New Golang malware (BotenaGo) targeting millions of routers and IoT devices

November 14, 2021

The BotenaGo malware starts by initializing global infection counters that will be printed to the screen, informing the hacker about total successful infections.

It then looks for the 'dlrs' folder to load shell script files. Each loaded script is written out through the format string 'echo -ne %s >> '. If the 'dlrs' folder is missing, the malware stops and exits.

Preparing for the Attack

The malware calls the function 'scannerInitExploits', which maps all offensive functions to their relevant string signatures, representing the targeted system.

Exploit Delivery and Execution

To deliver its exploit, the malware follows this process:

  1. Queries the target with a simple "GET" request.
  2. Searches the returned data for system signatures mapped to attack functions.

Examples of Targeted Systems

  • "Server: Boa/0.93.15" → Mapped to "main_infectFunctionGponFiber" (CVE-2020-8958), allowing OS command execution. A Shodan search reveals nearly 2 million potential targets.
  • "Basic realm="Broadband Router"" → Mapped to "m_infectFunctionComtrend" (CVE-2020-10173).A Shodan search returns approximately 250,000 vulnerable devices.

Malware Capabilities: 33 Exploit Functions

The BotenaGo malware contains 33 exploit functions, each designed to infect potential victims.

Command and Control (C2) Communication

BotenaGo can receive target commands in two ways:

  1. Backdoor Ports (31412 and 19412)
    Port 19412 listens for victim IPs. Once a connection is established, BotenaGo loops through mapped exploit functions and executes them.
  2. System IO (Terminal) User Input
    The malware can receive commands locally via telnet when running in a virtual machine.
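
The two backdoor ports above are the most concrete host-level indicator in this write-up. The following Python script is an added example (not code from the original report or from the malware) that parses `ss -tanp`-style socket output and flags listeners on, or connections involving, ports 31412 and 19412; the sample output, process names and addresses are constructed for the demonstration.

```python
import re
from typing import List, NamedTuple, Optional

# Backdoor ports described in the BotenaGo analysis.
BOTENAGO_PORTS = {31412, 19412}

class Finding(NamedTuple):
    kind: str      # "listener" or "connection"
    local: str
    peer: str
    process: str

def _port(addr: str) -> Optional[int]:
    """Extract the port from an ss-style address such as '0.0.0.0:19412' or '[::]:31412'."""
    m = re.search(r":(\d+)$", addr)
    return int(m.group(1)) if m else None

def scan_ss_output(text: str) -> List[Finding]:
    """Flag sockets involving BotenaGo's backdoor ports in `ss -tanp` output.

    Column layout assumed: State Recv-Q Send-Q Local Peer [Process].
    """
    findings: List[Finding] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("LISTEN", "ESTAB", "SYN-RECV"):
            continue  # header line or a state we do not care about
        state, local, peer = fields[0], fields[3], fields[4]
        proc = fields[5] if len(fields) > 5 else ""
        lport, pport = _port(local), _port(peer)
        if state == "LISTEN" and lport in BOTENAGO_PORTS:
            findings.append(Finding("listener", local, peer, proc))
        elif state != "LISTEN" and (lport in BOTENAGO_PORTS or pport in BOTENAGO_PORTS):
            findings.append(Finding("connection", local, peer, proc))
    return findings

# Constructed sample: a benign sshd/nginx host that also carries BotenaGo-like sockets.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:19412       0.0.0.0:*           users:(("bot",pid=4471,fd=7))
LISTEN 0      128    [::]:31412          [::]:*              users:(("bot",pid=4471,fd=8))
ESTAB  0      0      192.0.2.10:19412    198.51.100.7:51022  users:(("bot",pid=4471,fd=9))
ESTAB  0      0      192.0.2.10:443      203.0.113.5:40112   users:(("nginx",pid=901,fd=12))
"""

if __name__ == "__main__":
    for f in scan_ss_output(SAMPLE_SS_OUTPUT):
        print(f"{f.kind:10} local={f.local:20} peer={f.peer:20} {f.process}")
```

A port match on its own is a weak indicator, so treat a hit as a trigger to inspect the owning process (path, parent, and whether a 'dlrs' folder sits beside the binary) rather than as a confirmed infection.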

BotenaGo’s Exploitation of Vulnerabilities

BotenaGo exploits 30+ vulnerabilities, executing remote shell commands on infected devices. Depending on the system, the malware selects different payload links.

Lack of Active C2 Communication: How Does It Operate?

Despite its capabilities, BotenaGo does not have active communication with a C2 server, raising questions about its operation. Analysts have three theories:

Still in Beta Phase – The malware may have leaked accidentally, explaining the missing payloads.

Part of a Malware Suite – BotenaGo could be one module of a larger attack framework, receiving targets from another module.

Linked to Mirai Malware – The payload links suggest a connection to Mirai, possibly as a new tool for known infected machines.