IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Millions of routers and NAS devices vulnerable to BotenaGo malware

The malware takes advantage of 33 different exploits to attack routers and IoT devices

Security researchers have discovered malware written in the Go language that puts millions of routers, NAS and Internet of things (IoT) devices at risk.

The malware takes advantage of 33 different exploits to attack routers and IoT devices, according to researchers at AT&T Cybersecurity.

Researchers do not currently know the identify of the cyber criminal group behind the malware. They added that, according to Intezer,  Go language among malware found in the wild has increased by 2,000% in recent years.

The malware, dubbed BotenaGo, creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine.

The detection rate is still poor at the time of publication - 28 of 61 scanners on VirusTotal detected the malware. Since the links to the payload were like those of the Mirai malware, some scanners recognize the malware as a variant of it.

However, researchers noted that the new malware only look for vulnerable systems to spread its payload.

“In addition, Mirai uses an “XOR table” to hold its strings and other data, as well as to decrypt them when needed — this is not the case for the new malware using Go. For this reason, Alien Labs believes this threat is new, and we have named it BotenaGo,” said researchers.

Related Resource

Multi-factor authentication deployment guide

A complete guide to selecting and deploying your MFA authentication guide

The whitepaper title on a strip of swirling blue and purple diagonal across the pageFree download

In operation, the malware looks for a specific directory to attach itself to scripts and terminates itself if the directory does not exist. If it continues, the malware then searches for vulnerable functions using certain character strings — a kind of signature scan. These strings can be version reports from servers, which BotenaGo can use to identify a vulnerable function and use a suitable exploit against it.

Researchers said as BotenaGo does not have any active communication to its C&C, it raises the question, how does it operate?

Researchers speculated the malware is part of a "malware suite" and BotenaGo is only one module of infection in an attack. “In this case, there should be another module either operating BotenaGo (by sending targets) or just updating the C&C with a new victim’s IP,” they said.

They added it may be a Mirai successor, with the operators targeting known IPs infected with Mirai. The third possibility would be it was an accidental leak from beta malware.

Researchers recommended anyone with affected devices install the latest security updates and ensure minimal exposure to the internet on Linux servers and IoT devices and use a properly configured firewall. Admins should also monitor network traffic, outbound port scans, and any unreasonable bandwidth usage.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022
What is phishing?
phishing

What is phishing?

29 Apr 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
How full-stack observability can accelerate IT innovation
Sponsored

How full-stack observability can accelerate IT innovation

3 May 2022