AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits

November 11, 2021 | Ofer Caspi

Executive summary

AT&T Alien Labs™  has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.

Key Takeaways:

  • BotenaGo has more than 30 different exploit functions to attack a target.
  • The malware creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine.
  • It is yet unclear which threat actor is behind the malware and number of infected devices.

Background

Golang (also known as Go) is an open-source programming language designed by Google and first published in 2007 that makes it easier for developers to build software.

According to a recent Intezer post, the Go programming language has dramatically increased in its popularity among malware authors in the last few years. The site suggests there has been a 2,000% increase in malware code written in Go being found in the wild.

Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems.

As of the publishing of this article, BotenaGo currently has low antivirus (AV) detection rate with only 6/62 known AVs seen in VirusTotal: (Figure 1)

 Botenago in VT

Figure 1. VirusTotal scanning results of BotenaGo malware

Some AVs detect these new malware variants using Go as Mirai malware — the payload links do look similar. However, there is a difference between the Mirai malware and the new malware variants using Go, including differences in the language in which it is  written and the malware architectures. Mirai is a botnet that initiates its communication with its command and control (C&C). It also has different DDoS functionality. The new malware strains Alien Labs has discovered do not have the same attack functions as Mirai malware, and the new strains only look for vulnerable systems to spread its payload. In addition, Mirai uses a “XOR table” to hold its strings and other data, as well as to decrypt them when needed — this is not the case for the new malware using Go. For this reason, Alien Labs believes this threat is new, and we have named it BotenaGo.

Analysis

The BotenaGo malware starts by initializing global infection counters that will be printed to the screen, informing the hacker about total successful infections.(Figure 2)

BotenaGo analysis

Figure 2. BotenaGo execution output

It then looks for the 'dlrs' folder in which to load shell scripts files. A loaded script will be concatenated as 'echo -ne %s >> '. If the 'dlrs' folder is missing, the malware will stop and exit at this point.

For the last and most important preparation, the malware calls the function 'scannerInitExploits', which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system.

The malware maps each function with a string that represents a potential targeted system — such as a signature, which we’ll explain later in this blog (see figure 3)

Mapping attack functions

Figure 3. Mapping attack functions to relevant vulnerable systems

Exploit delivery

To deliver its exploit, the malware first queries the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions (as seen in figure 3).

BotenaGo mapping

Figure 4. Example 1: Mapping function to the relevant system string signature

The string “Server: Boa/0.93.15” is mapped to the function “main_infectFunctionGponFiber,” (see figure 4) which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958 as shown in figure 5).

BotenaGo function

Figure 5. Example 1: main_infectFunctionGponFiber function, exploits CVE-2020-8958

If we search the string "Server: Boa/0.93.15" in SHODAN, results show almost 2 million potential targets to this attack (see figure 6). Boa is a discontinued, open-source and small-footprint web server which is mostly suitable for embedded applications.

BotenaGo Shodan

Figure 6. Example 1: Shodan search result for potential targets for specific function

 Let's look on another example of a signature mapped to an attack function. We searched the string "Basic realm=\"Broadband Router\"" which is mapped to the function “m_infectFunctionComtrend” (see figure 7).

map string

Figure 7. Example 2: mapping function to the relevant system string signature

A search on Shodan returns approximately 250,000 potential devices that could be attacked by this function ( see figure 8). 

BotenaGo in Shodan

Figure 8. Example 2: Shodan search result for string

 The function exploiting the vulnerability CVE-2020-10173 is shown in figure 9. In total, the malware initiates 33 exploit functions that are ready to infect potential victims.

BotenaGo exploit 

Figure 9. Example 2: Function exploiting vulnerability CVE-2020-10173

Receiving directions from Command & Control

The malware can receive commands to target victims in two different ways:

  1. It creates two backdoor ports: 31412 and 19412. On port 19412 it will listen to receive the victim IP. Once a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP (see figure 10).

BotenaGo CC

Figure 10. BotenaGo backdoor ports

       2. The malware sets a listener to system IO (terminal) user input and can receive a target through it.

For example, if the malware is running locally on a virtual machine, a command can be sent through telnet. The target in figure 11 is a fake web server Alien Labs set up locally.

Sending BotenaGo

Figure 11. Sending the malware a target to attack

Using this information, we can see the results of some of the attacks with Wireshark (see figures 12 and 13).

BotenaGo in Wireshark

Figure 12. Malware communication as seen in Wireshark

Communication in Wireshark

Figure 13. Malware communication as seen in Wireshark

The new BotenaGo malware exploits more than 30 vulnerabilities. Below, Alien Labs has listed some of the CVE numbers of vulnerabilities that can be exploited. In addition, some of the vulnerabilities have been disclosed without CVE.

Vulnerability

 Affected devices

CVE-2020-8515

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices

CVE-2015-2051

D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier

CVE-2016-1555

Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0

CVE-2017-6077

NETGEAR DGN2200 devices with firmware through 10.0.0.50

CVE-2016-6277

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000

CVE-2018-10561, CVE-2018-10562

GPON home routers

CVE-2013-3307

Linksys X3000 1.0.03 build 001

CVE-2020-9377

D-Link DIR-610

CVE-2016-11021

D-Link DCS-930L devices before 2.12

CVE-2018-10088

XiongMai uc-httpd 1.0.0

CVE-2020-10173

Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m

CVE-2013-5223

D-Link DSL-2760U Gateway

CVE-2020-8958

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024

CVE-2019-19824

TOTOLINK Realtek SDK based routers, this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.

CVE-2020-10987

Tenda AC15 AC1900 version 15.03.05.19

CVE-2020-9054

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2, Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2

CVE-2017-18368

ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline

CVE-2014-2321

ZTE F460 and F660 cable modems

CVE-2017-6334

 NETGEAR DGN2200 devices with firmware through 10.0.0.50

The payload

As payload, BotenaGo will execute remote shell commands on devices in which the vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each with a different payload.  At time of analysis, all the payloads had been removed from the hosted servers by the attacker(s), and so Alien Labs could not analyze any of them.

BotenaGo does not have any active communication to its C&C, which raises the question: how does it operate? Alien Labs has a few theories on how the malware is being operated and receives a target to attack (the attacker could be using one or a mix of the actions below):

  1. The malware is part of a "malware suite" and BotenaGo is only one module of infection in an attack. In this case, there should be another module either operating BotenaGo (by sending targets) or just updating the C&C with a new victim’s IP.
  2. The links used for the  payload on a successful attack imply a connection with Mirai malware. It could be the BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets.
  3. This malware is still in beta phase and has been accidently leaked.

Recommended actions

  1. Maintain your software with the latest security updates.
  2. Ensure minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
  3. Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.

Conclusion

Malware authors continue to create new techniques for writing malware and upgrading its capabilities. In this case, new malware writing in Golang (which Alien Labs has named BotenaGo) can run as a botnet on different OS platforms with small modifications.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)

4000456: AV EXPLOIT Netgear Device RCE (CVE-2016-1555)

4000898: AV EXPLOIT Netgear DGN2200 ping.cgi - Possible Command Injection ( CVE-2017-6077 )

2027093: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)

2027881: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)

2027882: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)

2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)

2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)

2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)

2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)

2831296: ETPRO EXPLOIT XiongMai uc-httpd RCE (CVE-2018-10088)

4001914: AV EXPLOIT DrayTek Unauthenticated root RCE (CVE-2020-8515)

2029804: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1

2029805: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1

2029806: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2

2029807: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2

4002119: AV EXPLOIT Comtrend Router ping.cgi RCE (CVE-2020-10173)

2030502: ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)

4001814: AV EXPLOIT TOTOLINK Router PostAuth RCE (CVE-2019-19824)

2029616: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1

2029617: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2

4001142: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v1

4001143: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v2

2032077: ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)

4000897: AV EXPLOIT Netgear DGN2200 dnslookup.cgi Lookup - Possible Command Injection (CVE-2017-6334)

2027094: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE

INDICATOR

DESCRIPTION

SHA256

0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad

BotenaGo malware hash

URL

http://107[.]172.30.215/shell/wget.sh

Malware payload download link

URL

http://rippr[.]cc/u

 

Malware payload download link

URL

http://107[.]172.30.215/b

Malware payload download link

URL

http://37[.]0.11.220/g+-O-

Malware payload download link

URL

http://107[.]172.30.215/l

Malware payload download link

URL

http://107[.]172.30.215/a/wget.sh

Malware payload download link

URL

http://107[.]172.30.215/multi/wget.sh

Malware payload download link

URL

http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.mips

Malware payload download link

URL

http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.arm7

Malware payload download link

URL

http://37[.]0.11.220/a/wget.sh

Malware payload download link

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0008: Lateral Movement
    • T1210: Exploitation of Remote Services
    • T1570: Lateral Tool Transfer
  • TA0011: Command and Control
    • T1571: Non-Standard port
Ofer Caspi

About the Author: Ofer Caspi

Ofer is a Security Researcher at Alien Labs, part of the AT&T Cybersecurity. He can be found on LinkedIn and Twitter (@ShablolForce)

Read more posts from Ofer Caspi ›

‹ BACK TO ALL BLOGS

Get price Free trial