New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks

Mar 17, 2023Ravie LakshmananCybersecurity / Botnet

A new Golang-based botnet dubbed HinataBot has
been observed to leverage known flaws to compromise routers and
servers and use them to stage distributed denial-of-service (DDoS)
attacks.

“The malware binaries appear to have been named by the malware
author after a character from the popular anime series, Naruto,
with file name structures such as
‘Hinata-<OS>-<Architecture>,'” Akamai said^[1]
in a technical report.

Among the methods used to distribute the malware are the
exploitation of exposed Hadoop YARN servers and security flaws in
Realtek SDK devices (CVE-2014-8361^[2]), Huawei HG532 routers
(CVE-2017-17215^[3], CVSS score: 8.8).

Unpatched vulnerabilities and weak credentials have been a
low-hanging fruit for attackers, representing an easy,
well-documented entry point that does not require sophisticated
social engineering tactics or other methods.

The threat actors behind HinataBot are said to have been active
since at least December 2022, with the attacks first attempting to
use a generic Go-based Mirai variant^[4]
before switching to their own custom malware starting from January
11, 2023.

Since then, newer artifacts have been detected in Akamai’s HTTP
and SSH honeypots as recently as this month, packing in more
modular functionality and added security measures to resist
analysis. This indicates that HinataBot is still in active
development and evolving.

The malware, like other DDoS botnets of its kind, is capable of
contacting a command-and-control (C2) server to listen for incoming
instructions and initiate attacks against a target IP address for a
specified duration.

While early versions of the botnet utilized protocols such as
HTTP, UDP, TCP, and ICMP to carry out DDoS attacks, the latest
iteration is limited to just HTTP and UDP. It’s not immediately
known why the other two protocols were axed.

Akamai, which conducted 10-second attack tests using HTTP and
UDP, revealed that the HTTP flood generated 3.4 MB of packet
capture data and pushed 20,430 HTTP requests. The UDP flood, on the
other hand, created 6,733 packets for a total of 421 MB of packet
capture data.

In a hypothetical real-world attack with 10,000 bots, a UDP
flood would peak at more than 3.3 terabit per second (Tbps),
resulting in a potent volumetric attack. An HTTP flood would
generate a traffic of roughly 27 gigabit per second (Gbps)

The development makes it the latest to join the ever-growing
list of emerging Go-based threats such as GoBruteforcer^[5]
and KmsdBot^[6].

“Go has been leveraged by attackers to reap the benefits of its
high performance, ease of multi-threading, its multiple
architecture and operating system cross-compilation support, but
also likely because it adds complexity when compiled, increasing
the difficulty of reverse engineering the resulting binaries,”
Akamai said.

The findings also come as Microsoft revealed that TCP attacks
emerged as the most frequent form of DDoS attack encountered in
2022, accounting for 63% of all attack traffic, followed by UDP
floods and amplification attacks (22%), and packet anomaly attacks
(15%).

Besides being used as distractions to conceal extortion and data
theft, DDoS attacks are also expected to rise due to the arrival of
new malware strains that are capable of targeting IoT devices and
taking over accounts to gain unauthorized access to resources.

“With DDoS attacks becoming more frequent, sophisticated, and
inexpensive to launch, it’s important for organizations of all
sizes to be proactive, stay protected all year round, and develop a
DDoS response strategy,” the tech giant’s Azure Network Security
Team said^[8].