Millions of IoT Devices and Routers Exposed to BotenaGo Malware

A new strain of malware has been spotted and dissected by security researchers. The new malware is named BotenaGo and targets Internet of Things devices, an ever-growing group of Internet-enabled technology that is showing up more and more often in homes.

Researchers working with AT&T Alien Labs published a research article on their blog, detailing how BotenaGo works. The malware targets as many as 30 different vulnerabilities found in IoT devices, all bundled in a convenient package for hackers to abuse.

Even though some anti-malware platforms detect the new malware as a variant of the infamous Mirai botnet, which also targets IoT devices, closer inspection shows this is not really the case. Unlike Mirai, BotenaGo is written and compiled in Google's Go, a programming language similar to C that has been around for over 10 years and is slowly picking up in popularity, gaining traction among malware authors as well.

BotenaGo has a built-in scanner that provides its operators with a live count of infected and compromised devices. By exploiting the vulnerabilities the malware targets, threat actors and operators can run shell commands on infected devices remotely. This could serve as a stepping stone to gaining access to the wider network in which the compromised IoT device sits.

The malware also provides the tools to upload malicious payloads, but during the analysis performed by AT&T, researchers found the servers intended for hosting those payloads were empty.

Although, given its capabilities and the exploits it targets, BotenaGo could be used to attack a potential pool of millions of devices, the malware's command and control servers were found idle, with no communication taking place between infected devices and the hackers.

Whether this means BotenaGo has not yet been brought online by the threat actors developing it, or that it is just one piece of a larger puzzle and a broader malware toolkit that is currently not in use, is anyone's guess.

November 16, 2021