Akamai researchers have released a report detailing a new Go-based malware they dubbed ‘HinataBot’ that is focused on distributed denial-of-service (DDoS) attacks.
The new botnet was first spotted in January 2023 in HTTP and SSH honeypots abusing old vulnerabilities and weak credentials. The researchers noted that the threat actors behind HinataBot have been active since at least December 2022, with their first attacks attempting to use a generic Go-based Mirai variant. In mid-January 2023, they began developing their own malware, which they are actively continuing to upgrade.
Infection attempts observed by Akamai include exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A) with weak credentials.
HinataBot is capable of contacting a command-and-control (C&C) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.
“HinataBot employs various methods of communication, including both dialing out and listening for incoming connections, and has been observed with distributed denial-of-service (DDoS) flooding attacks that utilize protocols such as HTTP, UDP, TCP, and ICMP to send traffic. However, in the latest version, HinataBot has narrowed down its attack methods to only HTTP and UDP attacks,” the researchers said.
“HinataBot is the latest example of the evolving threat landscape, particularly in relation to botnets. Malware authors are continuing to innovate their use of implementation methods, languages, and distribution methods. By leaning on older, proven techniques, such as those used within Mirai, attackers can focus more on curating pieces that evade detection, continuously evolve, and add new functionality,” Akamai notes.