Millions of IoT and routers with more than 30 exploits are targeted by BotenaGo Malware


Malware written in the Go language has been discovered that puts millions of NAS, routers, and Internet of Things (IoT) devices at risk. According to research by AT&T Cybersecurity, the malware carries 33 different exploits that it uses to attack routers and IoT devices. The cybercriminal group behind it has still not been identified.

“Golang (also known as Go) is an open-source programming language designed by Google and first published in 2007 that makes it easier for developers to build software. According to a recent Intezer post, the Go programming language has dramatically increased in its popularity among malware authors in the last few years. The site suggests there has been a 2,000% increase in malware code written in Go being found in the wild,” said researchers at AT&T Alien Labs.

One reason for its rising popularity is that the same source can be compiled for different operating systems and CPU architectures with little effort, which makes it easy for attackers to ship one piece of malware to many kinds of device.

BotenaGo creates a backdoor and waits to receive a target to attack, either from a remote operator over port 19412 or from another related module running on the same machine. Beyond that, the sample analyzed does little more than look for vulnerable systems against which to deliver its payload.

“In addition, Mirai uses an “XOR table” to hold its strings and other data, as well as to decrypt them when needed — this is not the case for the new malware using Go. For this reason, Alien Labs believes this threat is new, and we have named it BotenaGo,” said researchers at AT&T Alien Labs.

BotenaGo looks for a specific directory, attaches itself to scripts there, and terminates itself if the directory does not exist. To pick its exploits, the malware searches responses from targets for certain character strings, a kind of signature scan: a matching string identifies a vulnerable function on the device, and the malware then fires the exploit suited to it.

This malware has already been identified and indicators of compromise (IOCs) are available. Administrators are advised to follow the recommendations below.

Recommendations by AT&T Alien Labs

  • Maintain your software with the latest security updates.
  • Ensure minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
  • Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
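The last recommendation, and the two behaviours the article attributes to BotenaGo (a listener that receives targets over port 19412, and propagation by scanning for vulnerable devices), can be turned into a concrete check over connection logs. The program below is an added example, written for this page and not code from AT&T Alien Labs or from the malware; the flow-log format (`src dst dport`), the sample records, the hypothetical hosts and the scan threshold are all constructed assumptions. It parses the records, lists hosts that received a connection on port 19412, and flags any source that reached many distinct destinations on one port, the horizontal pattern an outbound port scan produces.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one connection record: source host, destination host, destination port.
type Flow struct {
	Src   string
	Dst   string
	Dport int
}

// OperatorPort is the port the report names for the BotenaGo backdoor listener.
const OperatorPort = 19412

// sampleFlows is a constructed flow log for this example, not real telemetry.
// Format (assumed): "src dst dport", one record per line, '#' starts a comment.
const sampleFlows = `10.0.0.5 203.0.113.9 443
198.51.100.7 10.0.0.5 19412
10.0.0.5 192.0.2.1 80
10.0.0.5 192.0.2.2 80
10.0.0.5 192.0.2.3 80
10.0.0.5 192.0.2.4 80
10.0.0.5 192.0.2.5 80
10.0.0.5 192.0.2.6 80
10.0.0.8 203.0.113.9 443
10.0.0.8 203.0.113.10 443
# blank lines and comments are ignored
`

// ParseFlows parses "src dst dport" lines, skipping blanks and comments,
// and rejects malformed records instead of silently dropping them.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", lineNo, len(f))
		}
		port, err := strconv.Atoi(f[2])
		if err != nil || port < 1 || port > 65535 {
			return nil, fmt.Errorf("line %d: bad port %q", lineNo, f[2])
		}
		flows = append(flows, Flow{Src: f[0], Dst: f[1], Dport: port})
	}
	return flows, sc.Err()
}

// OperatorContacts returns, sorted, every host that accepted a connection on
// OperatorPort: candidates for running the BotenaGo listener.
func OperatorContacts(flows []Flow) []string {
	seen := map[string]bool{}
	var hosts []string
	for _, f := range flows {
		if f.Dport == OperatorPort && !seen[f.Dst] {
			seen[f.Dst] = true
			hosts = append(hosts, f.Dst)
		}
	}
	sort.Strings(hosts)
	return hosts
}

// OutboundScanners maps each source that reached at least minTargets distinct
// destinations on the same port to the sorted list of ports it scanned.
func OutboundScanners(flows []Flow, minTargets int) map[string][]int {
	// src -> dport -> set of distinct destinations
	targets := map[string]map[int]map[string]bool{}
	for _, f := range flows {
		if targets[f.Src] == nil {
			targets[f.Src] = map[int]map[string]bool{}
		}
		if targets[f.Src][f.Dport] == nil {
			targets[f.Src][f.Dport] = map[string]bool{}
		}
		targets[f.Src][f.Dport][f.Dst] = true
	}
	result := map[string][]int{}
	for src, byPort := range targets {
		var ports []int
		for port, dsts := range byPort {
			if len(dsts) >= minTargets {
				ports = append(ports, port)
			}
		}
		if len(ports) > 0 {
			sort.Ints(ports)
			result[src] = ports
		}
	}
	return result
}

func main() {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		panic(err)
	}
	fmt.Println("hosts contacted on port", OperatorPort, ":", OperatorContacts(flows))
	for src, ports := range OutboundScanners(flows, 5) {
		fmt.Printf("%s reached 5+ distinct hosts on ports %v (possible outbound scan)\n", src, ports)
	}
}
```

On the constructed sample, 10.0.0.5 is reported twice: it accepted a connection on 19412 and it touched six different hosts on port 80, which is the combination of backdoor plus propagation the article describes. The threshold of five targets is an assumption for the example; in production it should be tuned per network segment, since a scanner, a monitoring system or a crawler legitimately produces the same fan-out.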
