BotenaGo is a virus developed in Golang (Go), a programing language that has exploded in popularity in recent years, with malware developers praising it for producing harder-to-detect and reverse-engineer payloads.
A botnet, as explained by Cezarina, is a collection of infected computers or other internet-connected devices that interact with one another to carry out the same malicious acts, such as spam campaigns or distributed denial-of-service attacks. Online criminals can remotely manipulate the network to serve their own goals, allowing them to escape detection and legal prosecution by law enforcement agencies.
According to BleepingComputer, only six out of 62 AV engines on VirusTotal indicate BotenaGo as malicious, and a few of them identify it as Mirai.
BotenaGo M.O.
As reported by BleepingComputer the botnet incorporates 33 exploits that will be used for a spread of routers, modems, and NAS devices.
AT&T researchers investigated the new botnet and discovered that it targets many devices with features that exploit the holes mentioned above.
The BotenaGo malware starts by initializing global infection counters that will be printed to the screen, informing the hacker about total successful infections.(Figure 2)
It then looks for the ‘dlrs’ folder in which to load shell scripts files. A loaded script will be concatenated as ‘echo -ne %s >> ‘. If the ‘dlrs’ folder is missing, the malware will stop and exit at this point.
For the last and most important preparation, the malware calls the function ‘scannerInitExploits’, which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system.
The search query for Boa, a defunct open-source web server utilized in embedded applications that also yields roughly two million internet-facing devices on Shodan, is an example presented.
Another significant example is the targeting of CVE-2020-10173, a command-injection issue in Comtrend VR-3033 gateway devices, which remains exploitable in 250,000 devices.
When the virus is installed, it will listen on two ports (31412 and 19412) for an IP address to be supplied there.
Once one is received, the bot will plan to obtain access by exploiting every vulnerability thereon IP address. BotenaGo will use remote shell commands to enlist the device into the botnet once it’s gained access. The virus utilizes various URLs to get an identical payload counting on which device is targeted.
However, because there have been no payloads on the hosting server at the time of the analysis, none might be obtained for examination.
It’s interesting to notice the researchers didn’t find a lively C2 communication between BotenaGo and an actor-controlled server, and thus they thought of three potential explanations regarding the way during which the botnet operates:
- BotenaGo is merely one element (module) in a multi-stage modular malware assault, and it’s not responsible for communications.
- BotenaGo may be a new tool employed by Mirai operators on specific devices, which is supported by common payload dropping URLs.
- The virus isn’t able to use yet, and a sample from its early development phase was mistakenly released into the planet.
Thankfully, the new botnet was discovered early, and therefore the indications of compromise are already known. Nonetheless, as long as there is an outsized number of susceptible internet devices to focus on, threat actors will still create BotenaGo.
If you liked this article follow us on LinkedIn, Twitter, YouTube, Facebook, and Instagram to keep up to date with everything cybersecurity.