Threat Actors Using Go-based HinataBot to launch DDoS Attacks

Threat Actors Using Go-based HinataBot to launch DDoS Attacks

HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS.

The botnet is based on the Mirai botnet, and since it is actively updated, the new versions have additional features like functional improvements and anti-analysis.

Akamai’s Security Intelligence Response Team (SIRT) cybersecurity researchers have discovered a brand-new botnet, dubbed HinataBot. This botnet can launch DDoS attacks of up to several terabytes in volume. Its distribution started earlier in 2023 and is still ongoing.

New Botnet can Launch DDoS Attacks of 3.3 TBPS

Akamai’s research report read that HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. It is a Go-based botnet named after a character from the famous anime series, Naruto. While researching, Akamai’s honeypots detected this botnet as it tried to exploit old vulnerabilities, including CVE-2017-17215 and CVE-2014-8361.

The flaws impact Realtek SDS, Hadoop Yarn servers, and Huawei routers. To exploit these flaws, attackers use brute force, RCE payloads, and infection scripts. HinataBot evidence was found in Akamai’s SSH and HTTP honeypots, but researchers believe malware authors are actively updating it.

What Makes Hinata Different?

The researchers imitated the attackers’ C2 server with a range of reverse engineering techniques and simulated attacks to get a deeper understanding of the malware functionalities and its unique attributes. They learned that previously DDoS flooding attacks were launched over multiple protocols.

But, the recently discovered HinataBot uses only HTTP and UDP flooding techniques. Attackers exploit the miniigd SOAP service on Realtek SDK with CVE-2014-8361, exposed Hadoop YARN servers with an unspecified flaw, and Huawei HG532 routers with CVE-2017-17215.

Attack Volume

Akami noted that HinataBot’s DDoS attack’s packet size for HTTP reached 484 to 589 bytes whereas, for UDP packets, the size was considerably large at 65,549 bytes. It may seem low but could cause sufficient digital destruction for the targets.

Akamai, however, noted that the malware could generate over 20,000 requests and reach 3.4 MB whereas, with a thousand nodes, the attack data volume may reach 3.3 TBPS.

Threat Actors Distributing Mirai Binaries

Further probe revealed that the threat actors operating HinataBot distributed Mirai binaries. There are several nods to the open-source, Go-based botnet.

“HinataBot is the newest in the ever-growing list of emerging Go-based threats that includes botnets such as GoBruteForcer and the recently discovered (by SIRT) kmsdbot,” Akamai researchers noted.

The malware is based on the Mirai botnet, and since it is actively updated, the new versions have additional features like functional improvements and anti-analysis. Its previous versions supported UDP, HTTP, TCP, and ICMP floods, but the new version only supports UDP and HTTP.

  1. Akamai Mitigated Record-Breaking DDoS Attack
  2. RapperBot hits gaming servers with DDoS attacks
  3. Tor Network Hit By a Series of Ongoing DDoS Attacks
Related Posts