another related module running on the same machine. The botnet exploits devices with flaws related to the following CVEs:

  • CVE-2015-2051, CVE-2020-9377, CVE-2016-11021: D-Link routers
  • CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-6334: Netgear devices
  • CVE-2019-19824: Realtek SDK based routers
  • CVE-2017-18368, CVE-2020-9054: Zyxel routers and NAS devices
  • CVE-2020-10987: Tenda products
  • CVE-2014-2321: ZTE modems
  • CVE-2020-8958: Guangzhou 1GE ONU
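The backdoor described above waits for a target on port 19412, which gives defenders one concrete thing to look for in connection logs. The script below is an added detection example, not code from the advisory or from Alien Labs' report: it parses constructed Zeek-style connection records (tab-separated ts, src_ip, src_port, dst_ip, dst_port, proto; the format and all addresses are assumptions made up for this example) and reports every host that accepted a TCP connection on that port together with the peers that contacted it.

```python
from dataclasses import dataclass

# Port the BotenaGo backdoor listens on, per the advisory above.
BOTENAGO_PORT = 19412

# Constructed sample log. Only the first and third records should be flagged:
# the last record merely uses 19412 as an ephemeral *source* port.
SAMPLE_CONN_LOG = """\
1636996800.1\t10.20.5.17\t51000\t10.20.5.40\t19412\ttcp
1636996801.4\t10.20.5.17\t51001\t10.20.5.40\t443\ttcp
1636996802.2\t10.20.5.99\t19412\t10.20.5.41\t19412\ttcp
1636996803.0\t10.20.5.41\t40000\t203.0.113.9\t80\ttcp
1636996804.7\t10.20.5.40\t19412\t10.20.5.42\t2222\ttcp
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_conn_log(text: str) -> list:
    """Parse tab-separated connection records; malformed lines are skipped, not fatal."""
    conns = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) != 6:
            continue
        try:
            conns.append(Conn(float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5].lower()))
        except ValueError:
            continue
    return conns


def suspected_botenago_listeners(conns, port: int = BOTENAGO_PORT) -> dict:
    """Map each host that accepted TCP on `port` to the sorted list of peers that reached it.
    Only the destination port is matched: a source port of 19412 is normally just ephemeral."""
    hits = {}
    for c in conns:
        if c.proto == "tcp" and c.dport == port:
            hits.setdefault(c.dst, set()).add(c.src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    for dst, srcs in suspected_botenago_listeners(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{dst} accepted TCP/{BOTENAGO_PORT} from {', '.join(srcs)}")
```

A hit is a lead to verify on the device itself, not proof of infection; any flagged host should be checked for an unexpected listener on that port and patched against the CVEs listed above.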

Although BotenaGo is still in the beta phase and has been accidentally leaked, any botnet with this kind of potential is particularly concerning for the health care industry and other industries. Researchers are not sure how many devices BotenaGo has infected or how widespread the malware has become. Considering that hospitals and other medical facilities run their daily operations using IoT devices, it is important to address threats like BotenaGo before they get a chance to infect systems and devices.


How Avertium is Protecting Our Clients

  • Increasing visibility within your environment is crucial when trying to prevent or mitigate a potential attack from botnets like BotenaGo. Avertium offers EDR (endpoint detection and response) protection through SentinelOne, Sophos, and Microsoft Defender.

    • SentinelOne prevents threats and extends protection from the endpoint to beyond. Find threats and eliminate blind spots with autonomous, real-time, index-free threat ingestion and analysis that supports structured, unstructured, and semi-structured data.
    • Our partners, Microsoft and Sophos, also offer endpoint protection. Sophos can help secure your environment by protecting against and prioritizing potential threats. Microsoft Defender provides real-time threat detection, as well as firewall and network protection. The program comes standard with Windows.


Avertium's recommendations

  • Patch all devices
  • Use stronger passwords
  • Monitor network traffic regularly
  • Provide training for IT staff on how to handle IoT medical devices

Indicators of Compromise (IoCs):



References

AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits (AT&T Alien Labs, att.com)

BotenaGo botnet targets millions of IoT devices with 33 exploits (BleepingComputer)

AT&T Reveals Malware Targeting Millions of Routers, IoT Devices (PCMag)

Open source Botenago malware could potentially affect millions of routers and IoT devices (NotebookCheck.net News)

BotenaGo Malware Uses More Than 30 Various Exploits | Millions of IoT Devices Are Vulnerable (Tech Times)
