New Go-based botnet discovered under active development (3rd May 2023)

Ref# AL2023_24 | Date: May 3rd 2023

Description  

A new Go-based botnet called HinataBot was discovered targeting specific devices and recruiting them into a botnet swarm capable of launching potentially massive DDoS attacks.

Details 

Researchers at Akamai discovered this new botnet, HinataBot, early in 2023 after observing it exploit old vulnerabilities against their HTTP and SSH honeypots. It was seen targeting Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A). HinataBot is written in the popular Go language, since threat actors benefit from its high performance, ease of multi-threading, and support for multiple architectures and operating systems. Upon examining its code, the researchers established that HinataBot is most likely a Go-based variant of the notorious Mirai botnet. Interestingly, the researchers also found that the threat actors operating HinataBot initially distributed Mirai binaries. Recent samples of the malware show that it is under active development to improve performance and add features.

HinataBot is distributed by brute-forcing weak SSH endpoints or through infection scripts and RCE vulnerability exploits. The HinataBot payload is then installed and runs in the background of the infected device, establishes communication with its command-and-control (C2) server, and awaits instructions.
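Because the initial access described above relies on SSH password guessing, one defensive check is to watch the sshd log for the pattern it leaves: many failed password attempts from one source in a short window, possibly followed by a successful login. The script below is an added example written for this alert; it is not code from the advisory or from Akamai's research. The auth.log lines, hostnames and IP addresses in it are constructed for illustration (documentation-range addresses, not HinataBot infrastructure), and the threshold and window values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (illustrative only, not taken from the
# advisory). 192.0.2.10 hammers several accounts and finally logs in;
# 198.51.100.7 is a single typo by a legitimate user.
SAMPLE_AUTH_LOG = """\
May  3 10:00:01 gw sshd[2101]: Failed password for root from 192.0.2.10 port 51000 ssh2
May  3 10:00:03 gw sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 51001 ssh2
May  3 10:00:04 gw sshd[2103]: Failed password for root from 192.0.2.10 port 51002 ssh2
May  3 10:00:06 gw sshd[2104]: Failed password for invalid user pi from 192.0.2.10 port 51003 ssh2
May  3 10:00:07 gw sshd[2105]: Failed password for alice from 198.51.100.7 port 40022 ssh2
May  3 10:00:08 gw sshd[2106]: Failed password for root from 192.0.2.10 port 51004 ssh2
May  3 10:00:09 gw sshd[2107]: Failed password for invalid user ubnt from 192.0.2.10 port 51005 ssh2
May  3 10:00:12 gw sshd[2108]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
May  3 10:00:15 gw sshd[2109]: Accepted password for root from 192.0.2.10 port 51006 ssh2
"""

# Matches the standard OpenSSH password-auth messages (both the plain and the
# "invalid user" forms).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) for an sshd password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only time deltas within the log matter here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def find_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with at least `threshold` failed logins inside any `window`.

    Returns {ip: {"failures": n, "users": [...], "compromised": bool}}, where
    "compromised" is True when the same IP gets an 'Accepted' login after its
    last failure (the pattern of a guess that finally succeeded).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            events[parsed[3]].append(parsed)

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window over failures: advance the left edge until the span fits.
        peak, left = 0, 0
        for right in range(len(failures)):
            while failures[right][0] - failures[left][0] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            last_fail = failures[-1][0]
            compromised = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
            findings[ip] = {
                "failures": len(failures),
                "users": sorted({e[2] for e in failures}),
                "compromised": compromised,
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_AUTH_LOG).items():
        status = "LOGIN SUCCEEDED AFTER FAILURES" if info["compromised"] else "failures only"
        print(f"{ip}: {info['failures']} failed logins against {info['users']} ({status})")
```

Run against a real /var/log/auth.log (or `journalctl -u ssh` output) by passing the file contents instead of SAMPLE_AUTH_LOG. A flagged IP whose "compromised" flag is set is the case worth triaging first: the host should be checked for an unexpected background process and outbound C2 traffic, which is the post-infection behaviour the advisory describes.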

The researchers created their own C2 server and managed to interact with the malware and simulate DDoS attacks to deduce its capabilities. They tested both an older sample captured in January and a recent sample from March. They found that the older samples of HinataBot supported HTTP, UDP, ICMP, and TCP floods, while the newer samples only supported HTTP and UDP. Looking at the HTTP and UDP commands, both protocols generate a pool of 512 processes that send hardcoded data packets to a chosen target for a defined period. The HTTP packet size falls in the range of 484 to 589 bytes, while the UDP packet size is much larger, consisting of 65549 bytes. In short, the HTTP flood aims to generate large volumes of requests, while the UDP flood aims to send large volumes of null traffic to the target.

The researchers simulated a single-bot attack over a 10-second window for both the HTTP and UDP commands: the HTTP flood generated 20,430 requests for a total size of 3.4 MB, and the UDP flood generated 6,733 requests totaling 421 MB of data. From this, the researchers estimated that with 1,000 bots under command, threat actors could generate roughly 336 Gbps of traffic in a UDP flood and 2.7 Gbps with over 2 million requests in an HTTP flood. Additionally, if 10,000 bots were recruited, a UDP flood could generate more than 3.3 Tbps of traffic, while an HTTP flood could generate over 20.4 million requests, amounting to 27 Gbps.

IOCs 

See the reference below for the list of YARA rules, Snort rules, IP addresses, ports, CVEs, and hashes associated with HinataBot: https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet

Remediation 

Here are some tips to safeguard yourself against a potential botnet infection:

  1. Use long, complex passwords so that brute-force attacks are unsuccessful.

  2. Patch and update all devices to their latest stable version to prevent vulnerabilities from being exploited to gain access to your device.

  3. Be wary of email attachments and suspicious links, as both can be malicious and deliver a malware payload if opened or clicked.

  4. Having an effective anti-virus solution on your device can help protect it against malware and other threats.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.     

PDF Download: New Go-based botnet discovered.pdf

References