Researchers at AT&T Alien Labs said they have found new malware written in the open-source programming language Golang. Deployed with more than 30 exploits, it has the potential to target millions of routers and IoT devices.
Golang (also known as Go) is an open-source programming language designed by Google and first published in 2007 that makes it easier for developers to build software.
According to a recent Intezer post, the Go programming language has dramatically increased in its popularity among malware authors in the last few years. The site suggests there has been a 2,000% increase in malware code written in Go being found in the wild.
Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems.
BotenaGo currently has a low antivirus (AV) detection rate, with only 6/62 known AV engines on VirusTotal flagging it. Some AVs detect these new Go malware variants as Mirai malware — the payload links do look similar.
The new BotenaGo malware exploits more than 30 vulnerabilities and affects a variety of routers, modems, and NAS devices. The malware creates a backdoor and waits to receive a target to attack, either from a remote operator through port 19412 or from another related module running on the same machine. It is not yet clear which threat actor is behind the malware or how many devices are infected.
But researchers say BotenaGo does not have any active communication with its C&C, which suggests three ways it may operate.
The malware is part of a “malware suite”, and BotenaGo is only one module of infection in an attack. In this case, there should be another module either operating BotenaGo (by sending it targets) or simply updating the C&C with a new victim’s IP.
The links used for the payload after a successful attack imply a connection with the Mirai malware. BotenaGo could be a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected endpoint and supplying the targets.
The malware is still in a beta phase and has been accidentally leaked.
The team's recommendations include keeping software current with the latest security updates, minimising the exposure of Linux servers and IoT devices to the Internet, using a properly configured firewall, and monitoring network traffic for outbound port scans and unreasonable bandwidth usage.
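Two of the behaviours described above, the backdoor's port 19412 command channel and the outbound port scanning that the recommendations say to watch for, can be checked in flow logs. This added Python example is not from the Alien Labs report; it runs both checks over constructed flow records, and the 192.168.1.0/24 segment, the 60-second window and the six-target threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

OPERATOR_PORT = 19412        # listening port named in the report
SCAN_WINDOW = 60             # constructed threshold, seconds
SCAN_MIN_TARGETS = 6         # constructed threshold, distinct remote host:port
LOCAL_NET = ip_network("192.168.1.0/24")   # assumed monitored segment

# Constructed flow records (not from the report): epoch,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
1000,192.168.1.30,93.184.216.34,443
1005,203.0.113.9,192.168.1.20,19412
1010,192.168.1.20,198.51.100.1,80
1011,192.168.1.20,198.51.100.2,80
1012,192.168.1.20,198.51.100.3,8080
1013,192.168.1.20,198.51.100.4,80
1014,192.168.1.20,198.51.100.5,8443
1015,192.168.1.20,198.51.100.6,80
1100,192.168.1.30,198.51.100.1,80
"""

def parse_flows(text):
    """Return (epoch, src, dst, dport) tuples, skipping blank and comment lines."""
    rows = [l.split(",") for l in text.splitlines() if l.strip() and l[0] != "#"]
    return [(int(t), s, d, int(p)) for t, s, d, p in rows]

def find_operator_channel(flows):
    """Connections to port 19412 on a local device: the backdoor's command path."""
    return sorted({(dst, src) for _, src, dst, port in flows
                   if port == OPERATOR_PORT and ip_address(dst) in LOCAL_NET})

def find_outbound_scanners(flows):
    """Local hosts touching >= SCAN_MIN_TARGETS distinct remote host:port pairs
    inside any SCAN_WINDOW-second sliding window: the exploit-spraying phase."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if ip_address(src) in LOCAL_NET and ip_address(dst) not in LOCAL_NET:
            by_src[src].append((ts, dst, port))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            if len({(d, p) for _, d, p in events[start:end + 1]}) >= SCAN_MIN_TARGETS:
                scanners.add(src)
                break
    return sorted(scanners)
```

On the sample records, 192.168.1.20 is reported both as the host accepting the port 19412 connection and as the only outbound scanner, while 192.168.1.30's two ordinary web flows stay below the threshold.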