A newly discovered Golang-based malware is using over 30 exploits in attacks, potentially putting millions of routers and Internet of Things (IoT) at risk of malware infection, according to a warning from AT&T Alien Labs.
Dubbed BotenaGo, the threat deploys a backdoor on the compromised device, and then waits for commands – either from a remote operator or a malicious module on the device – to initiate an attack.
As part of a typical BotenaGo attack, the malware first maps potential targets to attack functions, then queries the target with a GET request, after which it searches the returned data, and only then it attempts to exploit the vulnerable target.
On a compromised device, the malware creates two backdoor ports: 31412 and 19412, and starts listening on port 19412 to receive the victim’s IP. Next, it loops through mapped exploit functions to execute them with the supplied IP.
AT&T Alien Labs researchers have identified a total of 33 exploit functions that BotenaGo initiates.
One of malware’s functions was designed to exploit CVE-2020-8958, a vulnerability that potentially affects over 2 million Guangzhou devices. Another one targets CVE-2020-10173, a vulnerability in the Comtrend VR-3033 routers that potentially impacts roughly 250,000 devices.
The threat also targets vulnerabilities in devices from DrayTek (CVE-2020-8515), D-Link (CVE-2015-2051, CVE-2020-9377, CVE-2016-11021, and CVE-2013-5223), Netgear (CVE-2016-1555, CVE-2016-6277, CVE-2017-6077, and CVE-2017-6334), GPON (CVE-2018-10561 and CVE-2018-10562), Linksys (CVE-2013-3307), XiongMai (CVE-2018-10088), TOTOLINK (CVE-2019-19824), Tenda (CVE-2020-10987), ZyXEL (CVE-2020-9054 and CVE-2017-18368) and ZTE (CVE-2014-2321).
“As payload, BotenaGo will execute remote shell commands on devices in which the vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each with a different payload,” the researchers explain.
The malware doesn’t have active command and control (C&C) communication capabilities, suggesting that another module is likely being deployed on compromised devices alongside BotenaGo, or that the threat currently in testing or may have been been accidentally leaked.
“The links used for the payload on a successful attack imply a connection with Mirai malware. It could be [that] the BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets,” the researchers added.
Related: Crypto-Hijacking Campaign Leverages New Golang RAT
Related: Zoom Patches High-Risk Flaws in Meeting Connector, Keybase Client
Related: Researcher Shows Windows Flaw More Serious After Microsoft Releases Incomplete Patch
More from Ionut Arghire
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
