The source code of a dangerous malware strain that bundles more than 30 exploits for various routers and IoT devices has recently surfaced on GitHub, placing millions of devices at risk.
Security experts say that releasing the code on GitHub could lead to an increase in cyberattacks, as threat actors could easily reuse it in their own campaigns or build new malware strains on top of it.
AT&T Alien Labs first spotted the malware, called BotenaGo, in November 2021. Written in Go (Golang), Google's open-source programming language, it lets attackers execute remote shell commands on compromised systems.
BotenaGo hosts more than 30 vulnerability exploits for devices from vendors such as D-Link, Netgear, Linksys and Tenda. According to the Alien Labs analysis, the malware receives its targets in two different ways.
In the first mode, the malware opens two backdoor ports and listens on them for the target's IP address; in the second, it reads the target information from the standard input (stdin) of its own process, so no network listener is involved.
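As an added illustration of the two target-delivery modes described above (this is example code written for this page, not BotenaGo's own source, and it contains no exploit logic), the following Go program accepts targets either on a TCP backdoor port or on stdin and funnels both through one validating reader. The one-bare-IP-per-line format, the loopback bind and the OS-chosen port are assumptions; the page names neither the real ports nor the real wire format.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
)

// ErrBadTarget is returned for a line that is not a syntactically valid
// IPv4 or IPv6 address.
var ErrBadTarget = errors.New("target is not a valid IP address")

// ParseTarget normalises one line of target intel into a validated net.IP.
// The one-IP-per-line format is an assumption made for this example.
func ParseTarget(line string) (net.IP, error) {
	ip := net.ParseIP(strings.TrimSpace(line))
	if ip == nil {
		return nil, ErrBadTarget
	}
	return ip, nil
}

// ReadTargets drains a reader line by line and splits the input into
// validated targets and rejected lines. The reader is stdin in one mode and
// an accepted backdoor-port connection in the other, so one code path
// serves both delivery channels.
func ReadTargets(r io.Reader) (targets []net.IP, rejected []string) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue // blank lines are ignored rather than counted as errors
		}
		ip, err := ParseTarget(line)
		if err != nil {
			rejected = append(rejected, line)
			continue
		}
		targets = append(targets, ip)
	}
	return targets, rejected
}

// ServeBackdoorPort models the first mode: bind a TCP listener, feed every
// accepted connection through ReadTargets and hand each valid target to
// handler. It binds loopback on an OS-chosen port (assumption; the real
// sample's two fixed ports are not reproduced) and returns the bound address.
func ServeBackdoorPort(handler func(net.IP)) (net.Addr, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		defer ln.Close()
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				targets, _ := ReadTargets(c)
				for _, ip := range targets {
					handler(ip)
				}
			}(conn)
		}
	}()
	return ln.Addr(), nil
}

func main() {
	// First mode: accept targets pushed over the network.
	addr, err := ServeBackdoorPort(func(ip net.IP) {
		fmt.Println("network-supplied target:", ip)
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, "listen failed:", err)
		os.Exit(1)
	}
	fmt.Println("backdoor listener bound on", addr)

	// Second mode: targets arrive on stdin, e.g.
	//   printf '192.0.2.10\nnot-an-ip\n' | go run .
	targets, rejected := ReadTargets(os.Stdin)
	for _, ip := range targets {
		fmt.Println("stdin-supplied target:", ip)
	}
	for _, line := range rejected {
		fmt.Printf("rejected %q\n", line)
	}
}
```

The defender's takeaway is the asymmetry between the two modes: the backdoor-port mode shows up as an unexpected listening socket on the device, while the stdin mode opens no socket at all and is only visible through process or command-line telemetry, so a listener inventory alone does not cover both.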
Upon discovery, researchers pointed out that, although the malware can receive commands remotely, it lacked a command-and-control (C&C) infrastructure. That seems to have changed: one new BotenaGo variant is designed to use a C&C server, according to an Alien Labs report.
Reportedly, BotenaGo's payload links were similar to those used by Mirai botnet operators, which led researchers to believe that Mirai threat actors use BotenaGo to target known vulnerable devices.
Despite its small footprint (only 2,981 lines of code), the malware packs a serious punch: it hosts more than 30 exploits for vulnerabilities in routers and IoT devices. These include, but are not limited to:
- CVE-2020-10987: Tenda AC15 AC1900, firmware version 15.03.05.19
- CVE-2020-9054: multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2
- CVE-2020-9377: D-Link DIR-610
- CVE-2017-6077, CVE-2017-6334: NETGEAR DGN2200 devices with firmware through 10.0.0.50
- CVE-2018-10561, CVE-2018-10562: GPON home routers
Last but not least, the malware also has a low detection rate: at the time of discovery, only three of 60 antivirus engines reportedly detected new BotenaGo samples.