Executive summary
In November 2021, AT&T Alien Labs™ first published research on our discovery of new malware written in the open-source programming language Golang. The team named this malware “BotenaGo.” (Read previous article here.) In this article, Alien Labs is updating that research with new information.
Recently BotenaGo source code was uploaded to GitHub, potentially leading to a significant rise of new malware variants as malware authors will be able to use the source code and adapt it to their objectives. Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally. As of the publishing of this article, antivirus (AV) vendor detection for BotenaGo and its variants remains behind with very low detection coverage from most of AV vendors.
Key takeaways:
- BotenaGo malware source code is now available to any malicious hacker or malware developer.
- New BotenaGo samples were found with very low AV detection (3/60 engines).
- With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code.
Background
In September 2016, source code of one of the most popular botnets named Mirai was leaked and uploaded to one of the hacking community forums, and later uploaded to GitHub with detailed information on the botnet, its infrastructure, configuration and how to build it.
Since the release of that information, the popularity of Mirai has increased dramatically. Multiple malware variants such as Moobot, Satori, Masuta, and others use the source code of Mirai. They then add unique functionality, which has resulted in these multiple variants causing millions of infections. The Mirai botnet targets mostly routers and IoT devices, and it supports different architectures including Linux x64, different ARM versions, MIPS, PowerPC, and more. Since the Mirai botnet can be now modified and compiled by different adversaries, many new variants have become available over time featuring new capabilities and new exploits.
In our November 2021 research article, Alien Labs first described its findings about the new BotenaGo malware along with technical details. We used online tools such as Shodan to show the potential damage the BotenaGo malware could cause, and its potential for putting millions of IoT devices at risk.
Alien Labs recently discovered that the source code of BotenaGo malware was uploaded to GitHub on October 16th 2021, allowing any malicious hacker to use, modify, and upgrade it — or even simply compile it as is and use the source code as an exploit kit, with the potential to leverage all BotenaGo’s exploits to attack vulnerable devices. The original source of the code is yet unknown. In the same repository, we have found additional hacking tools collected from several different sources.
Source code analysis
The malware source code, containing a total of only 2,891 lines of code (including empty lines and comments), is simple yet efficient. It includes everything needed for a malware attack, including but not limited to:
- Reverse shell and telnet loader, which are used to create a backdoor to receive commands from its operator
- Automatic set up of the malware’s 33 exploits, giving the hacker a “ready state” to attack a vulnerable target and infect it with an appropriate payload based on target type or operating system
The top of the source code on GitHub shows a comment with the list of current exploits for “supported” vendors and software, as shown in Figure 1.
Figure 1 shows BotenaGo’s available exploits for multiple vendors.
As described in our previous blog, the malware initiates a total of 33 exploit functions targeting different routers and IoT devices by calling the function "scannerInitExploits” (see figure 2).
Figure 2 shows the initialization of 33 exploits.
Each exploit function contains the exploit configuration (such as a specific “GET” request) and specific payload for the targeted system (see figure 3). Some exploits are a chain of commands, such as multiple “GET” requests (see figures 4 and 5).
Figure 3 shows the specific payload for different targets.
Figure 4 shows the implementation of CVE-2020-10987.
Figure 5 shows the implementation of CVE-2020-10173
The code contains additional configuration for a remote server, including available payloads and a path to folders that contains additional script files to execute on infected devices (see figure 6).
Figure 6 shows an example of additional configuration.
On top of all that, the main function calls together all of the necessary pieces: setting up a backdoor, loading additional payload scripts, initializing exploit functions, and waiting for commands (see figure 7). It is simple and clean malware creation in just 2,891 lines of code.
Figure 7 shows BotenaGo’s main function.
Additional updates
Since our first article on BotenaGo, the samples have continued to be used to exploit routers and IoT devices, spreading Mirai botnet malware. Even more worrisome, the samples continue to have a very low AV detection rate, as shown below in VirusTotal (figure 8).
Figure 8 shows the low level of antivirus detections for BotenaGo’s new variants.
One of the variants is configured to use a new Command and Control (C&C) server (see figure 9).
It’s worth noting that the IP address for one of BotenaGo’s payload storage servers is included in the list of indicators of compromise (IOC) for detecting exploitation of the Apache Log4j security vulnerabilities. Read the Alien Labs Report on Log4Shell.
Figure 9 shows a command to configure a C&C server for a BotenaGo variant.
Recommended actions
- Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
- Install security and firmware upgrades from vendors, as soon as possible.
- Check your system for unnecessary open ports and suspicious processes.
Conclusion
Today, BotenaGo variants serve as a standalone exploit kit and as a spreading tool for other malware. Now with its source code available to any malicious hacker, new malicious activity can be added easily to the malware. Alien Labs sees the potential for a significant increase in these malware variants, giving rise to potentially new malware families that could put millions of routers and IoT devices at risk of attack.
Detection methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.
SURICATA IDS SIGNATURES |
4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051) |
4000456: AV EXPLOIT Netgear Device RCE (CVE-2016-1555) |
4000898: AV EXPLOIT Netgear DGN2200 ping.cgi - Possible Command Injection ( CVE-2017-6077 ) |
2027093: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077) |
2027881: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277) |
2027882: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277) |
2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561) |
2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) |
2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561) |
2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) |
2831296: ETPRO EXPLOIT XiongMai uc-httpd RCE (CVE-2018-10088) |
4001914: AV EXPLOIT DrayTek Unauthenticated root RCE (CVE-2020-8515) |
2029804: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1 |
2029805: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1 |
2029806: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2 |
2029807: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2 |
4002119: AV EXPLOIT Comtrend Router ping.cgi RCE (CVE-2020-10173) |
2030502: ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173) |
4001814: AV EXPLOIT TOTOLINK Router PostAuth RCE (CVE-2019-19824) |
2029616: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1 |
2029617: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2 |
4001142: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v1 |
4001143: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v2 |
2032077: ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321) |
4000897: AV EXPLOIT Netgear DGN2200 dnslookup.cgi Lookup - Possible Command Injection (CVE-2017-6334) |
2027094: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334) |
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in an Alien Labs Open Threat Exchange™ (OTX™) pulse. You can access the OTX pulse here. If you are not an OTX member, it is free to join our global, open-source threat intelligence community of more than 200,000.
TYPE |
INDICATOR |
DESCRIPTION |
IP ADDRESS |
[86].110.32.167:80 |
BotenaGo C&C |
IP ADDRESS |
[179].43.187.197 |
Malware payload server |
IP ADDRESS |
[2].56.56.78 |
Malware payload server |
IP ADDRESS |
[209].141.59.56 |
Malware payload server |
SHA1 |
cca00b32d610becf3c5ae9e99ce86a320d5dac87
|
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
- TA0008: Lateral Movement
- T1210: Exploitation of Remote Services
- T1570: Lateral Tool Transfer
- TA0011: Command and Control
- T1571: Non-Standard port
*Current as of the publishing of this article.
Article Link: BotenaGo strikes again - malware source code uploaded to GitHub | AT&T Alien Labs