GoLang-Based Botnet Exploiting Vulnerabilities

July 31, 2023

A newly discovered Go-based botnet called HinataBot has been observed exploiting known vulnerabilities to infiltrate routers and servers and launch distributed denial-of-service (DDoS) attacks. It appears to have been named after a character from the popular anime series Naruto, and its binaries follow a file-name pattern of the form “Hinata-<OS>-<Architecture>”.

Akamai’s Security Intelligence Response Team (SIRT) has found that this Mirai-based malware communicates with a command-and-control (C2) server to receive instructions and then launches attacks against a given IP address for a set duration. It has been observed being delivered both through infection scripts and as full payloads.

Akamai’s Security Intelligence Response Team (SIRT)

Akamai has identified a GoLang-based botnet called HinataBot that is capable of launching DDoS attacks up to several terabytes in volume. Researchers from Akamai’s Security Intelligence Response Team (SIRT) have detected evidence of this botnet in HTTP and SSH honeypots.

Naruto Bot is a malicious attack designed to overwhelm targeted devices with more traffic than they can handle. According to Akamai’s SIRT report, this attack can reach up to 3.3 Tbps.

The botnet relies on outdated vulnerabilities and brute-force attacks to distribute its payloads, underscoring the importance of strong passwords and patching policies. It also serves as a reminder that threat actors are constantly seeking new ways to compromise networks and servers, which makes protecting your network essential.

Akamai’s SIRT team conducts vulnerability research and reverse-engineering as part of their ongoing commitment to keeping customers and the Internet secure. These activities give the company insight into how attackers are exploiting vulnerabilities, enabling them to build more effective defenses against such risks.

In addition to malware analysis, the team also investigates DDoS threats and provides training and education to Akamai clients. Comprised of specialists such as malware analysts, reverse engineering specialists, threat analysis specialists, and writing specialists, the group offers a comprehensive service.

They spend time reviewing data and traffic, drawing upon their extensive expertise to identify trends and patterns. This information is then shared across the organization in order to detect and address cyber-attacks quickly and effectively.

According to the report, researchers identified HinataBot in HTTP and SSH honeypots; however, they believe its authors are actively updating its evasion techniques. To gain a more in-depth understanding of HinataBot’s functionalities and distinct attributes, they employed reverse engineering techniques along with simulated attacks to replicate its command and control (C2) server.

Akamai’s SIRT has been closely monitoring Mirai since its inception, and the team observed similarities. The Go-based botnet appears to be using tried-and-true techniques similar to Mirai in order to upgrade its evasion techniques. The team said they will continue monitoring this threat; organizations are encouraged to update firmware on affected products while keeping an eye on the botnet in real-time.

HinataBot’s Attack Methods

Akamai researchers recently identified HinataBot, a Golang-based botnet that utilizes router and server vulnerabilities for DDoS attacks. The botnet is actively being developed and upgraded, according to their technical report.

Akamai’s SIRT team observed the botnet in HTTP and SSH honeypots, where it spreads by exploiting outdated vulnerabilities and weak credentials, according to their research. The malware attempts to exploit security holes in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215), as well as exposed Hadoop YARN servers (no CVE assigned).

Akamai’s research has identified HinataBot as using 512 processes to launch DDoS attacks via HTTP and UDP flooding techniques. It generates and sends hard-coded data packets at specific intervals, with HTTP packet sizes ranging between 484 and 589 bytes, while UDP data size stands at 65,549 bytes.

Akamai’s research revealed that HinataBot generates and sends tens of thousands of requests per second. With just 1,000 nodes, this botnet could deliver an immense 3.3 Tbps in data volume.
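The traffic traits quoted above (fixed-size UDP datagrams of 65,549 bytes, HTTP requests of 484 to 589 bytes, tens of thousands of requests per second per bot) can be turned into a simple flood-detection heuristic for flow telemetry. The following is an added defender-side example, not code from the original page or from Akamai; the flow record shape, the sample sources and the rate thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed per-source, 1-second flow summaries (hypothetical records; not from the
# original page or from Akamai's data), in the shape a NetFlow/IPFIX collector could export.
@dataclass
class FlowSummary:
    src: str            # source address (bot candidate)
    proto: str          # "udp" or "tcp"
    dst_port: int
    pkts_per_sec: int   # packets seen from src in the 1 s window
    avg_payload: int    # mean L4 payload size in bytes (reassembled datagram for UDP)

# Traffic traits quoted in the article: UDP payloads of 65,549 bytes, HTTP requests of
# 484-589 bytes, and tens of thousands of requests per second from a single bot.
UDP_PAYLOAD = 65_549
UDP_MIN_PAYLOAD = 60_000       # assumed floor: near-maximum datagrams arrive fragmented,
                               # so collectors may report slightly different lengths
HTTP_MIN, HTTP_MAX = 484, 589
# Rate thresholds are assumptions for this example; tune them to the monitored link.
HTTP_RATE = 10_000
UDP_RATE = 1_000

def classify(f: FlowSummary) -> Optional[str]:
    """Return a label when a flow matches one of the described flood patterns, else None."""
    if f.proto == "udp" and f.avg_payload >= UDP_MIN_PAYLOAD and f.pkts_per_sec >= UDP_RATE:
        return "udp-flood"
    if (f.proto == "tcp" and f.dst_port in (80, 8080)
            and HTTP_MIN <= f.avg_payload <= HTTP_MAX and f.pkts_per_sec >= HTTP_RATE):
        return "http-flood"
    return None

def suspicious_sources(flows: list) -> dict:
    """Map each source that matches a pattern to its label; benign sources are omitted."""
    return {f.src: label for f in flows if (label := classify(f)) is not None}

# Constructed sample window: two flooding sources and two ordinary clients.
SAMPLE = [
    FlowSummary("198.51.100.7", "udp", 53, 6_500, UDP_PAYLOAD),  # matches the UDP trait
    FlowSummary("203.0.113.9", "tcp", 80, 20_000, 512),          # matches the HTTP trait
    FlowSummary("192.0.2.44", "tcp", 80, 30, 540),               # normal browsing rate
    FlowSummary("192.0.2.45", "udp", 123, 2, 48),                # NTP client
]

if __name__ == "__main__":
    for src, label in suspicious_sources(SAMPLE).items():
        print(f"{src}: {label}")
```

Matches are candidates for rate limiting or further inspection, not proof of infection; the HTTP branch only sees plaintext requests, so TLS-fronted services need the request-size check moved behind the terminating proxy.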

DDoS attacks are a serious issue, as they can bring down entire data centers and cause reboots or hardware malfunctions.

One of the primary reasons DDoS attacks have become so commonplace is their capacity to disrupt online platforms and services. They can also be used as cover for gaining access to sensitive information, or as a vehicle for hacktivism.

HinataBot’s potential to launch a massive DDoS attack makes it an even greater danger. At present, it only supports HTTP and UDP attacks, but development is expected to accelerate steadily over time.

Therefore, organizations should update the firmware of affected devices and check for indicator of compromise (IOC) updates. Doing this can help them prevent future infections caused by this botnet and others like it.

The threat actors behind the new Go-based HinataBot malware have been active since December 2022, initially using a generic Mirai variant before switching to their own malware in January 2023. Their ongoing development indicates they could potentially implement more exploits and expand their targeting scope at any time.

HinataBot’s Components

DDoS attacks aim to overwhelm a target’s infrastructure with an excessive volume of internet traffic, disrupting service. They may be motivated by various reasons such as revenge, blackmail or hacktivism.

Attackers often employ multiple machines to generate more attack traffic and remain stealthier than single systems, making detection or blocking them more challenging. Furthermore, attackers may use spoofing techniques to forge IP sender addresses and obscure legitimate user traffic from malicious activity.

HinataBot initially targeted routers from various vendors and bombarded them with HTTP and UDP traffic. Over time, however, the botnet has narrowed its focus to only using HTTP and UDP attacks – a more efficient strategy for producing large amounts of attack traffic.

Akamai researchers recently identified the HinataBot variant in its HTTP and SSH honeypots, where it has been seen exploiting vulnerabilities dating back to 2014. The most frequently observed infection methods employed by this botnet involved exploiting remote code execution (RCE) vulnerabilities in the miniigd SOAP service of Realtek SDK devices (CVE-2014-8361) and in Huawei HG532 routers (CVE-2017-17215).

HinataBot’s discovery raises an urgent question: are organizations prepared to proactively assess their environment for unpatched vulnerabilities and weak credentials? Doing so is essential to keep threats like HinataBot out of networks. The botnet is also evidence that cybercriminals continue to leverage overlooked, low-hanging resources to circumvent detection, while constantly improving their tooling and adding new functionality.

For instance, attackers have frequently targeted Memcached, a memory-caching daemon that websites deploy to accelerate web transactions and data delivery. Unfortunately, many Memcached instances are not properly secured and leave their operators open to attack.

Additionally, unsecured Internet-of-Things (IoT) devices and the Mirai botnet serve as examples of how cybercriminals can turn connected devices into zombies for DDoS attacks. These types of campaigns typically aim to collect information or cause harm to specific industries or geographies.

Organizations are increasingly utilizing automated threat detection systems, such as those provided by the U.S. Computer Security Incident Response Team (CISA). These tools enable businesses to track and monitor attack patterns in real-time, helping them prevent DDoS attacks before they take place.

HinataBot’s Distribution

A new Go-based botnet that focuses on DDoS attacks has been discovered by cybersecurity researchers at Akamai’s Security Intelligence Response Team (SIRT). It is called HinataBot and reportedly has the ability to launch DDoS attacks reaching 3.3 terabits per second (Tbps).

The threat actors behind this new botnet have been active since at least December 2022, but began developing their own malware in mid-January 2023. The Go-based botnet exploits router and server flaws, including Realtek SDK devices’ miniigd SOAP service (CVE-2014-8361) and Huawei HG532 routers with CVE-2017-17215, as well as exposed Hadoop YARN servers with weak credentials. The attackers use brute force, RCE payloads, and infection scripts to spread the malware.

Once an infection is achieved, the botnet remains stealthy and waits for commands from a command-and-control (C2) server. This resembles the structure of other public Go-based Mirai variants.

While the malware is currently able to attack using HTTP and UDP floods, it could expand to other protocols as the threat actors evolve their implementation. This is particularly true of the newer versions, which feature functional improvements and anti-analysis additions that make reverse engineering harder.

The malware is based on Mirai, but has been modified to add functionality and resistance to analysis. During a DDoS attack, it sends hardcoded data packets to its target for a specified duration. These packets can be particularly large, with UDP flooding generating data volumes that reach 3.3 Tbps. However, these are theoretical capabilities only. The real impact of these attacks depends on the number of nodes and bandwidth capabilities, among other factors.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


5 Critical Components For Robust IT and OT Security

5 Critical Components For Robust IT and OT Security

Discover the 5 critical components for robust IT and OT security. Protect your systems and operations effectively. Industrial processes like manufacturing, water treatment, energy distribution, transportation and healthcare rely on a highly specialized collection of...

Lacework Launches Secured by Women Initiative

Lacework Launches Secured by Women Initiative

Empowering women in cybersecurity, Lacework launches Secured by Women initiative, fostering diversity, and enhancing digital security. In celebration of International Women’s Day and throughout March, the data-driven cloud security company launched an ongoing...

Fortinet Secure Web Gateway Takeover

Fortinet Secure Web Gateway Takeover

Fortinet Secure Web Gateway Takeover: Uncovering the implications of this cybersecurity event and its impact on online security. The latest Fortinet bug is a critical heap buffer overflow that can lead to RCE. It affects FortiGate firewalls, FortiProxy web proxies and...

Recent Case Studies

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us