Malware could attack millions of IoT devices

  • November 17, 2021
  • Steve Rogerson

Malware written in the open-source programming language Golang could attack millions of routers and IoT devices, according to researchers at AT&T’s Alien Labs.

Named BotenaGo, the malware has more than 30 different exploit functions to attack a target. It creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine.

AT&T says it is not yet clear which threat actor is behind the malware, or how many devices have been infected.

Golang, also known as Go, is an open-source programming language designed by Google and first published in 2007 to make it easier for developers to build software. According to a recent Intezer post, the Go programming language has dramatically increased in its popularity among malware authors in the past few years. The site suggests there has been a 2000% increase in malware code written in Go being found in the wild.

Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems.

BotenaGo currently has a low antivirus (AV) detection rate, with only 6 of 62 AV engines on VirusTotal flagging it, said AT&T Alien Labs security researcher Ofer Caspi in a blog post last week.

Some AVs classify these new Go-based malware variants as Mirai malware, and the payload links do look similar. However, there are differences between Mirai and the new Go variants, including the language in which they are written and their architectures. Mirai is a botnet that initiates its communication with its command and control (C&C) server, and it also has DDoS functionality that the new variants lack.

The malware strains Alien Labs discovered do not have the same attack functions as Mirai; the new strains only look for vulnerable systems on which to spread the payload. In addition, Mirai uses an XOR table to hold its strings and other data and to decrypt them when needed; this is not the case for the new Go malware. For these reasons, Alien Labs believes this threat is new, and has named it BotenaGo.

The BotenaGo malware starts by initialising global infection counters that are printed to the screen, informing the operator of the total number of successful infections. It then looks for the dlrs folder from which to load shell script files. If the dlrs folder is missing, the malware stops and exits at this point.

For the last and most important preparation step, the malware calls a function that sets up its attack surface by mapping each offensive function to a string that represents the system it targets. That string acts as a signature for a potential target.

To deliver its exploit, the malware first queries the target with a simple GET request. It then searches the data returned by that request for each of the system signatures mapped to attack functions.

A search on Shodan returns approximately 250,000 potential devices that could be attacked by this function. In total, the malware initialises 33 exploit functions that are ready to infect potential victims.

As its payload, BotenaGo executes remote shell commands on devices where the vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each carrying a different payload. At the time of analysis, all the payloads had been removed from the hosting servers by the attackers, so Alien Labs could not analyse any of them.

BotenaGo has no active communication with a C&C server, which raises the question of how it is operated. Alien Labs has a few theories on how the malware is controlled and how it receives targets to attack.

Alien Labs recommends that companies keep their software up to date with the latest security updates, minimise the internet exposure of Linux servers and IoT devices, and use a properly configured firewall. Users should also monitor network traffic for outbound port scans and unreasonable bandwidth usage.
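As an added detection example, not code from the article or from Alien Labs, the following Python script applies that monitoring advice to constructed connection logs: it flags any host that opens a listener on port 19412, the backdoor port described above, and any host whose outbound web flows fan out to an unusually large number of distinct destinations, the footprint of probing candidate devices with GET requests. The log format, the web port list and the fan-out threshold are assumptions for the example.

```python
"""Flag BotenaGo-style behaviour in simple connection logs.
Log format (constructed for this example, not any real tool's output):
    <src_ip> <dst_ip> <dst_port> <direction> <bytes>
direction is 'out' for an outbound flow, or 'listen' for a newly bound
listening socket (dst_ip is then '-' and dst_port is the bound port)."""
from collections import defaultdict

BACKDOOR_PORT = 19412              # backdoor port named in the Alien Labs report
SCAN_FANOUT_THRESHOLD = 20         # assumption: distinct web targets per host
WEB_PORTS = {80, 443, 8080, 8443}  # assumption: ports the GET probes would hit

def build_sample_log():
    """Constructed log: 10.0.0.5 exposes 19412 and sweeps 25 web servers;
    10.0.0.7 behaves like a normal client with a few large flows."""
    lines = ["10.0.0.5 - 19412 listen 0"]
    lines += [f"10.0.0.5 203.0.113.{i} 80 out 180" for i in range(1, 26)]
    lines += ["10.0.0.7 198.51.100.10 443 out 52000",
              "10.0.0.7 198.51.100.11 443 out 83000"]
    return "\n".join(lines)

def parse_log(text):
    """Return (src, dst, port, direction, bytes) tuples, skipping bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[2].isdigit() or not parts[4].isdigit():
            continue
        src, dst, port, direction, nbytes = parts
        records.append((src, dst, int(port), direction, int(nbytes)))
    return records

def find_backdoor_listeners(records, port=BACKDOOR_PORT):
    """Hosts that opened a listening socket on the backdoor port."""
    return sorted({src for src, _, p, d, _ in records
                   if d == "listen" and p == port})

def find_outbound_scanners(records, threshold=SCAN_FANOUT_THRESHOLD):
    """Hosts whose outbound web flows fan out to many distinct targets,
    the footprint of probing candidate devices with a GET request."""
    targets = defaultdict(set)
    for src, dst, p, d, _ in records:
        if d == "out" and p in WEB_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("backdoor listeners:", find_backdoor_listeners(recs))
    print("outbound scanners:", find_outbound_scanners(recs))
```

On real data the same two checks can be fed from firewall or NetFlow exports by adapting parse_log to the export's column layout.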

“Malware authors continue to create new techniques for writing malware and upgrading its capabilities,” said Caspi. “In this case, new malware written in Golang – which Alien Labs has named BotenaGo – can run as a botnet on different OS platforms with small modifications.”