New Golang Malware ‘BotenaGo’ Targets Millions of Routers and IoTs With Over 30 Exploits

  • New malware written in Golang can exploit over 30 vulnerabilities in millions of routers and IoT devices.
  • BotenaGo creates a backdoor and then waits to receive a target to start deploying the execution code on.
  • The actors behind this new malware strain are yet unknown, and so is the real number of affected devices.

A new malware written in the open-source programming language Golang (Go) was discovered to have 33 exploits ready to be deployed targeting vulnerabilities found in millions of routers and IoT devices. It operates by creating two backdoor ports, 31412 and 19412, and then standing by until receiving a target from a remote operator or from a related module on the same machine.

As payload, researchers at AT&T Alien Labs say the malware they named BotenaGo executes remote shell commands on devices where a vulnerability has been successfully exploited, uses different links with different payloads, and can run as a botnet on different OSs with small modifications.

It starts by initializing global infection counters showing all successful infections on the hacker's screen, and then it searches for the "dlrs" folder to load shell scripts files in. However, if the "dlrs" folder is missing, the malware stops and exits.

source: AT&T Alien Labs

Calling the function 'scannerInitExploits', it initiates the malware attack surface by mapping all offensive functions with a string representing a potential targeted system. The exploit delivery starts with a simple “GET” request query on the target and searches each system signature mapped to attack functions in the returned results.

source: AT&T Alien Labs

The "Server: Boa/0.93.15" string is mapped to the "main_infectFunctionGponFiber" function, which tries to exploit the CVE-2020-8958 vulnerability on the target device by letting the attacker execute an OS command via a specific web request. The researchers looked for the "Server: Boa/0.93.15" string (Boa is a discontinued, open-source web server) in SHODAN and results showed almost 2 million potential targets to this attack.

source: AT&T Alien Labs

Another vulnerability, CVE-2020-10173, is exploited with 33 malware functions that are ready to infect potential victims. Since this malware can also act by setting a listener to system IO (terminal) user input and can receive a target through it, the researchers used Wireshark on an infected virtual machine to see the results of some attacks.

source: AT&T Alien Labs

Some antivirus tools see these new malware variants built on Go as Mirai. Researchers say the payload links look similar, but there are language and architecture differences between Mirai and the new Go strains.

REVIEW OVERVIEW

Latest

Why Is Demon Slayer So Popular?

In August 2019, the world suddenly started talking about an anime series that had just released its nineteenth episode. Fast forward to...

F1 Live Stream 2022: How to Watch Formula 1 Without Cable

There's not much time until the 2022 Formula 1 World Championship gets underway - the first race is scheduled for late March,...

Disney+ Announces Basketball Series Inspired By Award-Winning Book The Crossover

Disney Plus announced a new basketball-themed drama series that is set to land on the streaming platform, drawing inspiration from the critically...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari