The Akamai Security Intelligence Response Team (SIRT) recently reported the discovery of a newly developed Go-based botnet, named “HinataBot” by researchers. This botnet is focused on Distributed Denial of Service (DDoS) attacks and appears to have been named after a character from the popular anime series, Naruto, by the malware author.
CVE-2014-8361, CVE-2017-17215 Used in DDoS Attacks
Observed infection attempts involved exploiting the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), taking advantage of a vulnerability in Huawei HG532 routers (CVE-2017-17215), and targeting exposed Hadoop YARN servers (CVE not available).
It is noteworthy that the Huawei vulnerability, in particular, was used in 2018 by a malware author known as Anarchy to build a botnet that compromised more than 18,000 routers in a single day. According to security researchers, Anarchy may be the same hacker who previously used the Wicked nickname and who is behind some Mirai variants (Wicked, Omni, and Owari).
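As an added example (not taken from the Akamai report or this article), the following sketch triages HTTP honeypot logs for the three infection vectors listed above and flags sources that probe more than one of them. The log format, sample lines and function names are constructed for illustration; the ports and request paths are the publicly documented ones for these services and are not given in the article.

```python
import re

# Request signatures for the three infection vectors named in the article.
# Ports and paths are the publicly documented ones for each service
# (assumption: they are not given in the article itself).
VECTORS = [
    ("CVE-2014-8361 Realtek miniigd SOAP", 52869,
     re.compile(r"^/(picsdesc|wanipcn)\.xml$")),
    ("CVE-2017-17215 Huawei HG532", 37215,
     re.compile(r"^/ctrlt/DeviceUpgrade_1$")),
    ("Hadoop YARN ResourceManager API", 8088,
     re.compile(r"^/ws/v1/cluster/apps(/new-application)?$")),
]

# Hypothetical honeypot log format: timestamp src_ip dst_port method path
LINE = re.compile(r"^(\S+) (\S+) (\d+) ([A-Z]+) (\S+)$")

def classify(line):
    """Return a finding dict for a matching POST request, else None."""
    m = LINE.match(line.strip())
    if not m or m.group(4) != "POST":
        return None
    src, port = m.group(2), int(m.group(3))
    path = m.group(5).split("?", 1)[0]  # ignore any query string
    for name, usual_port, pattern in VECTORS:
        if pattern.match(path):
            # The right path on an unusual port is still worth a look.
            confidence = "high" if port == usual_port else "medium"
            return {"src": src, "vector": name, "confidence": confidence}
    return None

def multi_vector_sources(lines):
    """Sources that probed two or more distinct vectors (likely one scanner)."""
    seen = {}
    for hit in filter(None, map(classify, lines)):
        seen.setdefault(hit["src"], set()).add(hit["vector"])
    return sorted(src for src, vectors in seen.items() if len(vectors) >= 2)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    "2023-03-01T10:00:01Z 192.0.2.10 52869 POST /picsdesc.xml",
    "2023-03-01T10:00:05Z 192.0.2.10 37215 POST /ctrlt/DeviceUpgrade_1",
    "2023-03-01T10:01:12Z 198.51.100.7 8088 POST /ws/v1/cluster/apps/new-application",
    "2023-03-01T10:02:30Z 203.0.113.5 80 GET /index.html",
    "2023-03-01T10:03:44Z 198.51.100.7 80 POST /ctrlt/DeviceUpgrade_1",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(multi_vector_sources(SAMPLE_LOG))
```

A single source touching several of these unrelated services in a short window is a stronger signal of automated botnet scanning than any one request on its own.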
A Look Into HinataBot
HinataBot, a Go-based malware, was uncovered in HTTP and SSH honeypots. The malware is noteworthy due to its large size and the lack of specific identification around its newer hashes. The file names of the malware binaries follow a structure that references a character from the popular anime series Naruto, such as “Hinata-
Because Go offers high performance, easy multi-threading, and cross-compilation for multiple architectures and operating systems, Go-based threats such as HinataBot, GoBruteForcer, and kmsdbot are becoming more prevalent. Attackers may also choose Go for its complexity when compiled, which makes the final binaries more challenging to reverse engineer.
HinataBot has been designed to communicate via multiple methods, such as initiating and accepting incoming connections. In the past, it has been observed to conduct DDoS flooding attacks using protocols like HTTP, UDP, TCP, and ICMP. However, the latest version of HinataBot has limited its attack methods to only HTTP and UDP.
The emergence of HinataBot is a testament to the ever-shifting threat landscape, particularly with respect to botnets. Cybercriminals are consistently coming up with new ways to deploy malicious code, such as coding in different languages and leveraging different distribution networks. By borrowing from established tactics, like those employed by the infamous Mirai, attackers can focus on creating malware that is difficult to detect and capable of evolving over time while incorporating new features, the Akamai team concluded.