Cybersecurity researchers at AT&T Alien Labs uncovered a new malware variant targeting routers and IoT devices. Tracked as BotenaGo, the malware carries more than 30 exploit functions for known vulnerabilities, putting millions of routers and IoT devices at risk of infection. The researchers stated that BotenaGo can deploy malware payloads that are difficult to detect and reverse engineer. The threat actors behind the campaign are unknown; several antivirus engines classified the sample as a variant of the Mirai malware.
“The malware creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine. It is yet unclear which threat actor is behind the malware and the number of infected devices,” the researchers said.
Using Go Language
Researchers stated that BotenaGo is written in the Go programming language. Go, also known as Golang, is an open-source programming language designed by Google. It has become increasingly popular with malware authors in recent years.
“Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems,” the researchers added.
How the BotenaGo Exploit Chain Works
Once running, BotenaGo does not pick targets on its own: it waits for a target address, supplied either by a remote operator over port 19412 or by another module on the same host. It then sends a plain HTTP GET request to the target and searches the response for device signatures, each of which is mapped to one or more exploit functions. When a signature matches, the corresponding exploit is sent, typically to execute remote shell commands on the device and fetch the next-stage payload.
BotenaGo incorporates more than 30 exploit functions, selected according to the device fingerprint and the vulnerability type. The targeted vulnerabilities include:
- CVE-2020-9377, CVE-2015-2051, CVE-2016-11021 – D-Link routers
- CVE-2016-1555, CVE-2016-6277, CVE-2017-6077, CVE-2017-6334 – Netgear devices
- CVE-2020-8958 – Guangzhou 1GE ONU
- CVE-2017-18368, CVE-2020-9054 – Zyxel routers and NAS devices
- CVE-2020-10987 – Tenda products
- CVE-2019-19824 – Realtek SDK-based routers
- CVE-2014-2321 – ZTE modems
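The fingerprint-then-dispatch step described above (a GET request, a substring search of the response for product signatures, and a lookup from signature to exploit functions) is the core of BotenaGo's targeting logic. The Go program below is an added example written for this page, not code from AT&T Alien Labs or from the malware itself. It implements the same matching pattern defensively: it maps constructed product signatures to the CVE identifiers listed above and reports which of those CVEs a device with a given banner should be checked against. The signature strings, the `Fingerprint` and `MatchBanner` functions, and the embedded test server are all assumptions for illustration; BotenaGo's real signature table and exploit payloads are not reproduced.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ProductSignature pairs a substring expected in a device's HTTP response
// with the CVEs from the list above that apply to that product family.
// The Needle values are CONSTRUCTED for this example (hypothetical), not
// BotenaGo's actual signatures.
type ProductSignature struct {
	Product string
	Needle  string   // matched case-insensitively against headers and body
	CVEs    []string // vulnerabilities to verify patches for on a match
}

var signatures = []ProductSignature{
	{"D-Link router", "d-link", []string{"CVE-2020-9377", "CVE-2015-2051", "CVE-2016-11021"}},
	{"Netgear device", "netgear", []string{"CVE-2016-1555", "CVE-2016-6277", "CVE-2017-6077", "CVE-2017-6334"}},
	{"Zyxel router/NAS", "zyxel", []string{"CVE-2017-18368", "CVE-2020-9054"}},
	{"Tenda product", "tenda", []string{"CVE-2020-10987"}},
	{"ZTE modem", "zte", []string{"CVE-2014-2321"}},
}

// MatchBanner returns, in table order, the CVEs of every product signature
// whose needle occurs in banner. An empty result means no known family matched.
func MatchBanner(banner string) []string {
	lower := strings.ToLower(banner)
	var cves []string
	for _, sig := range signatures {
		if strings.Contains(lower, sig.Needle) {
			cves = append(cves, sig.CVEs...)
		}
	}
	return cves
}

// Fingerprint sends a single GET to baseURL, flattens the status line,
// headers and (bounded) body into one banner string, and matches it.
// A short timeout and a 64 KiB body cap keep a hostile or slow device from
// stalling a scan of many addresses.
func Fingerprint(baseURL string) ([]string, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(baseURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var sb strings.Builder
	sb.WriteString(resp.Status)
	for name, values := range resp.Header {
		sb.WriteString("\n" + name + ": " + strings.Join(values, ", "))
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64*1024))
	if err != nil {
		return nil, err
	}
	sb.WriteString("\n")
	sb.Write(body)
	return MatchBanner(sb.String()), nil
}

func main() {
	// Constructed stand-in for a device that answers with a vendor realm
	// in its auth challenge; real devices vary in where the name appears.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("WWW-Authenticate", `Basic realm="NETGEAR R7000"`)
		w.WriteHeader(http.StatusUnauthorized)
		io.WriteString(w, "<html><body>401 Unauthorized</body></html>")
	}))
	defer srv.Close()

	cves, err := Fingerprint(srv.URL)
	if err != nil {
		fmt.Println("fingerprint failed:", err)
		return
	}
	fmt.Println("check these CVEs on this device:", cves)
}
```

Run against your own address space, the same loop a botnet uses to pick exploit functions tells you which devices on the page's vulnerability list are reachable and what firmware advisories to verify against them. A device that matches nothing is not necessarily safe; it only means its banner does not carry one of the constructed needles.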
Cybercriminals continue to create new malware and new ways of deploying it against unwitting users. For the devices listed above, the practical mitigations are the usual ones: apply the vendor firmware updates that fix these CVEs, keep device administration interfaces off the internet, and watch for unexpected listeners such as the port 19412 backdoor described by the researchers.