IoT devices and routers at risk due to BotenaGo malware

In November 2021, AT&T's cybersecurity team, Alien Labs, published a report on an emerging malware variant they dubbed BotenaGo. In January 2022, Alien Labs reported that the malware's source code had been uploaded to GitHub by its authors, allowing anyone to use it as an exploit kit or develop new variants to deploy. Cybersecurity experts now fear that a new wave of attacks is on the horizon, potentially impacting millions of IoT devices and routers. But what is BotenaGo, how does it work and how can IT and cybersecurity teams protect their organizations?

What is BotenaGo?
BotenaGo is malware written in Golang, also known as Go, hence the name. Google designed this open-source programming language to make software development easier; work on it began in 2007 and it was released publicly in 2009. Malware authors have increasingly adopted the language in recent years, with one 2021 industry study counting a roughly 2,000% increase in malware written in Go since 2017. This is, in part, because Go makes it easy to cross-compile the same code for different operating systems and CPU architectures (including the ARM and MIPS chips common in routers and IoT devices), letting attackers spread a single codebase to a wide variety of targets with little extra effort.

Worse, the malware also has a low antivirus detection rate. At the time of BotenaGo's discovery, Alien Labs reported that only six out of 62 antivirus engines on VirusTotal detected the sample. According to their most recent update, VirusTotal scanning results put this rate at 3/60. VirusTotal counts are only a rough measure of signature coverage, but BotenaGo's ability to evade detection is still concerning, especially as new variants emerge in the coming months.

What this means for IoT devices and routers
The authors behind BotenaGo have included 33 exploit functions, each targeting a known vulnerability in a particular router or IoT device model. Due to this array of exploits and the ability to run on multiple operating systems, BotenaGo has the potential to target millions of IoT devices and routers belonging to organizations and individuals alike.

Initial event
As mentioned previously, AT&T's Alien Labs discovered BotenaGo in early November 2021, putting cybersecurity teams on edge. They found that the malware authors used it to scan the internet for vulnerable targets, keeping a live counter of the number of infected devices globally. At any point, the attackers could use BotenaGo to execute remote shell commands on vulnerable internet-facing devices, gaining complete control, the same outcome a remote code execution flaw such as Log4Shell gives an attacker. A compromised router or IoT device can also act as a foothold into the unsecured network behind it, allowing attackers to broaden the scope and impact of their attack.

BotenaGo source code uploaded to GitHub
On Jan. 26, 2022, Alien Labs published an update on BotenaGo. Apparently, the source code for the malware tool had been publicly available since Oct. 16, 2021, when its authors published it to GitHub. In addition to BotenaGo's source code, they also released a variety of supporting tools. This means that anyone can deploy, modify and develop new variants of the malicious tool to use in their own attack campaigns.

Looking at the source code for BotenaGo, the researchers found that it consists of 2,891 lines of "simple yet efficient" code, with everything one might need to carry out a malware attack. This includes a reverse shell and a telnet loader, which together create a backdoor that receives commands from C&C servers, and automatic configuration for the 33 exploits. These features let attackers identify which targets are vulnerable and infect them with a payload matched to the target device.

Mirroring the Mirai botnet
While they don't share the same attack functions, BotenaGo is still eerily similar to the infamous Mirai botnet malware. Like BotenaGo, Mirai primarily targets routers and IoT devices. Some antivirus software even detects the new Go variant as Mirai, because of similar payload links and its ability to spread Mirai botnet malware. This has led Alien Labs researchers to hypothesize that BotenaGo is a new tool from the same operators as Mirai. And with the release of BotenaGo's source code, Alien Labs predicts a matching trajectory.

Back in 2016, Mirai's source code was also leaked online, on a hacking forum, and later published to GitHub. After that release, Mirai saw a dramatic rise in popularity, with multiple variants built from the same source code and carrying unique functionality. It looks like BotenaGo won't be too different: Alien Labs believes there is significant potential for an increase in these malware variants in the coming months as malicious actors use and alter BotenaGo's source code, creating new families of malware.

Mitigation steps
Alien Labs recommends three steps for mitigating the risk of a BotenaGo attack:

  1. Properly configure your firewall, and minimize the internet exposure of Linux servers and IoT devices (no management interfaces or telnet reachable from the WAN side).
  2. Install security and firmware updates as soon as they become available.
  3. Monitor your systems for suspicious activity and unnecessary open ports, and shut down any listener you cannot account for.
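The first and third steps come down to knowing which sockets on a device or Linux host are reachable from the internet and whether each one is expected. The program below is an added example written for this article (it is not Alien Labs' or Inventu's code): it parses the output format of the Linux `ss -H -lntu` command, compares every listener against an assumed allowlist of expected services, and rates anything bound to a wildcard address as high severity, since that is exactly what an internet-wide scanner would reach. The `sampleSS` text is constructed sample data, not a capture from a real system, and the allowlist is an assumed policy; on a real host you would pipe live `ss` output into `parseSS` instead.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleSS is constructed sample output in the format of `ss -H -lntu`
// (Netid State Recv-Q Send-Q Local:Port Peer:Port); it is not real captured data.
// A telnet daemon on 0.0.0.0:23 stands in for the kind of exposure BotenaGo's
// exploits look for.
const sampleSS = `udp   UNCONN 0      0           0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511       127.0.0.1:6379      0.0.0.0:*
tcp   LISTEN 0      4096           [::]:443          [::]:*
tcp   LISTEN 0      10          0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      10      192.168.1.1:80        0.0.0.0:*`

// Listener is one listening socket parsed from ss output.
type Listener struct {
	Proto string // "tcp" or "udp"
	Addr  string // local address without port and without IPv6 brackets
	Port  string
}

// Finding is a listener the policy does not expect, with a severity that is
// "high" when it is reachable on every interface and "low" otherwise.
type Finding struct {
	Listener
	Severity string
	Reason   string
}

// parseSS extracts listeners from `ss -H -lntu` rows; the local address is the
// fifth whitespace-separated field. Malformed rows are skipped.
func parseSS(out string) []Listener {
	var ls []Listener
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue
		}
		addr, port := splitAddrPort(f[4])
		if port == "" {
			continue
		}
		ls = append(ls, Listener{Proto: f[0], Addr: addr, Port: port})
	}
	return ls
}

// splitAddrPort splits at the last colon so IPv6 literals such as "[::]:443"
// keep their address part; the surrounding brackets are stripped.
func splitAddrPort(s string) (string, string) {
	i := strings.LastIndex(s, ":")
	if i < 0 {
		return s, ""
	}
	return strings.Trim(s[:i], "[]"), s[i+1:]
}

// isWildcard reports whether a socket is bound to every interface, which on an
// internet-facing router or IoT device means it is reachable from the internet.
func isWildcard(addr string) bool {
	return addr == "0.0.0.0" || addr == "::" || addr == "*"
}

// defaultAllowlist is an assumed policy of the proto/port pairs an administrator
// expects on this host: SSH, HTTPS and the DHCP client.
func defaultAllowlist() map[string]bool {
	return map[string]bool{"tcp/22": true, "tcp/443": true, "udp/68": true}
}

// audit returns one Finding per listener that is not on the allowlist, in input
// order. Wildcard-bound listeners are rated high because they are what an
// internet-wide scanner such as BotenaGo would find.
func audit(ls []Listener, allowed map[string]bool) []Finding {
	var out []Finding
	for _, l := range ls {
		if allowed[l.Proto+"/"+l.Port] {
			continue
		}
		f := Finding{Listener: l, Severity: "low",
			Reason: "unexpected listener bound to " + l.Addr}
		if isWildcard(l.Addr) {
			f.Severity = "high"
			f.Reason = "unexpected listener reachable on every interface"
		}
		out = append(out, f)
	}
	return out
}

func main() {
	for _, f := range audit(parseSS(sampleSS), defaultAllowlist()) {
		fmt.Printf("%-4s %s/%s %s: %s\n", f.Severity, f.Proto, f.Port, f.Addr, f.Reason)
	}
}
```

Run against the sample, the audit flags the telnet daemon on 0.0.0.0:23 as high severity and the Redis-style listener on 127.0.0.1:6379 and the web server on 192.168.1.1:80 as low; SSH, HTTPS and the DHCP client pass because the allowlist expects them. Scheduling a check like this and alerting on any new high-severity finding turns "monitor for unnecessary open ports" into something a team can actually act on.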

As new cybersecurity threats emerge, organizations should prioritize protecting themselves from would-be hackers. Inventu offers a powerful terminal emulation tool that can boost your business's cybersecurity.

Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary web terminal emulation tool called Inventu Viewer+, a high-performance emulation solution that is built with C at its core. Inventu Viewer+ supports SAML 2.0 and other identity technologies to enable securing your critical mainframe applications. This allows the deployment of reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers. All in all, the Inventu Viewer+ web terminal emulation meets employer and staff expectations in a way that feels both familiar and simple. Contact us today and see how Inventu can help you integrate your active terminal emulation with the best web identity frameworks available.