“BotenaGo” contains exploits for more than 30 vulnerabilities in multiple vendor products and is being used to spread Mirai botnet malware, security vendor says.
The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool or use it as is, in their own attack campaigns.
Researchers at AT&T Alien Labs first spotted the malware last November and named it “BotenaGo.” The malware is written in Go — a programming language that has become quite popular among malware authors. It comes packed with exploits for more than 30 different vulnerabilities in products from multiple vendors, including Linksys, D-Link, Netgear, and ZTE.
BotenaGo is designed to execute remote shell commands on systems where it has successfully exploited a vulnerability. An analysis that Alien Labs conducted last year when it first spotted the malware showed BotenaGo using two different methods to receive commands for targeting victims. One of them involved two backdoor ports for listening to and receiving the IP addresses of target devices, and the other involved setting a listener to system I/O user input and receiving target information through it.
Researchers at Alien Labs discovered that while the malware is designed to receive commands from a remote server, it does not have any active command-and-control communication. This led the security vendor to surmise at the time that BotenaGo was part of a broader malware suite and likely one of multiple tools in an infection chain. The security vendor also found that BotenaGo’s payload links were similar to the ones used by the operators of the infamous Mirai botnet malware. This led Alien Labs to theorize that BotenaGo was a new tool that the operators of Mirai are using to target specific machines that are known to them. Read more: https://bit.ly/3KRr8g8