BotenaGo botnet malware targeting millions of IoT devices

The malware is currently targeting Linux-embedded routers and IoT devices through botnets.

The malware is currently targeting Linux-embedded routers and IoT devices through botnets.

The IT security researchers at AT&T Alien Labs have tracked down malware utilizing over 30 different exploits to compromise routers and Internet of Things (IoT) devices.

According to their analysis, the malware is an early beta version linked with the infamous Mirai botnet. They opined that this malware is difficult to detect and can exploit millions of internet-connected devices.

BotenaGo’ Open-Source Malware Targeting Routers, IoT Devices
Shodan search result for potential targets for specific functions (Image: AT&T Alien Labs)

Why is it called BotenaGo?

AlienLabs’ security researchers named the malware BotenaGo because it is written in the Go (Google’s Golang) open-source programming language. It targets Linux-embedded routers and IoT devices through botnets.

Researchers mentioned that, as per Intezer’s analysis, there had been a 2,000% rise in the use of the Go programming language for creating malware in recent years. According to AlienLabs’ security researcher Ofer Caspi, the malware creates a backdoor and then waits until it receives a target from a remote operator to attack.

How Does it Attack?

When the malware receives a command from a remote operator, usually through ports 19412 and 31412, it executes remote shell commands/instructions. These commands are executed on devices where the malware has already exploited a vulnerability. It then uses various links, each having a different payload, after analyzing the infected system.

BotenaGo’ Open-Source Malware Targeting Routers, IoT Devices

Researchers couldn’t identify the threat actors who developed BotenaGo or the scale of devices vulnerable to this malware. However, they noticed that antivirus protections don’t recognize this malware and usually misidentify it as a Mirai malware variant.

What Makes BotenaGo Different?

This malware is different because it doesn’t actively communicate with a C2 server, which researchers found surprising because most malware has a link. They believe that BotenaGo could be part of a more extensive suite and one of the various infection modules of an extensive attack. Or else it could still be in its beta phase or linked with the Mirai malware family. 

In their report published on Thursday, researchers noted that malware developers are continually identifying new techniques to upgrade their capabilities.

“In this case, new malware written in Golang can run as a botnet on different OS platforms with small modifications,” they noted.

How to Stay Protected

Researchers suggest regular software updates to mitigate the threat, reducing exposure to Linux servers, IoT devices, and the internet, closely monitoring network traffic, and using a properly configured firewall.

Also, remember to change the default login credentials of your IoT devices. Last but not the least, timely patching of internet-connected devices is essential to avoid becoming a victim of BotenaGo or other IoT botnets.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts