Researchers at AT&T discovered a new BotenaGo botnet that is using thirty three exploits to target millions of routers and IoT devices.
Below is the list of exploits used by the bot:
| CVE | Affected devices |
|---|---|
| CVE-2020-8515 | DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 184.108.40.206_Beta, and 1.4.4_Beta devices |
| CVE-2015-2051 | D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier |
| CVE-2016-1555 | Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 220.127.116.11 |
| CVE-2017-6077 | NETGEAR DGN2200 devices with firmware through 10.0.0.50 |
| CVE-2016-6277 | NETGEAR R6250 before 18.104.22.168.Beta, R6400 before 22.214.171.124.Beta, R6700 before 126.96.36.199.Beta, R6900, R7000 before 188.8.131.52.Beta, R7100LG before 184.108.40.206.Beta, R7300DST before 220.127.116.11.Beta, R7900 before 18.104.22.168.Beta, R8000 before 22.214.171.124.Beta, D6220, D6400, D7000 |
| CVE-2018-10561, CVE-2018-10562 | GPON home routers |
| CVE-2013-3307 | Linksys X3000 1.0.03 build 001 |
| CVE-2016-11021 | D-Link DCS-930L devices before 2.12 |
| CVE-2018-10088 | XiongMai uc-httpd 1.0.0 |
| CVE-2020-10173 | Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m |
| CVE-2013-5223 | D-Link DSL-2760U Gateway |
| CVE-2020-8958 | Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 |
| CVE-2019-19824 | TOTOLINK Realtek SDK based routers; affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0 |
| CVE-2020-10987 | Tenda AC15 AC1900 version 15.03.05.19 |
| CVE-2020-9054 | Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0, NAS520 before firmware V5.21(AASZ.3)C0, NAS540 before firmware V5.21(AATB.4)C0, NAS542 before firmware V5.21(ABAG.4)C0. ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 |
| CVE-2017-18368 | ZyXEL P660HN-T1A v1 TCLinux Fw $126.96.36.199 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline |
| CVE-2014-2321 | ZTE F460 and F660 cable modems |
| CVE-2017-6334 | NETGEAR DGN2200 devices with firmware through 10.0.0.50 |
BotenaGo is written in Golang (Go), and at the time the researchers published their report it had a low antivirus (AV) detection rate (6/62).
“To deliver its exploit, the malware first queries the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions.” reads the analysis published by AT&T.
“The string “Server: Boa/0.93.15” is mapped to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958).”
The botnet can reach millions of devices with the functions that exploit the above flaws: for example, querying Shodan for the string "Boa" (a discontinued open-source web server used in embedded applications) returns nearly two million devices.
Once installed, the bot listens on ports 31412 and 19412; the latter is used to receive the victim IP.
Once a connection carrying that information is received on the port, the bot loops through the mapped exploit functions and executes each of them against the given IP.
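The two behaviours described above (a version-specific "Server" banner that the bot maps to an exploit, and the listening ports it opens after installation) give defenders two cheap checks. The following is an added example, not code from the AT&T/Alien Labs report: it flags devices in a captured HTTP-header inventory whose banner matches the one fingerprint/CVE pair the article states (Boa/0.93.15 to CVE-2020-8958) or any Boa banner at all, and it parses `ss -ltnp`-style output to spot listeners on 31412 or 19412. The HTTP responses and socket listing are constructed sample data, and the process name in them is a placeholder.

```python
"""Defender-side checks derived from the BotenaGo behaviour described in the
article. Added example; the fingerprint/CVE mapping and the port numbers are the
ones the article states, everything else (sample data, helper names) is assumed.
"""
import re

# Banner fingerprint -> CVE, as described in the article's account of the bot's
# signature-to-function mapping. Only the pair the article states is included.
TARGETED_BANNERS = {
    "Boa/0.93.15": "CVE-2020-8958",
}

# Ports the article says the bot listens on once installed.
BOTENAGO_LISTEN_PORTS = {31412, 19412}

# Constructed sample inventory: (host, raw HTTP response header block).
SAMPLE_RESPONSES = [
    ("192.0.2.10", "HTTP/1.1 200 OK\r\nServer: Boa/0.93.15\r\nContent-Type: text/html\r\n\r\n"),
    ("192.0.2.11", "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"),
    ("192.0.2.12", "HTTP/1.1 401 Unauthorized\r\nserver: Boa/0.94.14rc21\r\n\r\n"),
]

# Constructed `ss -ltnp`-style listing; "x" is a placeholder process name.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=611,fd=3))
LISTEN 0      128    0.0.0.0:31412       0.0.0.0:*         users:(("x",pid=2203,fd=5))
LISTEN 0      128    [::]:19412          [::]:*            users:(("x",pid=2203,fd=6))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=900,fd=6))
"""


def banner_exposure(responses):
    """Return (host, banner, cve) for hosts whose Server header matches a targeted
    fingerprint (cve set) or advertises any Boa build (cve None): those are the
    devices the article says the bot's GET-request probe is looking for."""
    findings = []
    for host, raw in responses:
        # Header names are case-insensitive; the trailing \r is absorbed by \s*.
        m = re.search(r"^Server:\s*(.+?)\s*$", raw, re.MULTILINE | re.IGNORECASE)
        if not m:
            continue
        banner = m.group(1)
        cve = next((c for fp, c in TARGETED_BANNERS.items() if fp in banner), None)
        if cve or "Boa" in banner:
            findings.append((host, banner, cve))
    return findings


def find_suspect_listeners(ss_output):
    """Parse `ss -ltnp`-style lines and return (local_addr, port, process) for
    sockets listening on the ports the article attributes to the bot."""
    hits = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue
        parts = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        addr, _, port = parts[3].rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        try:
            port = int(port)
        except ValueError:
            continue
        if port in BOTENAGO_LISTEN_PORTS:
            proc = parts[5] if len(parts) > 5 else ""
            hits.append((addr, port, proc))
    return hits


if __name__ == "__main__":
    for host, banner, cve in banner_exposure(SAMPLE_RESPONSES):
        print(f"{host}: banner '{banner}' -> {cve or 'Boa exposed, review patch status'}")
    for addr, port, proc in find_suspect_listeners(SAMPLE_SS):
        print(f"suspect listener {addr}:{port} {proc}")
```

The banner check is deliberately two-tier: an exact match on the fingerprint the bot uses yields the CVE to verify, while any other Boa banner is reported without a CVE, because the article only ties that one string to an exploit function and the Shodan figure shows how many Boa instances are exposed in general. The listener check is a point-in-time indicator and should be paired with the IoCs the researchers published.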
BotenaGo executes remote shell commands on compromised devices; depending on the infected system, the bot uses different links pointing to different payloads. Alien Labs could not analyze any of the payloads because they were no longer available on the hosting server.
The researchers did not observe any active communication between BotenaGo and a C2 server; the experts hypothesized the following possible scenarios:
- The malware is part of a “malware suite” and BotenaGo is only one module of infection in an attack. In this case, there should be another module either operating BotenaGo (by sending targets) or just updating the C&C with a new victim’s IP.
- The links used for the payload on a successful attack imply a connection with Mirai malware. It could be the BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets.
- This malware is still in a beta phase and has been accidentally leaked.
The researchers provided the indicators of compromise associated with these attacks and speculate that the malware could be enhanced by integrating new exploits.
(SecurityAffairs – hacking, BotenaGo)