AT&T researchers have identified that BotenaGo targets 33 exploits found in several popular commercial modems, routers, and NAS devices. The targeted brands and exploits include D-Link routers (CVE-2015-2051), Netgear devices (CVE-2016-1555), Tenda products (CVE-2020-10987), and others.

How does it operate?

Upon infection, the malware creates a backdoor on the targeted device.
  • It listens on two ports (31412 and 19412) and waits for instructions from the remote operator or from other related modules; these instructions usually consist of information about the target to attack.
  • When it receives the information about a target, it attempts to exploit each vulnerability against that IP address to gain access. On a successful attempt, it executes remote commands and recruits the infected device into its army of bots.
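The two listening ports above give defenders a concrete host- and network-level check. The following is an added example, not code from the AT&T or Cyware write-ups: it flags sockets bound to 31412 or 19412 in `ss -lntp`-style output and inbound TCP connections to those ports in Zeek-style conn rows. All sample data is constructed, and the process name "suspicious" is a placeholder.

```python
import re
from typing import Dict, List, Tuple

BOTENAGO_PORTS = {31412, 19412}  # backdoor listeners reported for BotenaGo

# Constructed `ss -lntp` output from a router/NAS shell (not real data)
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("dropbear",pid=512,fd=3))
LISTEN  0       128     0.0.0.0:31412        0.0.0.0:*          users:(("suspicious",pid=9731,fd=5))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=600,fd=4))
LISTEN  0       128     [::]:19412           [::]:*             users:(("suspicious",pid=9731,fd=6))
"""

# Constructed Zeek-style conn rows: ts src sport dst dport proto
CONN_SAMPLE = [
    "1636000001.1 198.51.100.7 51522 192.0.2.10 31412 tcp",
    "1636000002.4 198.51.100.7 51523 192.0.2.10 80 tcp",
    "1636000003.9 203.0.113.5 40001 192.0.2.11 19412 tcp",
]

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def find_backdoor_listeners(ss_output: str) -> List[Dict]:
    """Return listening sockets bound to the BotenaGo backdoor ports."""
    hits = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m or int(m.group(2)) not in BOTENAGO_PORTS:
            continue
        proc = PROC_RE.search(m.group(3))  # process column may be absent
        hits.append({"addr": m.group(1), "port": int(m.group(2)),
                     "process": proc.group(1) if proc else None,
                     "pid": int(proc.group(2)) if proc else None})
    return hits


def find_backdoor_connections(rows: List[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for TCP flows into the backdoor ports."""
    hits = []
    for row in rows:
        _ts, src, _sport, dst, dport, proto = row.split()
        if proto == "tcp" and int(dport) in BOTENAGO_PORTS:
            hits.append((src, dst, int(dport)))
    return hits
```

A listener on either port, or a recurring inbound flow to one, is a reason to pull the binary and check the device for the listed CVEs' patches.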

Hard to detect

BotenaGo is written in Golang, which makes it harder to detect and reverse engineer. 
  • This malware was detected by only six out of 62 antivirus engines on VirusTotal.
  • Some of the AV engines flagged this malware as Mirai.

Additional insights

Researchers also indicated that they were not able to identify active C2 communication from the analyzed sample. Therefore, they suspect that this malware could be:
  • a small modular component of some multi-stage malware,
  • a new tool used by Mirai operators on certain systems, or
  • a leaked sample of unfinished malware.

Concluding notes

Although BotenaGo still seems to be under development, it can become a potent threat, as it targets some of the most popular brands of modems, routers, and NAS devices on the market. Moreover, since it is written in Golang, its operators could run this malware on different operating systems with only slight modifications.

Cyware Publisher