GitHub is a platform used by millions of people to host and distribute their software projects. Unfortunately, it has also become a prime target for cybercriminals. Malware experts have reported that GitHub has become a haven for malicious actors. These criminals clone legitimate repositories and inject malicious code into them. Recently, the source code for BotenaGo malware was leaked on GitHub, potentially putting millions of Internet of Things (IoT) devices at risk.
BotenaGo
A malicious program written in Google’s Golang programming language poses a potential threat to millions of routers and IoT devices worldwide. Its source code was recently discovered on GitHub, meaning hackers can quickly adapt it and use it in their own malicious campaigns.
BotenaGo, first identified in November 2021 by AT&T Alien Labs researchers, is a backdoor that grants cybercriminals access to devices through 33 exploit functions. It can be deployed independently as an exploit kit or combined with other malware for attacks on targets, according to Ofer Caspi of Alien Labs.
Caspi described how the malware is programmed to search and attack vulnerable devices by scanning the internet for them, then sending them a list of mapped exploit functions. When it finds one, it creates two backdoor ports — 31412 and 19412 — which listen for victim IP addresses before looping through these functions and executing them with that address.
It also has a function that maps all devices on the target network, enabling it to send command terminal strings for malicious tools to each one. This means it can attack multiple targets simultaneously using shell script files – making detection by security experts difficult.
But Caspi expressed concern that attackers could potentially exploit Mirai’s source code to create new variants of the malware. This would likely prompt an uptick in Mirai-related attacks, which will be harder to prevent since its source code is now publicly accessible online.
Another pressing concern is that this malware may be connected to other Mirai malware, so people need to be aware of that. Malware authors are constantly evolving and new techniques can be adapted in order to target devices with enhanced capabilities.
To protect your IoT devices and routers, the best course of action is to keep them updated with firmware and patches, and restrict their exposure to the Internet. Doing this can reduce the number of vulnerabilities exploited by botnets like BotenaGo which have millions of routers and IoT devices on the attack surface.
Octopus Scanner
On March 9th 2020, GitHub Security Labs were alerted by an independent researcher about several GitHub repositories serving malware, likely unintentionally. A subsequent investigation uncovered that this malicious software, named Octopus Scanner, was designed to collect NetBeans projects by infecting their build process.
GitHub often deals with malicious users of its platform, but this attack was unique in that it not only targeted one project but an entire supply chain of 26 GitHub repositories.
The GitHub security team had to dissect the source code to determine which files the malware had infected and then take appropriate measures for containment. After weeks of hard work, they were ultimately successful in stopping its spread, as noted by their blog post.
Munoz noted that he wasn’t sure what the hackers were after in this instance, but it appears they wanted to infect build processes. “This strategy provides attackers with an effective means of transmission and provides more opportunities for malicious actors to operate,” he noted.
Cybercriminals often target software supply chain attacks by taking advantage of vulnerabilities in victims’ applications, allowing them to install malware or steal data. But cybercriminals are increasingly turning their attention toward tools used by developers in creating products and services.
One tool in particular that attracts attackers is the Apache NetBeans IDE, an integrated development environment for Java programming. This IDE has become popular among thousands of software developers and is free and open-source.
Once a developer downloads an infected project from a GitHub repository, the malware activates and infects their machine with the Remote Access Trojan (RAT), sending information to cybercriminals. This enables them to take control of the affected machine and steal information which they then use against other machines or people.
Due to this vulnerability, millions of IoT devices are at risk as attackers can access and steal sensitive data. Furthermore, it’s more challenging to remove than other types of cybercriminal infections as the source code remains on the machine.
Mirai
Recently, the source code for Mirai malware, which powered last month’s historic DDoS attack against KrebsOnSecurity was discovered on GitHub. This provides hackers with an easier opportunity to construct new botnets, potentially placing millions of IoT devices at risk.
Malware is an invaluable weapon for cybercriminals, enabling them to launch DDoS attacks against websites, web applications, APIs and other IT infrastructure by flooding them with automated requests. This enables highly disruptive and destructive attacks which often involve blackmailing victims in order to extract protection money.
Once an infected device is compromised, it can be turned into a zombie that can be remotely controlled by the malware creator. It will then be connected to central command and control (C&C) infrastructure which could then launch DDoS attacks against other computers and networks around the world.
According to a recent report, the Mirai botnet has seen an exponential rise in popularity since it was released into the wild. Researchers have discovered multiple variants of this malware, each with unique capabilities that make detection and blocking more challenging.
Due to this, threat actors have started selling access to botnets built with Mirai source code to hackers who seek new ways of breaching organizations and stealing confidential data. According to Intel471, Mirai has significantly contributed to the growth of the Internet of Things (IoT) malware market and many more similar botnets are likely to appear in the future.
The botnet scans the Internet for IoT devices protected by factory default or hardcoded usernames and passwords, then attempts to crack them using brute-force methods. After obtaining login credentials, it connects to C&C infrastructure and launches attacks against targets.
However, even after your device has been infiltrated by Mirai, it may still be possible to stop its attacks by exploiting a stack buffer overflow vulnerability in its code. Scott Tenaglia of Endpoint firm Invincea reported finding three vulnerabilities in Mirai’s code; one of which can be used to crash HTTP flood attacks against it.
Gafgyt
IoT botnets have become a common tool in cybercrime, enabling threat actors to launch distributed denial-of-service (DDoS) attacks and steal sensitive information. Security firms have recently tracked various IoT malware botnets and observed their popularity increasing. Particularly popular among cybercriminals are Mirai and Gafgyt botnets which can quickly be modified with new exploits by malicious actors.
The malware source code was discovered on GitHub, a public repository for software and applications. Malware authors often use GitHub to publish their code, making it accessible to the public. This makes it easier for attackers to identify vulnerabilities and use them to infect millions of IoT devices with malicious code.
In this instance, malware is targeting routers manufactured by Huawei and Asus that have known security flaws. To protect these devices, researchers suggest updating their firmware and software as well as changing default credentials.
Gafgyt also plans to exploit other IoT devices like cameras, DVRs and printers by employing various DDoS attacks such as UDP flooding and sendHTTPHex; similar to the TCP flood attacks seen in leaked Mirai source code.
This campaign also targets SonicWall’s Global Management System and Apache Struts, two web application frameworks. These vulnerabilities could enable malicious actors to execute remote code execution, access sensitive information and launch DDoS attacks.
The malware spreads by brute forcing, which involves connecting to random IP addresses and trying to login using default usernames and passwords. After failing, it reports back to a command and control (C2) server for further instructions.
Keksec, a threat group specializing in crypto mining and DDoS attacks, appears to be running this campaign. Additionally, they own the Moobot botnet which could be utilized for targeted DDoS attacks against SOHO devices and IoT gadgets.
Furthermore, the attackers behind this new campaign are targeting a broad range of IoT devices as well as Linux servers and Windows-based machines. This makes Gafgyt botnet an especially dangerous malware for network administrators to monitor, since its attack traffic log indicates coordinated attacks against multiple types of devices and services.
