Go-based HinataBot latest botnet to focus on DDoS attacks
A new Go-based malware is the latest botnet focused on distributed denial of service (DDoS) attacks.
The malware is apparently named “Hinata” by the malware author, after a character from the popular anime series Naruto.
In a blog post Thursday, Akamai researchers dubbed the new botnet HinataBot. The researchers said the threat actors behind HinataBot have been active since at least December 2022, but only started developing their own malware in mid-January 2023.
A sample of the malware was discovered in HTTP and SSH honeypots, where attackers abused weak credentials and old remote code execution vulnerabilities – one dating back almost a decade. The Akamai researchers said that the infection attempts they observed involved exploiting the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A).
When asked where the attacks were aimed, Allen West, a security researcher at Akamai, said they have not observed any attacks that weren’t aimed at themselves.
“Once the C2 is up and running again, we’ll have a clearer picture of it,” West said. “As for machines to be infected, we can only point to the technologies that contain the vulnerabilities that we have seen exploited.”
“Once again we see that there is so much on the internet, largely because people are deploying services and forgetting to manage the infrastructure,” said John Bambenek, chief threat hunter at Netenrich. In this case, we saw exploitation of a nearly 10-year-old vulnerability, Bambenek said.
“Attackers continue to find these resources and then use them to launch further attacks on other organizations,” Bambenek said. “A new DDoS botnet simply means more resources used by criminals to attempt to take services offline. Therefore, leveraging DDoS protection services remains important as it is only a growing attack, especially in times of geopolitical and economic turmoil.”
Mike Parkin, senior technical engineer at Vulcan Cyber, added that malware writers doing more work in the Go language is a case of “picking the right tool for the job.”
“Go has gained notoriety primarily for its ability to cross-compile for different architectures and its ease of use, which makes it attractive to threat actors,” said Parkin. “Regardless of what language malware is written in, threat actors still need to land their payload. The language chosen may provide an attacker with more options, but properly configured and maintained mitigations will still reduce an organization’s attack surface.”