VIRUS ALERTS
BotenaGo Malware
Original Issue Date: November 18, 2021
Virus Type: Backdoor/Malware Botnet
It has been reported that a newly surfaced malware, written in Google's open-source programming language Golang, is targeting embedded Linux routers and Internet of Things (IoT) devices through botnets. The malware uses 33 different exploits to compromise routers and IoT devices. It works by creating a backdoor on the device and then waits to receive a target to attack, either from a remote operator through port 19412 or from another related module running on the same machine.
Infection Mechanism:
The new Golang-based malware botnet incorporates more than 30 exploits for a variety of routers, modems, and Network-Attached Storage (NAS) devices. The vulnerabilities with CVE numbers that can be exploited by the new BotenaGo malware, as listed by Alien Labs, are given below. In addition, some of the exploited vulnerabilities have been disclosed without a CVE.
The malware botnet deploys a backdoor on the compromised device and then waits for commands, either from a remote operator or from a malicious module on the device, to initiate an attack. As part of a typical BotenaGo attack, the malware first maps potential targets to attack functions, then queries the target with a GET request, then searches the returned data, and only then attempts to exploit the vulnerable target.
On a compromised device, the malware creates two backdoor ports, 31412 and 19412, and starts listening on port 19412 to receive the victim's IP. It then loops through the mapped exploit functions and executes them against the supplied IP. Once BotenaGo gains access, it executes remote shell commands to recruit the device into the botnet. Depending on which device is targeted, the malware uses different links to fetch a matching payload.
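The advisory names two concrete network observables: listeners on TCP 31412 and 19412 on the infected device, and outbound scanning as the bot probes further targets. The following is an added detection example (not code from the advisory or from the malware analysis) that checks a simplified connection log for both; the log format and the fan-out threshold are assumptions for this example.

```python
# Added example: flag hosts exposing the BotenaGo backdoor listeners (TCP 31412
# and 19412, per the advisory) and hosts fanning out to many destinations, the
# "outbound port scan" pattern the advisory recommends monitoring.
# The 5-field log layout and the threshold are assumptions for this example.
from collections import defaultdict

BACKDOOR_PORTS = {31412, 19412}   # listening ports named in the advisory
SCAN_FANOUT_THRESHOLD = 20        # distinct destinations per source (assumed tuning value)

def parse_line(line):
    """Parse 'state src_ip src_port dst_ip dst_port'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    state, src, sport, dst, dport = parts
    try:
        return state, src, int(sport), dst, int(dport)
    except ValueError:
        return None

def find_backdoor_listeners(lines):
    """Return sorted (host, port) pairs that are in LISTEN state on a backdoor port."""
    hits = set()
    for state, src, sport, _, _ in filter(None, map(parse_line, lines)):
        if state == "LISTEN" and sport in BACKDOOR_PORTS:
            hits.add((src, sport))
    return sorted(hits)

def find_scanners(lines, threshold=SCAN_FANOUT_THRESHOLD):
    """Return {src: count} for sources contacting >= threshold distinct dst_ip:port pairs."""
    fanout = defaultdict(set)
    for state, src, _, dst, dport in filter(None, map(parse_line, lines)):
        if state in ("SYN_SENT", "ESTABLISHED"):
            fanout[src].add((dst, dport))
    return {src: len(d) for src, d in fanout.items() if len(d) >= threshold}

# Constructed sample: one router listening on both backdoor ports and probing
# 25 hosts on port 80; a second host with ordinary traffic; one malformed line.
SAMPLE_LOG = (
    ["LISTEN 192.0.2.10 31412 0.0.0.0 0",
     "LISTEN 192.0.2.10 19412 0.0.0.0 0",
     "LISTEN 192.0.2.20 443 0.0.0.0 0",
     "not a valid line"]
    + [f"SYN_SENT 192.0.2.10 4{i:04d} 198.51.100.{i} 80" for i in range(1, 26)]
    + ["ESTABLISHED 192.0.2.20 51000 203.0.113.5 443"]
)

if __name__ == "__main__":
    print("backdoor listeners:", find_backdoor_listeners(SAMPLE_LOG))
    print("possible scanners:", find_scanners(SAMPLE_LOG))
```

A listener on 31412 or 19412 alone is a strong indicator on a consumer router; the fan-out check needs tuning per network, since NAS and monitoring hosts legitimately contact many peers.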
Indicators of Compromise
Hashes (SHA256):
- 0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad
Best practices and remedial measures:
- Keep software up to date with the latest security updates.
- Install the latest firmware and use a properly configured firewall.
- Ensure minimal exposure to the Internet on Linux servers and IoT devices.
- Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
- Carry out timely patching of internet-connected devices to avoid becoming a victim of BotenaGo or any other IoT botnet.
Additional measures for securing IoT devices:
- Restrict access to the web management interface of IoT devices to authorized users only, and change default usernames/passwords.
- Always change default login credentials before deployment in production.
- Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
- Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Control access to the devices with an access list.
- Configure devices to "lock" or log out and require a user to re-authenticate if left unattended.
- Identify systems with default passwords and implement the above-mentioned measures. Some of the systems that need to be examined are routers, switches, web applications and administrative web interfaces, ICS systems, and Telnet and SSH interfaces.
- Implement account lockout policies to reduce the risk of brute-force attacks.
- Telnet and SSH should be disabled on the device if there is no requirement for remote management.
- Configure VPN and SSH for device access if remote access is required.
- Configure certificate-based authentication for the telnet client for remote management of devices.
- Implement egress and ingress filtering at the router level.
- Report suspicious entries in routers to your Internet Service Provider.
- Keep up-to-date antivirus on the computer system.
- Keep up to date on patches and fixes for the IoT devices, operating system and applications.
- Unnecessary ports and services should be stopped and closed.
- Logging must be enabled on the device to log all activities.
- Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.
References for CVE:

References
https://www.csk.gov.in/alerts/mirai.html
https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
https://www.bleepingcomputer.com/news/security/botenago-botnet-targets-millions-of-iot-devices-with-33-exploits/
https://threatpost.com/routers-iot-open-source-malware/176270/
https://www.tomsguide.com/news/botenago-router-malware
https://www.securityweek.com/botenago-malware-targets-routers-iot-devices-over-30-exploits
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal Address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India