BotenaGo Malware Source Code Uploaded to GitHub

The source code of the BotenaGo malware was uploaded to GitHub, researchers recently discovered, potentially resulting in new variants of the malware that target Internet of Things (IoT) devices and routers.

BotenaGo was first uncovered in November, but researchers have since found that its source code was uploaded in October, a month before that initial discovery. The malware contains 33 different exploit functions to attack connected devices. Researchers describe the malware’s source code - a total of 2,891 lines of code - as “simple yet efficient.” BotenaGo has been used to exploit vulnerabilities in routers and IoT devices in order to spread the Mirai botnet malware, researchers said.

When source code for Mirai - known for the 2016 distributed denial-of-service (DDoS) attack against DNS provider Dyn that affected Internet service in the U.S. - was released in 2016, it gave attackers an inside look at the botnet's infrastructure and configuration. From there, they were able to add their own unique functionalities, resulting in dozens of variants. Researchers said the source code of BotenaGo being uploaded to GitHub can similarly allow attackers to add further capabilities and leverage all of its exploits to attack vulnerable devices.

“Alien Labs recently discovered that the source code of BotenaGo malware was uploaded to GitHub on October 16th 2021, allowing any malicious hacker to use, modify, and upgrade it — or even simply compile it as is and use the source code as an exploit kit, with the potential to leverage all BotenaGo’s exploits to attack vulnerable devices,” said Ofer Caspi, security researcher at Alien Labs, part of AT&T Cybersecurity, on Wednesday. “Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally.”

BotenaGo is the latest malware family to be written in the Go language, which is an open-source programming language designed by Google. The language has increased in popularity for malware authors over the past few years, in part because it makes it easy to compile the same code for different systems - allowing attackers to spread malware on multiple operating systems.

The malware’s 33 exploits give attackers a “ready state” to target an array of devices, including ones from Linksys and Broadcom. These include exploits for flaws such as CVE-2020-10987, a critical vulnerability in the Tenda AC15 AC1900 that allows remote attackers to execute arbitrary system commands; as well as CVE-2020-10173, a series of flaws in Comtrend devices that can enable authenticated command injection. In addition, researchers warned that currently antivirus detection of BotenaGo and its variants “remains behind with very low detection coverage,” with only three out of 60 engines detecting the malware.

During initial analysis of BotenaGo, researchers found the malware includes a reverse shell and telnet loader, used to create a backdoor and then receive commands from the operator. They also found that the malware operates by first either receiving a target to attack from a remote operator (via port 19412) or another related module running on the machine. While earlier iterations of the malware did not have command-and-control (C2) communication abilities, with commands instead appearing to be sent via backdoor ports or via telnet, researchers more recently found a variant that is configured to use a new C2 server.

“The original source of the code is yet unknown,” said researchers. “In the same repository, we have found additional hacking tools collected from several different sources.”

Alien Labs’ Caspi said that organizations can protect themselves by minimizing Internet exposure of Linux servers and IoT devices, using a properly configured firewall, making sure to install security upgrades and checking systems for unnecessarily open ports.
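One way to act on the last of those recommendations, as an added example that is not from the article or Alien Labs: a POSIX shell audit that compares a Linux host's listening TCP ports against a small allowlist and separately calls out 19412, the port the article says BotenaGo takes targets on. It assumes the column layout of `ss -Hltn`; the allowlist and the sample output are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the article's or Alien Labs' code): flag listening TCP
# ports that are not on an allowlist, with a specific alert for 19412.
# Assumes the `ss -Hltn` layout: State Recv-Q Send-Q Local Peer.

ALLOWED_PORTS="22 443"   # constructed allowlist: sshd and HTTPS only

# flag_unexpected_ports: reads `ss -Hltn`-style lines on stdin, prints one
# line per listening port not in ALLOWED_PORTS, returns 1 if any were found.
flag_unexpected_ports() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue   # skip headers or other states
        port=${laddr##*:}                     # keep only the part after the last ':'
        case " $ALLOWED_PORTS " in
            *" $port "*) continue ;;          # allowlisted, nothing to report
        esac
        if [ "$port" = "19412" ]; then
            echo "ALERT port $port ($laddr): matches BotenaGo operator port"
        else
            echo "WARN  port $port ($laddr): not in allowlist"
        fi
        found=1
    done
    return $found
}

# Constructed sample of `ss -Hltn` output, including a 19412 listener and
# a telnet (23) listener, neither of which is on the allowlist.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 5 0.0.0.0:19412 0.0.0.0:*
LISTEN 0 10 [::]:23 [::]:*'

# On a live host run: ss -Hltn | flag_unexpected_ports
if ! printf '%s\n' "$SAMPLE_SS" | flag_unexpected_ports; then
    echo "audit: unexpected listeners found"
fi
```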

IoT attacks have continued to proliferate over the past two years, with researchers at Intel471 this week saying they have observed “a surge” in these types of attacks in 2020 and 2021.

Researchers said that the Mirai botnet, along with the Gafgyt malware, have largely contributed to this increase, targeting devices in Europe and North America; and numerous threat actors are selling access to botnets built from Mirai code bases. They assessed “with a high degree of confidence” that IoT security will continue to be a top issue for organizations moving forward.

“Threat actors seized the opportunity to not only create large botnets, but also steal confidential data from IoT devices linked to compromised organizations, and potentially sell it on underground marketplaces,” said Intel471 researchers.