Flash Notice - BotenaGo Botnet Could Affect Millions of Routers & IoT Devices

November 17, 2021

Overview of botenago

A new botnet named BotenaGo has been seen in the wild targeting a number of IoT devices and routers. AT&T’s Alien Labs published a report about the recently discovered malware and stated that it can exploit up to 30 different vulnerabilities against its targets. BotenaGo is written in the open-source programming language Golang - a programming language designed by Google with networking in mind.

Researchers are not sure who is behind the exploit, but the malware-scanning tool, Shodan, showed that BotenaGo could be a modified version of a malware botnet called Mirai. Mirai was last used in 2016 to carry out DDoS attacks. Despite the malware scan, AT&T Alien Labs doesn’t believe that Mirai and BotenaGo are one in the same. The two malware don’t have the same attack functions, but it’s possible that they were designed to work together.

BotenaGo is capable of creating botnets that function across a variety of device types, gaining access to networks and allowing hackers to carry out DDoS attacks. Additionally, the malware creates a backdoor and waits to receive a target to attack through port 19412 or from another related module running on the same machine The Botnet exploits devices with flaws related to the following CVEs:

CVE-2015-2051, CVE-2020-9377, CVE-2016-11021: D-Link routers
CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-6334: Netgear devices
CVE-2019-19824: Realtek SDK based routers
CVE-2017-18368, CVE-2020-9054: Zyxel routers and NAS devices
CVE-2020-10987: Tenda products
CVE-2014-2321: ZTE modems
CVE-2020-8958: Guangzhou 1GE ONU

Although BotenaGo is still in the beta phase and has been accidentally leaked, any botnet with this kind of potential is particularly concerning for the health care industry and other industries. Researchers are not sure how many devices BotenaGo has infected or how widespread the malware has become. Considering hospitals and other medical facilities run their daily operations using IoT devices, it’s always a good idea to be vigilant with addressing exploits like BotenaGo before they get a chance to infect systems and devices.

How Avertium is Protecting Our Clients

Increasing visibility within your environment is crucial when trying to prevent or mitigate a potential attack from botnets like BotenaGo. Avertium offers EDR endpoint protection through SentinelOne, Sophos, and Microsoft Defender.
- SentinelOne prevents threats and extends protection from the endpoint to beyond. Find threats and eliminate blind spots with autonomous, real time, index-free threat ingestion and analysis that supports structured, unstructured, and semi-structured data.
- Our partners, Microsoft and Sophos, also offer endpoint protection. Sophos can help secure your environment by protecting and prioritizing potential threats. Microsoft Defender provides real-time threat detection, as well as firewall and network protection. The program comes standard with Windows.

Avertium's recommendations

Patch all devices
Use stronger passwords
Monitor network traffic regularly
Provide training for IT staff on how to handle IoT medical devices

indicators of compromise (iocs):

0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad
http://107[.]172.30.215/shell/wget.sh
http://rippr[.]cc/u
http://107[.]172.30.215/b
http://37[.]0.11.220/g+-O-
http://107[.]172.30.215/l
http://107[.]172.30.215/a/wget.sh
http://107[.]172.30.215/multi/wget.s
http://37[.]0.11.220/a/wget.sh
http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_64bot.arm7
http://107[.]172.30.215/arm/arm5/arm7/i586/i686/m68k/mips/mipsel/powerpc/sh4/sparc/x86_bot.mips