New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks.
"The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata-<OS>-<Architecture>,'" Akamai said in a technical report.
Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and security flaws in Realtek SDK devices (CVE-2014-8361)and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8).
Unpatched vulnerabilities and weak credentials have been a low-hanging fruit for attackers, representing an easy, well-documented entry point that does not require sophisticated social engineering tactics or other methods.
The threat actors behind HinataBot are said to have been active since at least December 2022, with the attacks first attempting to use a generic Go-based Mirai variant before switching to their own custom malware starting from January 11, 2023.
Since then, newer artifacts have been detected in Akamai's HTTP and SSH honeypots as recently as this month, packing in more modular functionality and added security measures to resist analysis. This indicates that HinataBot is still in active development and evolving.
The malware, like other DDoS botnets of its kind, is capable of contacting a command-and-control (C2) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.
"The current C2 is down, so we haven't been able to observe a real life attack as of yet," Allen West, security researcher at Akamai, told The Hacker News. "We are in the process of getting trackers hooked up, though, and will be monitoring for a change of C2 as well. If they become active again we will hopefully be able to observe closely."
While early versions of the botnet utilized protocols such as HTTP, UDP, TCP, and ICMP to carry out DDoS attacks, the latest iteration is limited to just HTTP and UDP. It's not immediately known why the other two protocols were axed.
Akamai, which conducted 10-second attack tests using HTTP and UDP, revealed that the HTTP flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The UDP flood, on the other hand, created 6,733 packets for a total of 421 MB of packet capture data.
In a hypothetical real-world attack with 10,000 bots, a UDP flood would peak at more than 3.3 terabit per second (Tbps), resulting in a potent volumetric attack. An HTTP flood would generate a traffic of roughly 27 gigabit per second (Gbps)
The development makes it the latest to join the ever-growing list of emerging Go-based threats such as GoBruteforcer and KmsdBot.
"Go has been leveraged by attackers to reap the benefits of its high performance, ease of multi-threading, its multiple architecture and operating system cross-compilation support, but also likely because it adds complexity when compiled, increasing the difficulty of reverse engineering the resulting binaries," Akamai said.
The findings also come as Microsoft revealed that TCP attacks emerged as the most frequent form of DDoS attack encountered in 2022, accounting for 63% of all attack traffic, followed by UDP floods and amplification attacks (22%), and packet anomaly attacks (15%).
Besides being used as distractions to conceal extortion and data theft, DDoS attacks are also expected to rise due to the arrival of new malware strains that are capable of targeting IoT devices and taking over accounts to gain unauthorized access to resources.
"With DDoS attacks becoming more frequent, sophisticated, and inexpensive to launch, it's important for organizations of all sizes to be proactive, stay protected all year round, and develop a DDoS response strategy," the tech giant's Azure Network Security Team said.