The cybersecurity arm of America AT&T, called the AT&T Alien Labs, has found a new malware that’s designed to affect Internet of Things (IoT) hardware. The malware is written using Google’s open-source programming language GoLang, and “has the potential of targeting millions of routers and IoT devices”. Alien Labs named the malware BotenaGo and noted that the threat actor(s) behind the malware and the total number of infected devices are unclear right now.
The firm also said that the malware has “low antivirus detection rate” at this point, with only six out of 62 security vendors who have flagged the malware. “Some AVs detect these new malware variants using Go as Mirai malware — the payload links do look similar. However, there is a difference between the Mirai malware and the new malware variants using Go, including differences in the language in which it is written and the malware architectures,” Alien Labs added in a blog post.
The firm also pointed out that some antivirus software recognized the malware as Mirai, which is a virus that affected many IoT devices back in 2016. According to web infrastructure and security provider, Cloudflare, the malware was created by 21-year-old Paras Jha and 22-year-old Josiah White who co-founded a firm called Protraf Solutions at the time. “Theirs was a classic case of racketeering: Their business offered Distributed Denial of Service (DDoS) mitigation services to the very organizations their malware attacked,” the company wrote in a blog.
Alien Labs noted that while the two malware do look similar, BotenaGo is distinct in the fact that it’s written using GoLang, and that it has different attack functions than Mirai. BotenaGo also doesn’t have DDoS functionality, which was a central element of Mirai. DDoS attacks disrupt a network by overloading them with fake traffic.
Attackers can also execute remote commands using BotenaGo, which can be used to gain access to wider networks through one device. “Depending on the infected system, the malware uses different links, each with a different payload. At time of analysis, all the payloads had been removed from the hosted servers by the attacker(s), and so Alien Labs could not analyze any of them,” the company said, while detailing a host of routers that have been affected by the malware so far. The names included devices from well-known firms like LinkSys and D-Link.
Alien Labs recommended that routers should be updated with the latest security updates in order to protect from BotenaGo. They also advised IT teams to ensure “minimal exposure to the Internet” for Linux servers and IoT devices.