A new Go-based botnet called HinataBot (named after a character from the popular anime series Naruto) has surfaced on the threat landscape. It was first discovered in January in HTTP and SSH honeypots, where it was abusing old vulnerabilities and weak credentials.
Introduction to HinataBot
According to Akamai’s SIRT, the botnet exploited arbitrary code execution flaws in the miniigd SOAP service of the Realtek SDK (CVE-2014-8361) and in Huawei HG532 routers (CVE-2017-17215) to spread its infection.
Additionally, exposed Hadoop YARN servers with weak credentials were also abused by the botnet to launch attacks.
In terms of capabilities, HinataBot uses protocols such as HTTP, UDP, TCP, and ICMP to send traffic during DDoS attacks.
However, in the latest version, the authors have narrowed this down to only HTTP and UDP for attacks.
Mirai influence
The threat actors behind HinataBot were originally distributing Mirai binaries before they began developing their own botnet in mid-January.
Based on their observations, researchers claim that the new botnet is the Golang version of Mirai and that it appears to follow some of Mirai's processes and attack methods.
These similarities include the way HinataBot sets up communication and the way it parses commands to launch attacks.
As it is still in the development stage, it’s difficult to predict the future attack scope of HinataBot.
Go-based botnets on the rise
In the last couple of years, cybercriminals have shown increasing interest in Golang due to its high performance, ease of multi-threading, and cross-compilation support.
Last week, a botnet named GoBruteforcer was spotted scanning and infecting popular web servers to launch targeted attacks. It is specifically designed to target web servers running phpMyAdmin, MySQL, FTP, and Postgres services.
A multi-purpose Go-based botnet called Chaos became a matter of security concern as it expanded its cryptomining and DDoS attacks to target Windows and Linux devices across Europe.
In another instance, a new GoTrim botnet was spotted scanning and brute-forcing websites using the WordPress CMS to launch DDoS attacks.
Conclusion
HinataBot is the latest in the ever-growing list of emerging Go-based threats. By leaning on older and proven techniques, such as those used by Mirai, the attackers plan to focus on upgrading the evasion techniques of the botnet. While HinataBot is continuously being monitored, organizations are advised to update the firmware of the affected products. They can also leverage the IOCs to understand the current attack patterns of the attackers.