BotenaGo, written in Google’s Golang programming language, can exploit over 30 different vulnerabilities.
Discovered by researchers at AT&T Alien Labs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a blog post published Thursday.
The malware, which is written in Golang, a language Google first published in 2007, works by creating a backdoor to the device. It then waits to receive a target to attack, either from a remote operator through port 19412 or from another related module running on the same machine, he wrote.
Golang, also known as Go, is aimed at simplifying how software is built by making it easy for developers to compile the same code for different systems. This feature may be the reason why it has caught on with malware developers in the last few years, since it also makes it easier for attackers to spread malware across multiple operating systems, Caspi wrote.
Research from Intezer, which offers a platform for analysing malware, suggests that there has been a 2,000% increase in malware code written in Go being found in the wild, he wrote.
Researchers stated that at this time they do not know which threat actor or actors developed BotenaGo, nor the full range of devices that are vulnerable to the malware. So far, antivirus protections also do not seem to recognise the malware, sometimes misidentifying it as a variant of the Mirai malware, Caspi wrote.
Setting Up Attack
BotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initialising global infection counters that will be printed to the screen, informing the attacker about total successful infections.
The malware then looks for the ‘dlrs’ folder, from which it loads shell script files. If this folder is missing, BotenaGo stops the infection process.
In its last step before fully engaging, BotenaGo calls the function ‘scannerInitExploits’, “which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,” Caspi wrote.
Once it establishes that a device is vulnerable to attack, BotenaGo proceeds with exploit delivery by first querying the target with a simple “GET” request. It then searches the data returned by the “GET” request for each system signature that was mapped to an attack function.
Researchers detail several possible attacks that can be conducted using this query. In one, the malware maps the string “Server: Boa/0.93.15” to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, Caspi wrote.
This allows the attacker to execute an OS command via a specific web request using a vulnerability tracked as CVE-2020-8958. A SHODAN search turned up nearly 2 million devices that are vulnerable to this type of attack alone, he wrote.
“In total, the malware initiates 33 exploit functions that are ready to infect potential victims,” Caspi wrote. A full list of the vulnerabilities that BotenaGo can exploit is included in the post.
There are two different ways the malware can receive commands to target victims, researchers found. One is to create backdoor ports, 31421 and 19412, that are used in an attack scenario, Caspi wrote.
“On port 19412 it will listen to receive the victim IP,” he wrote. “Once a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.”
The second way BotenaGo can receive a target command is by setting a listener to system IO (terminal) user input, getting the command to the device that way, Caspi explained.
“For example, if the malware is running locally on a virtual machine, a command can be sent through telnet,” he wrote.
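As an added illustration of the two behaviours described above (the server-banner match that precedes exploit delivery, and the backdoor listeners on ports 19412 and 31421), here is defender-side Python that is not part of the Alien Labs post: it flags listening sockets on those ports in `ss -ltnp` output and identifies the Boa/0.93.15 banner in an HTTP response recorded by a device inventory. The `ss` lines, the process name and the headers are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Backdoor ports named in the write-up: 19412 (victim-IP listener) and 31421.
BOTENAGO_PORTS = {19412, 31421}

# Server banner the write-up says BotenaGo matches before calling its GPON
# exploit function, mapped to the CVE the article names for that device class.
TARGETED_BANNERS: Dict[str, str] = {"Boa/0.93.15": "CVE-2020-8958"}

# One line of `ss -ltnp` output (Linux listening TCP sockets with owning process).
SS_LISTEN_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

# Constructed sample output; "unk_elf" is a made-up process name, not a real IoC.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:19412       0.0.0.0:*         users:(("unk_elf",pid=2045,fd=5))
LISTEN 0      128    [::]:31421          [::]:*            users:(("unk_elf",pid=2045,fd=6))
LISTEN 0      64     127.0.0.1:631       127.0.0.1:*       users:(("cupsd",pid=400,fd=7))
"""

# Constructed HTTP response header block as a device inventory scan might record it.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nServer: Boa/0.93.15\r\nContent-Type: text/html\r\n\r\n"


def find_backdoor_listeners(ss_output: str) -> List[Tuple[int, str]]:
    """Return (port, process) for each listening socket on a BotenaGo backdoor port."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LISTEN_RE.match(line.strip())
        if m and int(m.group("port")) in BOTENAGO_PORTS:
            hits.append((int(m.group("port")), m.group("proc") or "unknown"))
    return hits


def classify_server_banner(http_headers: str) -> Optional[str]:
    """Return the CVE id if the Server header is a banner BotenaGo targets, else None."""
    for raw in http_headers.split("\r\n"):
        name, _, value = raw.partition(":")
        if name.strip().lower() == "server" and value.strip() in TARGETED_BANNERS:
            return TARGETED_BANNERS[value.strip()]
    return None


if __name__ == "__main__":
    print("backdoor listeners:", find_backdoor_listeners(SAMPLE_SS))
    print("exposed banner CVE:", classify_server_banner(SAMPLE_HEADERS))
```

A hit from the first function on a device that should not be hosting a listener on those ports is a reason to pull the binary for analysis; a hit from the second is a device that needs its firmware updated before it is reachable from the internet.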
Dangers to Corporate Network
Given its ability to exploit devices connected over internet ports, BotenaGo can be potentially dangerous to corporate networks by gaining access through vulnerable devices, explained one security professional.
“Bad actors, such as those at work here, love to exploit these devices to gain access to the internal networks behind them, or just to use it as a platform from which to launch other attacks,” observed Erich Kron, Security Awareness Advocate at security firm KnowBe4.
Piggybacks on the Network
Attacks that can be launched once a hacker takes over a device and piggybacks on the network it is using include DDoS attacks, which can lead to extortion of money from victims, he commented. Attackers also can host and spread malware using a victim’s internet connection, Kron observed.
Given the number of vulnerabilities it can take advantage of, BotenaGo also shows the importance of keeping IoT devices and routers updated with the latest firmware and patches, so that they are not left available to exploit, he concluded.