The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool or use it as is, in their own attack campaigns.
Researchers at AT&T Alien Labs first spotted the malware last November and named it "BotenaGo." The malware is written in Go — a programming language that has become quite popular among malware authors. It comes packed with exploits for more than 30 different vulnerabilities in products from multiple vendors, including Linksys, D-Link, Netgear, and ZTE.
BotenaGo is designed to execute remote shell commands on systems where it has successfully exploited a vulnerability. An analysis that Alien Labs conducted last year when it first spotted the malware showed BotenaGo using two different methods to receive commands for targeting victims. One of them involved two backdoor ports for listening to and receiving the IP addresses of target devices, and the other involved setting a listener to system I/O user input and receiving target information through it.
Researchers at Alien Labs discovered that while the malware is designed to receive commands from a remote server, it does not have any active command-and-control communication. This led the security vendor to surmise at the time that BotenaGo was part of a broader malware suite and likely one of multiple tools in an infection chain. The security vendor also found that BotenaGo's payload links were similar to the ones used by the operators of the infamous Mirai botnet malware. This led Alien Labs to theorize that BotenaGo was a new tool that the operators of Mirai are using to target specific machines that are known to them.
IoT Devices and Routers Hit
For reasons that are unclear, the unknown author of the malware recently made BotenaGo's source code publicly available through GitHub. The move could potentially result in a significant increase in BotenaGo variants as other malware authors use and adapt the source code for their specific purposes and attack campaigns, Alien Labs said in a blog this week. The company said it has observed new samples of BotenaGo surface and in use to spread Mirai botnet malware on IoT devices and routers. One of BotenaGo's payload servers is also in the list of indicators of compromise for the recently discovered Log4j vulnerabilities.
The BotenaGo malware consists of just 2,891 lines of code, making it a potentially good starting point for several new variants. The fact that it comes packed with exploits for more than 30 vulnerabilities in multiple routers and IoT devices is another factor that malware authors are likely to consider appealing. The many vulnerabilities that BotenaGo can exploit include CVE-2015-2051 in certain D-Link wireless routers, CVE-2016-1555 impacting Netgear products, CVE-2013-3307 on Linksys devices, and CVE-2014-2321 that impacts certain ZTE cable modem models.
"Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally," said Alien Labs malware researcher Ofer Caspi, in the previously mentioned blog post. "As of the publishing of this article, antivirus (AV) vendor detection for BotenaGo and its variants remains behind with very low detection coverage from most of AV vendors."
According to Alien Labs, just three out of 60 AV on VirusTotal are currently capable of detecting the malware.
The company compared the move to the one Mirai's authors made back in 2016, when they uploaded the source code for the malware to a hacking community forum. The code release resulted in the development of numerous Mirai variants, such as Satori, Moobot, and Masuta, that have accounted for millions of IoT device infections. The Mirai code release resulted in variants with unique functionality, new capabilities, and new exploits.