BotenaGo Malware Can Exploit Millions of IoT devices and Routers
A new malware, written in Google's open-source programming language Golang, has been detected that has the potential to exploit millions of routers and IoT devices. It was discovered by researchers at AT&T AlienLabs. According to security researcher Ofer Caspi, BotenaGo can exploit more than 30 different vulnerabilities to attack a target. The malware works by creating a backdoor on the device. It then waits to receive a target to attack, either from a remote operator through port 19412 or from another related module running on the same machine.
Golang simplifies how software is created by making it easy for developers to compile the same code for different systems. This feature also makes it easier for hackers to spread malware across multiple operating systems. Research from Intezer, which offers a platform for analyzing malware, found a 2,000 percent increase in malware code written in Go found in the wild. Researchers don't know which group developed BotenaGo or how many devices are vulnerable. Currently, antivirus protections can't recognize the malware and sometimes misidentify it as a variant of the Mirai malware.
BotenaGo starts by checking whether a device is vulnerable to attack. It first initializes a global infection counter that is displayed on the screen, informing the hacker about the total number of successful infections. The malware then looks for the dlrs folder to load shell script files. If this folder is missing, BotenaGo stops the infection process. In the last step before activating, BotenaGo calls the function scannerInitExploits, which maps each offensive function to the string that represents its targeted system. Once it establishes that a device is vulnerable to attack, BotenaGo proceeds with exploit delivery by first querying the target with a simple GET request. It then searches the data returned by the request for each system signature that was mapped to an attack function. This allows the hacker to execute an OS command via a specific web request using a vulnerability tracked as CVE-2020-8958. A SHODAN search turned up nearly 2 million devices that are vulnerable to this type of attack alone.
There are two different ports that the malware can use to receive commands to target victims, ports 31421 and 19412. On port 19412, it listens to receive the victim's IP. Once a connection carrying that information is received on the port, it loops through the mapped exploit functions and executes them against the IP. BotenaGo can also receive a target command by setting a listener on system I/O user input and sending commands to the device through it.
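The two listening ports and the dlrs folder described above are host-side indicators a defender can check for. The following is an added example (not code from the article or from the AlienLabs research) that parses /proc/net/tcp-style records for sockets listening on 19412 or 31421 and checks for a dlrs directory; the sample records and the path layout are constructed for illustration.

```python
"""Triage helper for BotenaGo host indicators (added example, not from the article)."""
from pathlib import Path

# Ports the article reports BotenaGo listening on for targets and commands.
BOTENAGO_PORTS = {19412, 31421}
LISTEN_STATE = "0A"  # TCP_LISTEN as encoded in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state) for each socket line in /proc/net/tcp text."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        ip_hex, port_hex = local.split(":")
        # IPv4 address is stored as little-endian hex: 0100007F -> 127.0.0.1
        octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
        sockets.append((".".join(map(str, octets)), int(port_hex, 16), state))
    return sockets


def suspicious_listeners(text, ports=BOTENAGO_PORTS):
    """List (ip, port) pairs that are in LISTEN state on a BotenaGo command port."""
    return [(ip, port) for ip, port, state in parse_proc_net_tcp(text)
            if state == LISTEN_STATE and port in ports]


def dlrs_present(root):
    """Weak indicator: the folder BotenaGo requires before it will run its scripts."""
    return (Path(root) / "dlrs").is_dir()


# Constructed sample in /proc/net/tcp format: sshd on 22, two BotenaGo-style
# listeners (0x4BD4 = 19412, 0x7ABD = 31421) and one established client socket.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:4BD4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:7ABD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5679 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 9999 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for ip, port in suspicious_listeners(SAMPLE):
        print(f"listener on BotenaGo command port: {ip}:{port}")
    print("dlrs folder in cwd:", dlrs_present("."))
```

On a live Linux host, feed it the contents of /proc/net/tcp and the directory the suspect process runs from; a hit on either port is worth correlating with the owning process before drawing conclusions.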
Because of its ability to exploit devices exposed on internet-facing ports, BotenaGo can be dangerous to corporate networks, gaining access through vulnerable devices. Attacks that can be launched once a hacker takes over a device and piggybacks on the network it is using include DDoS attacks. Hackers can also host and spread malware using the infected internet connection. These vulnerabilities show how important it is to keep IoT devices and routers updated with the latest firmware and patches to avoid exploitation.