September 22, 2023

A new Go-based malware named Hinata is the latest botnet focused on DDoS attacks. This is named after a character from the popular anime series Naruto.

Researchers named the new botnet HinataBot. The threat actors behind it have been active since at least December 2022, but only began developing their own malware in mid-January 2023. According to the researchers, they have so far only been able to observe attacks by launching them at themselves.

A sample of the malware was discovered in HTTP and SSH honeypots abusing weak credentials and old remote code execution vulnerabilities, one dating back almost a decade. The Akamai researchers said the infection attempts they observed include exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (no CVE assigned).

Organisations deploy services and then forget to manage the infrastructure. Attackers continue to find these resources and use them to mount further attacks on other organisations, as shown here by the exploitation of a vulnerability that is nearly 10 years old.

A new DDoS botnet simply means more resources for criminals to use in attempts to knock services offline. Using DDoS protection services therefore remains important, because DDoS is a growing attack type, particularly in a period of geopolitical and economic turmoil.

Go has become best known for its ability to cross-compile for different architectures and its ease of use, which makes it attractive to threat actors.

Regardless of the language malware is written in, threat actors still have to land their payload. The chosen language may give an attacker some additional options, but properly configured and maintained defences will still reduce an organisation's threat surface.

This research was documented by researchers from Akamai.

Indicators of Compromise

IP Address

  • 77.73.131.247
  • 156.236.16.237
  • 185.112.83.254

Ports

  • 61420
  • 4120
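The IP addresses and ports above are only useful once they are checked against traffic. The following is an added example, not part of the original post or the Akamai report: it sweeps constructed firewall-style connection log lines for the listed C2 addresses and ports, and grades a match so that a port-only hit (which is a weak signal on its own) is not treated the same as a hit on a known C2 address.

```python
import re

# Indicators taken from the IoC list on this page.
C2_IPS = {"77.73.131.247", "156.236.16.237", "185.112.83.254"}
C2_PORTS = {61420, 4120}

# Constructed sample log lines in a simple key=value firewall format; not real traffic.
SAMPLE_LOG = """\
2023-09-22T10:01:02Z src=10.0.0.5 dst=77.73.131.247 dport=61420 proto=tcp action=allow
2023-09-22T10:01:05Z src=10.0.0.7 dst=93.184.216.34 dport=443 proto=tcp action=allow
2023-09-22T10:02:11Z src=10.0.0.9 dst=203.0.113.8 dport=4120 proto=tcp action=allow
2023-09-22T10:03:40Z src=10.0.0.5 dst=185.112.83.254 dport=80 proto=tcp action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def classify(line):
    """Return (confidence, reason) for one log line, or None if nothing matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, dport = m.group("dst"), int(m.group("dport"))
    ip_hit = dst in C2_IPS
    port_hit = dport in C2_PORTS
    if ip_hit and port_hit:
        return ("high", f"known C2 {dst} on listed port {dport}")
    if ip_hit:
        return ("medium", f"known C2 {dst} on non-listed port {dport}")
    if port_hit:
        # A bare port match needs corroboration; many benign services reuse high ports.
        return ("low", f"listed port {dport} only, destination {dst} not in IoC list")
    return None


def scan(log_text):
    """Return (src, confidence, reason) for every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append((LINE_RE.match(line).group("src"), *result))
    return hits


if __name__ == "__main__":
    for src, confidence, reason in scan(SAMPLE_LOG):
        print(f"[{confidence}] {src}: {reason}")
```

Hosts that appear with a high or medium grade should be pulled for the credential and patch checks the post describes (weak SSH/HTTP credentials, CVE-2014-8361, CVE-2017-17215), since the C2 connection is the symptom rather than the entry point.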

CVEs

  • CVE-2017-17215
  • CVE-2014-8361

File Names


Hashes

