Executive summary
AT&T Alien Labs™ has found new malware written in the open-source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.
Key Takeaways:
- BotenaGo has more than 30 different exploit functions to attack a target.
- The malware creates a backdoor and waits to receive a target to attack, either from a remote operator through port 19412 or from another related module running on the same machine.
- It is not yet clear which threat actor is behind the malware, nor how many devices are infected.
Background
Golang (also known as Go) is an open-source programming language designed by Google and first published in 2007 that makes it easier for developers to build software.
According to a recent Intezer post, the Go programming language has dramatically increased in popularity among malware authors in the last few years. The site suggests there has been a 2,000% increase in malware code written in Go being found in the wild.
Some of the reasons for its growing popularity relate to the ease of compiling the same code for different systems, which makes it easier for attackers to spread malware across multiple operating systems.
As of the publishing of this article, BotenaGo has a low antivirus (AV) detection rate, with only 6 of 62 known AV engines on VirusTotal flagging it (Figure 1).
Figure 1. VirusTotal scanning results of BotenaGo malware
Some AVs detect these new Go-based malware variants as Mirai malware, and the payload links do look similar. However, there are differences between Mirai and the new Go-based variants, including the language in which they are written and the malware architectures. Mirai is a botnet that initiates its communication with its command and control (C&C) server, and it also has various DDoS functions. The new strains Alien Labs has discovered do not have the same attack functions as Mirai; they only look for vulnerable systems to spread their payload. In addition, Mirai uses an "XOR table" to hold its strings and other data and to decrypt them when needed; this is not the case for the new Go-based malware. For these reasons, Alien Labs believes this threat is new, and we have named it BotenaGo.
Analysis
The BotenaGo malware starts by initializing global infection counters that will be printed to the screen, informing the operator about the total number of successful infections (Figure 2).
Figure 2. BotenaGo execution output
It then looks for the 'dlrs' folder from which to load shell script files. A loaded script will be concatenated as 'echo -ne %s >> '. If the 'dlrs' folder is missing, the malware stops and exits at this point.
For the last and most important preparation step, the malware calls the function 'scannerInitExploits', which sets up the malware's attack surface by mapping every offensive function to the string that represents its targeted system.
Each function is mapped to a string that represents a potential target system, effectively a signature, which we explain later in this blog (see figure 3).
Figure 3. Mapping attack functions to related vulnerable systems
Exploit delivery
To deliver its exploit, the malware first queries the target with a simple "GET" request. It then searches the data returned from the "GET" request for each system signature that was mapped to an attack function (as seen in figure 3).
Figure 4. Example 1: Mapping function to the related system string signature
The string "Server: Boa/0.93.15" is mapped to the function "main_infectFunctionGponFiber" (see figure 4), which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958, as shown in figure 5).
Figure 5. Example 1: main_infectFunctionGponFiber function, exploiting CVE-2020-8958
If we search for the string "Server: Boa/0.93.15" in SHODAN, the results show almost 2 million potential targets for this attack (see figure 6). Boa is a discontinued, open-source, small-footprint web server that is mostly suited to embedded applications.
Figure 6. Example 1: Shodan search result for potential targets of a specific function
Let's look at another example of a signature mapped to an attack function. We searched for the string "Basic realm="Broadband Router"", which is mapped to the function "m_infectFunctionComtrend" (see figure 7).
Figure 7. Example 2: Mapping function to the related system string signature
A search on Shodan returns roughly 250,000 potential devices that could be attacked by this function (see figure 8).
Figure 8. Example 2: Shodan search result for the string
The function exploiting the vulnerability CVE-2020-10173 is shown in figure 9. In total, the malware initiates 33 exploit functions that are capable of infecting potential victims.

Figure 9. Example 2: Function exploiting vulnerability CVE-2020-10173
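The banner-signature matching described above can be turned around for defenders: rather than probing the Internet, check the HTTP responses of your own fleet for the banners BotenaGo keys on. The following Python is an added example, not code from the Alien Labs post or from the malware; the two signature strings and the CVEs they map to are taken from the post, while the asset names and HTTP responses are constructed for the demo. Matching is a plain substring search over the whole response, as the post describes the malware doing, so the last sample shows how a banner string that only appears in a page body also matches; treat a hit as a prompt to verify the device's firmware version, not as proof of vulnerability.

```python
"""Added example (not from the Alien Labs post): report which of your own
devices return a banner BotenaGo is described as matching on."""

# Signatures and CVEs as given in the post. BotenaGo maps each signature to
# an exploit function; here each maps to the CVE named for it, for triage only.
BANNER_SIGNATURES = {
    "Server: Boa/0.93.15": "CVE-2020-8958",
    'Basic realm="Broadband Router"': "CVE-2020-10173",
}


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(header_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def matching_signatures(raw):
    """Return sorted (cve, location) pairs for every signature found in the response.

    The search is a substring match over the whole response, mirroring what the
    post describes the malware doing; location names the header carrying the
    banner, or "body" when it only appears outside the headers.
    """
    _, headers = parse_response(raw)
    hits = []
    for signature, cve in BANNER_SIGNATURES.items():
        if signature not in raw:
            continue
        location = next(
            (name for name, value in headers if signature in f"{name}: {value}"),
            "body",
        )
        hits.append((cve, location))
    return sorted(hits)


def exposure_report(responses):
    """responses: {asset: raw_http_response}. Returns only assets with a hit."""
    report = {}
    for asset, raw in responses.items():
        hits = matching_signatures(raw)
        if hits:
            report[asset] = hits
    return report


# Constructed sample responses from hypothetical lab assets (not from the post).
SAMPLE_RESPONSES = {
    "onu-lab-01": "HTTP/1.1 200 OK\r\nServer: Boa/0.93.15\r\nContent-Type: text/html\r\n\r\n<html>",
    "cpe-lab-02": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Broadband Router"\r\n\r\n',
    "web-lab-03": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n<html>",
    # Banner text only in the body: still a substring hit, so worth a manual check.
    "docs-lab-04": "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n<p>legacy firmware reports Server: Boa/0.93.15</p>",
}

if __name__ == "__main__":
    for asset, hits in exposure_report(SAMPLE_RESPONSES).items():
        for cve, location in hits:
            print(f"{asset}: BotenaGo banner signature for {cve} found in {location}")
```

Feed `exposure_report` the responses collected by your own asset inventory (for example, saved `curl -i` output per device) rather than scanning address ranges; the `location` field separates a genuine `Server` or `WWW-Authenticate` banner from incidental text in a page body.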
Receiving commands from Command & Control
The malware can receive commands to target victims in two different ways:
1. It creates two backdoor ports: 31412 and 19412. On port 19412 it listens to receive the victim IP. Once a connection carrying that information is received on the port, it loops through the mapped exploit functions and executes them against the given IP (see figure 10).
Figure 10. BotenaGo backdoor ports
2. The malware sets a listener on system I/O (terminal) user input and can receive a target through it.
For example, if the malware is running locally on a virtual machine, a command can be sent through telnet. The target in figure 11 is a fake web server Alien Labs set up locally.
Figure 11. Sending the malware a target to attack
Using this information, we can see the results of some of the attacks in Wireshark (see figures 12 and 13).
Figure 12. Malware communication as seen in Wireshark
Figure 13. Malware communication as seen in Wireshark
The new BotenaGo malware exploits more than 30 vulnerabilities. Below, Alien Labs has listed some of the CVE numbers of vulnerabilities that can be exploited. In addition, some of the vulnerabilities were disclosed without a CVE.
| Vulnerability | Affected devices |
|---|---|
| CVE-2020-8515 | DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices |
| CVE-2015-2051 | D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier |
| CVE-2016-1555 | Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 |
| CVE-2017-6077 | NETGEAR DGN2200 devices with firmware through 10.0.0.50 |
| CVE-2016-6277 | NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000 |
| CVE-2018-10561, CVE-2018-10562 | GPON home routers |
| CVE-2013-3307 | Linksys X3000 1.0.03 build 001 |
| CVE-2020-9377 | D-Link DIR-610 |
| CVE-2016-11021 | D-Link DCS-930L devices before 2.12 |
| CVE-2018-10088 | XiongMai uc-httpd 1.0.0 |
| CVE-2020-10173 | Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m |
| CVE-2013-5223 | D-Link DSL-2760U Gateway |
| CVE-2020-8958 | Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 |
| CVE-2019-19824 | TOTOLINK Realtek SDK based routers; this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0 |
| CVE-2020-10987 | Tenda AC15 AC1900 version 15.03.05.19 |
| CVE-2020-9054 | Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0, NAS520 before firmware V5.21(AASZ.3)C0, NAS540 before firmware V5.21(AATB.4)C0, NAS542 before firmware V5.21(ABAG.4)C0. ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 |
| CVE-2017-18368 | ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline |
| CVE-2014-2321 | ZTE F460 and F660 cable modems |
| CVE-2017-6334 | NETGEAR DGN2200 devices with firmware through 10.0.0.50 |
The payload
As its payload, BotenaGo executes remote shell commands on devices where a vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each with a different payload. At the time of analysis, all the payloads had been removed from the hosting servers by the attacker(s), so Alien Labs could not analyze any of them.
BotenaGo does not have any active communication with its C&C, which raises the question: how does it operate? Alien Labs has a few theories on how the malware is operated and receives a target to attack (the attacker could be using one or a combination of the options below):
- The malware is part of a "malware suite" and BotenaGo is only one module of infection in an attack. In this case, there should be another module either operating BotenaGo (by sending it targets) or simply updating the C&C with a new victim's IP.
- The links used for the payload after a successful attack imply a connection to Mirai malware. It could be that BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) feeding the infected endpoint with targets.
- The malware is still in a beta phase and has been accidentally leaked.
Recommended actions
- Keep your software up to date with the latest security updates.
- Ensure minimal exposure to the Internet for Linux servers and IoT devices, and use a properly configured firewall.
- Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
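Two of the behaviours in this report are visible in ordinary connection logs: the backdoor listeners on ports 31412 and 19412 described in the command-and-control section, and the outbound scanning that the monitoring recommendation above refers to. The Python below is an added example, not code from the Alien Labs post; it assumes a Zeek-style conn.log reduced to seven tab-separated fields (a layout constructed for the demo), uses the two port numbers from the post, and treats the fan-out threshold and time window as tuning values chosen here, not figures from the post. All log lines are constructed.

```python
"""Added example (not from the Alien Labs post): two detections over
Zeek-style conn.log records: accepted connections to the BotenaGo backdoor
ports named in the post, and port-scan fan-out from an internal host."""
from collections import defaultdict

BACKDOOR_PORTS = {31412, 19412}          # from the post
SCAN_FANOUT_THRESHOLD = 20               # assumed tuning value, not from the post
SCAN_WINDOW_SECONDS = 60                 # assumed tuning value, not from the post
# Zeek conn_state values meaning the TCP handshake completed.
ESTABLISHED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}


def parse_conn_line(line):
    """Constructed tab-separated layout: ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state."""
    ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": orig_h, "sport": int(orig_p),
            "dst": resp_h, "dport": int(resp_p), "proto": proto, "state": state}


def find_backdoor_sessions(records):
    """Established TCP connections to a backdoor port: the listener accepted, so the
    destination is a candidate infected device and the source a candidate operator."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if r["proto"] == "tcp" and r["dport"] in BACKDOOR_PORTS
            and r["state"] in ESTABLISHED_STATES]


def find_scan_fanout(records, dport=80):
    """Sources that reached >= SCAN_FANOUT_THRESHOLD distinct hosts on dport within
    any SCAN_WINDOW_SECONDS window. Returns {src: peak distinct host count}."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == dport:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        window = []
        for ts, dst in events:
            window.append((ts, dst))
            window = [(t, d) for t, d in window if ts - t <= SCAN_WINDOW_SECONDS]
            distinct = len({d for _, d in window})
            if distinct >= SCAN_FANOUT_THRESHOLD:
                scanners[src] = max(scanners.get(src, 0), distinct)
    return scanners


def build_sample_log():
    """Constructed records: one operator connection to the backdoor, one probe
    that never completed, ordinary browsing, and a 25-host sweep on port 80."""
    lines = [
        "1636000000.10\t198.51.100.9\t50123\t10.0.0.7\t19412\ttcp\tSF",
        "1636000001.20\t198.51.100.9\t50124\t10.0.0.7\t31412\ttcp\tS0",
        "1636000002.00\t10.0.0.8\t40000\t203.0.113.5\t80\ttcp\tSF",
        "1636000003.00\t10.0.0.8\t40001\t203.0.113.6\t443\ttcp\tSF",
    ]
    for i in range(25):
        lines.append(f"{1636000010 + i}.00\t10.0.0.7\t{41000 + i}\t203.0.113.{10 + i}\t80\ttcp\tS0")
    return lines


def analyze(lines):
    """Run both detections over raw log lines."""
    records = [parse_conn_line(line) for line in lines]
    return {"backdoor": find_backdoor_sessions(records),
            "scanners": find_scan_fanout(records)}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for src, dst, port in result["backdoor"]:
        print(f"backdoor session: {src} -> {dst}:{port}")
    for src, peak in result["scanners"].items():
        print(f"scan fan-out: {src} reached {peak} distinct hosts on tcp/80")
```

The backdoor check deliberately ignores half-open probes (state `S0`): a listener that never completes the handshake tells you nothing, whereas an established session on 19412 means something on that host accepted the connection. Raise or lower `SCAN_FANOUT_THRESHOLD` to match how much port-80 fan-out your own devices legitimately produce.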
Conclusion
Malware authors continue to create new techniques for writing malware and upgrading its capabilities. In this case, new malware written in Golang (which Alien Labs has named BotenaGo) can run as a botnet on different OS platforms with only small modifications.
Detection methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or to aid additional research.
| SURICATA IDS SIGNATURES |
|---|
| 4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051) |
| 4000456: AV EXPLOIT Netgear Device RCE (CVE-2016-1555) |
| 4000898: AV EXPLOIT Netgear DGN2200 ping.cgi – Possible Command Injection (CVE-2017-6077) |
| 2027093: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077) |
| 2027881: ET EXPLOIT NETGEAR R7000/R6400 – Command Injection Inbound (CVE-2019-6277) |
| 2027882: ET EXPLOIT NETGEAR R7000/R6400 – Command Injection Outbound (CVE-2019-6277) |
| 2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561) |
| 2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) |
| 2831296: ETPRO EXPLOIT XiongMai uc-httpd RCE (CVE-2018-10088) |
| 4001914: AV EXPLOIT DrayTek Unauthenticated root RCE (CVE-2020-8515) |
| 2029804: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1 |
| 2029805: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1 |
| 2029806: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2 |
| 2029807: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2 |
| 4002119: AV EXPLOIT Comtrend Router ping.cgi RCE (CVE-2020-10173) |
| 2030502: ET EXPLOIT Possible Authenticated Command Injection Inbound – Comtrend VR-3033 (CVE-2020-10173) |
| 4001814: AV EXPLOIT TOTOLINK Router PostAuth RCE (CVE-2019-19824) |
| 2029616: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1 |
| 2029617: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2 |
| 4001142: AV EXPLOIT ManagedITSync – Kaseya exploitation (CVE-2017-18362) v1 |
| 4001143: AV EXPLOIT ManagedITSync – Kaseya exploitation (CVE-2017-18362) v2 |
| 2032077: ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321) |
| 4000897: AV EXPLOIT Netgear DGN2200 dnslookup.cgi Lookup – Possible Command Injection (CVE-2017-6334) |
| 2027094: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334) |
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note that the pulse may include other related activity that is out of the scope of this report.
| TYPE | INDICATOR | DESCRIPTION |
|---|---|---|
| SHA256 | 0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad | BotenaGo malware hash |
| URL | http://107[.]172.30.215/shell/wget.sh | Malware payload download link |
| URL | http://rippr[.]cc/u | Malware payload download link |
| URL | http://107[.]172.30.215/b | Malware payload download link |
| URL | http://37[.]0.11.220/g+-O- | Malware payload download link |
| URL | http://107[.]172.30.215/l | Malware payload download link |
| URL | http://107[.]172.30.215/a/wget.sh | Malware payload download link |
| URL | http://107[.]172.30.215/multi/wget.sh | Malware payload download link |
| URL | http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.mips | Malware payload download link |
| URL | http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.arm7 | Malware payload download link |
| URL | http://37[.]0.11.220/a/wget.sh | Malware payload download link |
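The indicators above are published defanged, so they have to be refanged before they can be compared with proxy logs or file hashes. The Python below is an added example, not code from the Alien Labs post: it refangs the table's URLs and hash, builds a watchlist of exact URLs plus the hosts serving them (so a payload path that is not yet listed still surfaces as a host hit), and runs both against a proxy log and a file inventory that are constructed for the demo, including one path and one placeholder digest that are not indicators from the post.

```python
"""Added example (not from the Alien Labs post): refang the indicators from
the post's IOC table and match them against constructed proxy-log lines and a
constructed file-hash inventory."""
import re
from urllib.parse import urlsplit

# Indicators copied from the post's IOC table, in their published defanged form.
DEFANGED_URLS = [
    "http://107[.]172.30.215/shell/wget.sh",
    "http://rippr[.]cc/u",
    "http://107[.]172.30.215/b",
    "http://37[.]0.11.220/g+-O-",
    "http://107[.]172.30.215/l",
    "http://107[.]172.30.215/a/wget.sh",
    "http://107[.]172.30.215/multi/wget.sh",
    "http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.mips",
    "http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.arm7",
    "http://37[.]0.11.220/a/wget.sh",
]
MALWARE_SHA256 = {"0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad"}


def refang(ioc):
    """Undo the usual defanging so the indicator can be compared with live data."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp://", "http://")


def build_watchlist(defanged_urls):
    """Exact URLs plus the hosts serving them; a host hit catches paths not yet listed."""
    urls = {refang(u) for u in defanged_urls}
    hosts = {urlsplit(u).hostname for u in urls}
    return urls, hosts


def match_proxy_log(lines, urls, hosts):
    """Constructed line layout: 'ts src method url status'. Returns (src, url, reason) hits."""
    hits = []
    for line in lines:
        _ts, src, _method, url, _status = line.split()
        if url in urls:
            hits.append((src, url, "exact-url"))
        elif urlsplit(url).hostname in hosts:
            hits.append((src, url, "known-host"))
    return hits


def match_hashes(inventory, known=MALWARE_SHA256):
    """inventory: {path: sha256}. Returns paths whose digest is a known indicator."""
    return sorted(path for path, digest in inventory.items() if digest.lower() in known)


# Constructed proxy log: an internal host fetching a listed URL, then a path not
# on the list from the same listed host, normal browsing, and a second host hit.
SAMPLE_PROXY_LOG = [
    "1636000100 10.0.0.7 GET http://107.172.30.215/shell/wget.sh 404",
    "1636000101 10.0.0.7 GET http://107.172.30.215/constructed/other 404",
    "1636000102 10.0.0.8 GET http://example.com/index.html 200",
    "1636000103 10.0.0.9 GET http://rippr.cc/u 404",
]
# Constructed file inventory: the first digest is the post's hash in upper case
# (to show case normalisation), the second is a placeholder that matches nothing.
SAMPLE_INVENTORY = {
    "/tmp/.x/bot.x86": "0C395715BFEB8F89959BE721CD2F614D2EDB260614D5A21E90CC4C142F5D83AD",
    "/usr/bin/ls": "0" * 64,
}

if __name__ == "__main__":
    urls, hosts = build_watchlist(DEFANGED_URLS)
    for src, url, reason in match_proxy_log(SAMPLE_PROXY_LOG, urls, hosts):
        print(f"{src} requested {url} ({reason})")
    for path in match_hashes(SAMPLE_INVENTORY):
        print(f"{path}: hash matches BotenaGo sample")
```

Because the post notes the payloads had already been pulled from the hosting servers, a 404 in the proxy log is still a useful signal: the request itself shows a device attempted the download, which is what the `known-host` reason is meant to catch.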
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
- TA0008: Lateral Movement
- T1210: Exploitation of Remote Services
- T1570: Lateral Tool Transfer
- TA0011: Command and Control