"Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub"

The authors of BotenaGo have uploaded the malware's source code to GitHub, where other criminals can use it as is or develop new variants. Cybersecurity researchers at AT&T Alien Labs first discovered BotenaGo in November 2021; it leverages more than 30 different vulnerabilities in products from Linksys, D-Link, Netgear, and other vendors, and because it exploits over 30 vulnerabilities, the researchers warned that it could impact millions of routers and IoT devices. The malware is written in the Go programming language, which has been growing in popularity among developers and malware authors alike. According to the researchers, BotenaGo executes remote shell commands on systems where it has successfully exploited a vulnerability. An analysis revealed that the malware uses two different methods to receive commands for targeting victims, one of which involves two backdoor ports on which it listens for and receives the IP addresses of targeted devices. The researchers also found that BotenaGo's payload links are similar to those used by the operators of the Mirai botnet, leading Alien Labs to believe that BotenaGo is a new tool the Mirai operators use to target specific machines known to them. The unknown authors' decision to make BotenaGo's source code publicly available on GitHub could lead to an increase in BotenaGo variants as other threat actors reuse the code in their own attack campaigns. Alien Labs has already observed new BotenaGo samples being used to spread Mirai botnet malware to IoT devices and routers, and one of BotenaGo's payload servers is also listed among the indicators of compromise for the Log4j vulnerabilities. At 2,891 lines of code, BotenaGo is a convenient starting point for several new variants, and Alien Labs expects to see new campaigns involving BotenaGo variants targeting routers and IoT devices globally. This article continues to discuss the leak of BotenaGo's code to GitHub as well as the discovery and potential impact of the malware.

Dark Reading reports "Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub"

Submitted by Anonymous on