Executive summary
AT&T Alien Labs™ has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.
Key Takeaways:
- BotenaGo has more than 30 different exploit functions to attack a target.
- The malware creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine.
- It is yet unclear which threat actor is behind the malware and number of infected devices.
Background
Golang (also known as Go) is an open-source programming language designed by Google and first published in 2007 that makes it easier for developers to build software.
According to a recent Intezer post, the Go programming language has dramatically increased in its popularity among malware authors in the last few years. The site suggests there has been a 2,000% increase in malware code written in Go being found in the wild.
Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems.
As of the publishing of this article, BotenaGo currently has low antivirus (AV) detection rate with only 6/62 known AVs seen in VirusTotal: (Figure 1)
Figure 1. VirusTotal scanning results of BotenaGo malware
Some AVs detect these new malware variants using Go as Mirai malware — the payload links do look similar. However, there is a difference between the Mirai malware and the new malware variants using Go, including differences in the language in which it is written and the malware architectures. Mirai is a botnet that initiates its communication with its command and control (C&C). It also has different DDoS functionality. The new malware strains Alien Labs has discovered do not have the same attack functions as Mirai malware, and the new strains only look for vulnerable systems to spread its payload. In addition, Mirai uses a “XOR table” to hold its strings and other data, as well as to decrypt them when needed — this is not the case for the new malware using Go. For this reason, Alien Labs believes this threat is new, and we have named it BotenaGo.
Analysis
The BotenaGo malware starts by initializing global infection counters that will be printed to the screen, informing the hacker about total successful infections.(Figure 2)
Figure 2. BotenaGo execution output
It then looks for the 'dlrs' folder in which to load shell scripts files. A loaded script will be concatenated as 'echo -ne %s >> '. If the 'dlrs' folder is missing, the malware will stop and exit at this point.
For the last and most important preparation, the malware calls the function 'scannerInitExploits', which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system.
The malware maps each function with a string that represents a potential targeted system — such as a signature, which we’ll explain later in this blog (see figure 3)
Figure 3. Mapping attack functions to relevant vulnerable systems
Exploit delivery
To deliver its exploit, the malware first queries the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions (as seen in figure 3).
Figure 4. Example 1: Mapping function to the relevant system string signature
The string “Server: Boa/0.93.15” is mapped to the function “main_infectFunctionGponFiber,” (see figure 4) which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958 as shown in figure 5).
Figure 5. Example 1: main_infectFunctionGponFiber function, exploits CVE-2020-8958
If we search the string "Server: Boa/0.93.15" in SHODAN, results show almost 2 million potential targets to this attack (see figure 6). Boa is a discontinued, open-source and small-footprint web server which is mostly suitable for embedded applications.
Figure 6. Example 1: Shodan search result for potential targets for specific function
Let's look on another example of a signature mapped to an attack function. We searched the string "Basic realm=\"Broadband Router\"" which is mapped to the function “m_infectFunctionComtrend” (see figure 7).
Figure 7. Example 2: mapping function to the relevant system string signature
A search on Shodan returns approximately 250,000 potential devices that could be attacked by this function ( see figure 8).
Figure 8. Example 2: Shodan search result for string
The function exploiting the vulnerability CVE-2020-10173 is shown in figure 9. In total, the malware initiates 33 exploit functions that are ready to infect potential victims.
Figure 9. Example 2: Function exploiting vulnerability CVE-2020-10173
Receiving directions from Command & Control
The malware can receive commands to target victims in two different ways:
- It creates two backdoor ports: 31412 and 19412. On port 19412 it will listen to receive the victim IP. Once a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP (see figure 10).
Figure 10. BotenaGo backdoor ports
2. The malware sets a listener to system IO (terminal) user input and can receive a target through it.
For example, if the malware is running locally on a virtual machine, a command can be sent through telnet. The target in figure 11 is a fake web server Alien Labs set up locally.
Figure 11. Sending the malware a target to attack
Using this information, we can see the results of some of the attacks with Wireshark (see figures 12 and 13).
Figure 12. Malware communication as seen in Wireshark
Figure 13. Malware communication as seen in Wireshark
The new BotenaGo malware exploits more than 30 vulnerabilities. Below, Alien Labs has listed some of the CVE numbers of vulnerabilities that can be exploited. In addition, some of the vulnerabilities have been disclosed without CVE.
|
Vulnerability |
Affected devices |
|
CVE-2020-8515 |
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices |
|
CVE-2015-2051 |
D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier |
|
CVE-2016-1555 |
Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 |
|
CVE-2017-6077 |
NETGEAR DGN2200 devices with firmware through 10.0.0.50 |
|
CVE-2016-6277 |
NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000 |
|
CVE-2018-10561, CVE-2018-10562 |
GPON home routers |
|
CVE-2013-3307 |
Linksys X3000 1.0.03 build 001 |
|
CVE-2020-9377 |
D-Link DIR-610 |
|
CVE-2016-11021 |
D-Link DCS-930L devices before 2.12 |
|
CVE-2018-10088 |
XiongMai uc-httpd 1.0.0 |
|
CVE-2020-10173 |
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m |
|
CVE-2013-5223 |
D-Link DSL-2760U Gateway |
|
CVE-2020-8958 |
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 |
|
CVE-2019-19824 |
TOTOLINK Realtek SDK based routers, this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0. |
|
CVE-2020-10987 |
Tenda AC15 AC1900 version 15.03.05.19 |
|
CVE-2020-9054 |
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2, Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 |
|
CVE-2017-18368 |
ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline |
|
CVE-2014-2321 |
ZTE F460 and F660 cable modems |
|
CVE-2017-6334 |
NETGEAR DGN2200 devices with firmware through 10.0.0.50 |
The payload
As payload, BotenaGo will execute remote shell commands on devices in which the vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each with a different payload. At time of analysis, all the payloads had been removed from the hosted servers by the attacker(s), and so Alien Labs could not analyze any of them.
BotenaGo does not have any active communication to its C&C, which raises the question: how does it operate? Alien Labs has a few theories on how the malware is being operated and receives a target to attack (the attacker could be using one or a mix of the actions below):
- The malware is part of a "malware suite" and BotenaGo is only one module of infection in an attack. In this case, there should be another module either operating BotenaGo (by sending targets) or just updating the C&C with a new victim’s IP.
- The links used for the payload on a successful attack imply a connection with Mirai malware. It could be the BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets.
- This malware is still in beta phase and has been accidently leaked.
Recommended actions
- Maintain your software with the latest security updates.
- Ensure minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
- Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
Conclusion
Malware authors continue to create new techniques for writing malware and upgrading its capabilities. In this case, new malware writing in Golang (which Alien Labs has named BotenaGo) can run as a botnet on different OS platforms with small modifications.
Detection methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.
|
SURICATA IDS SIGNATURES |
|
4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051) |
|
4000456: AV EXPLOIT Netgear Device RCE (CVE-2016-1555) |
|
4000898: AV EXPLOIT Netgear DGN2200 ping.cgi - Possible Command Injection ( CVE-2017-6077 ) |
|
2027093: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077) |
|
2027881: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277) |
|
2027882: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277) |
|
2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561) |
|
2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) |
|
2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561) |
|
2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) |
|
2831296: ETPRO EXPLOIT XiongMai uc-httpd RCE (CVE-2018-10088) |
|
4001914: AV EXPLOIT DrayTek Unauthenticated root RCE (CVE-2020-8515) |
|
2029804: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1 |
|
2029805: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1 |
|
2029806: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2 |
|
2029807: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2 |
|
4002119: AV EXPLOIT Comtrend Router ping.cgi RCE (CVE-2020-10173) |
|
2030502: ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173) |
|
4001814: AV EXPLOIT TOTOLINK Router PostAuth RCE (CVE-2019-19824) |
|
2029616: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1 |
|
2029617: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2 |
|
4001142: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v1 |
|
4001143: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v2 |
|
2032077: ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321) |
|
4000897: AV EXPLOIT Netgear DGN2200 dnslookup.cgi Lookup - Possible Command Injection (CVE-2017-6334) |
|
2027094: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334) |
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
|
TYPE |
INDICATOR |
DESCRIPTION |
|
SHA256 |
0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad |
BotenaGo malware hash |
|
URL |
http://107[.]172.30.215/shell/wget.sh |
Malware payload download link |
|
URL |
http://rippr[.]cc/u
|
Malware payload download link |
|
URL |
http://107[.]172.30.215/b |
Malware payload download link |
|
URL |
http://37[.]0.11.220/g+-O- |
Malware payload download link |
|
URL |
http://107[.]172.30.215/l |
Malware payload download link |
|
URL |
http://107[.]172.30.215/a/wget.sh |
Malware payload download link |
|
URL |
http://107[.]172.30.215/multi/wget.sh |
Malware payload download link |
|
URL |
http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.mips |
Malware payload download link |
|
URL |
http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.arm7 |
Malware payload download link |
|
URL |
http://37[.]0.11.220/a/wget.sh |
Malware payload download link |
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
- TA0008: Lateral Movement
- T1210: Exploitation of Remote Services
- T1570: Lateral Tool Transfer
- TA0011: Command and Control
- T1571: Non-Standard port
