IoT Device with Malware!

    THREAT HUNTER (GUARD YOUR DEVICE)

Threat News #0002

January 28, 2022





Threat Name      : BotenaGo Malware

Affected Systems : Linksys, D-Link, Netgear, and ZTE devices.

Attack Vector    : Exploitation of known vulnerabilities

Threat Detail


The researcher who discovered a dangerous malware sample that targets millions of routers and Internet of Things (IoT) devices has released its source code on GitHub, allowing other criminals to quickly build new variants or use the tool as-is in their own attack campaigns. Researchers first identified the malware, which they named "BotenaGo", last November. It is written in Go, a programming language popular with malware authors, and includes exploits for more than 30 different vulnerabilities in products from a range of vendors, including Linksys, D-Link, Netgear, and ZTE.

BotenaGo is designed to run remote shell commands on systems where a vulnerability has been successfully exploited. According to an analysis by Alien Labs from last year, when the malware was first discovered, BotenaGo has two separate mechanisms for receiving targeting commands. One sets up a listener on the system's standard input and takes target information from it; the other opens two backdoor ports and listens on them for the IP addresses of target devices. BotenaGo is small, only 2,891 lines of code, which makes it a convenient starting point for further variants. Another feature malware authors are likely to find attractive is its collection of exploits for more than 30 vulnerabilities in a variety of routers and IoT devices. Among the many flaws BotenaGo can exploit are CVE-2015-2051 in certain D-Link wireless routers, CVE-2016-1555 in Netgear products, CVE-2013-3307 in Linksys devices, and CVE-2014-2321 in certain ZTE cable modem models.

Suggestion

  • Install an antivirus, and keep it up-to-date and running.
  • Install a multilayered protection system to detect, prevent, and resolve malware infections and attacks.
  • Keep all operating systems and software up-to-date with the latest patches from legitimate vendors.

Impact

  • Allows the attacker to execute remote shell commands on compromised systems.
  • Enables malicious activity that can steal data from affected devices.

Indicators of Compromise (IOC)

IP addresses (defanged):
86[.]110.32.167
179[.]43.187.197
2[.]56.56.78
209[.]141.59.56
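The IP indicators above are published defanged ("[.]" in place of "."), so they cannot be pasted straight into a log search. The following script, added here as an example and not part of the bulletin or of any vendor tooling, refangs and validates the bulletin's IPs and then matches them against connection-log lines; the log lines are constructed samples in a generic firewall "src=/dst=" format, not real traffic.

```python
"""Match this bulletin's defanged IP indicators against firewall/connection logs."""
import ipaddress
import re
from typing import Iterable

# Defanged destination IPs exactly as published in the bulletin above.
BULLETIN_IPS = ["86[.]110.32.167", "179[.]43.187.197", "2[.]56.56.78", "209[.]141.59.56"]

# Constructed sample log (not real traffic) in a generic "src=... dst=..." firewall format.
SAMPLE_LOG = """\
Jan 28 10:02:11 gw kernel: [FW] OUT src=192.168.1.23 dst=209.141.59.56 proto=TCP dpt=443
Jan 28 10:02:13 gw kernel: [FW] OUT src=192.168.1.23 dst=142.250.74.206 proto=TCP dpt=443
Jan 28 10:03:40 gw kernel: [FW] OUT src=192.168.1.40 dst=86.110.32.167 proto=TCP dpt=80
Jan 28 10:04:02 gw kernel: [FW] IN  src=2.56.56.78 dst=192.168.1.1 proto=TCP dpt=22
"""

# Matches the src= and dst= fields of a log line and captures the direction and the IPv4 address.
ADDR_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '86[.]110.32.167' back into its real form."""
    return indicator.strip().replace("[.]", ".")


def load_ioc_ips(defanged: Iterable[str]) -> set:
    """Refang every indicator and keep only values that parse as real IP addresses."""
    ioc_ips = set()
    for raw in defanged:
        try:
            ioc_ips.add(str(ipaddress.ip_address(refang(raw))))
        except ValueError:
            # Skip malformed entries instead of silently matching garbage.
            continue
    return ioc_ips


def find_ioc_hits(log_text: str, ioc_ips: set) -> list:
    """Return (line_no, ip, direction) for each log line whose src or dst is a known bad IP."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for field, ip in ADDR_RE.findall(line):
            if ip in ioc_ips:
                hits.append((line_no, ip, "outbound" if field == "dst" else "inbound"))
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG, load_ioc_ips(BULLETIN_IPS)):
        print("IoC hit: line %d, %s, %s" % hit)
```

Outbound hits (a LAN host talking to a listed address) are the ones most consistent with an already-infected device and deserve the first look.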



File hashes (SHA-1):

References:



© SAS Threat Hunter 

Contact sasmoza.enterprise Sdn. Bhd. to subscribe to Threat News.

