HinataBot and the Evolution of IoT Malware 

How the Mirai botnet creators used Golang to make it even more sophisticated and dangerous

A new botnet called HinataBot, developed using the Go programming language, has been discovered by Akamai’s Security Intelligence Response Team. This botnet has been active since the beginning of 2023 and is actively updated by its authors. The malware was distributed by abusing old vulnerabilities and weak credentials, including exploitation of the miniigd SOAP (Simple Object Access Protocol) service on Realtek SDK devices, Huawei HG532 routers, and exposed Hadoop Yet Another Resource Negotiator (YARN) servers.  

Mirai is a type of malware that targets Internet of Things (IoT) devices, such as routers, IP cameras, and digital video recorders, and turns them into a botnet that can be used to launch distributed denial of service (DDoS) attacks. Mirai first appeared in August 2016 and quickly gained notoriety for its ability to launch massive DDoS attacks. 

The emergence of HinataBot represents a significant evolution of IoT malware and a potential threat to internet infrastructure. The fact that HinataBot has been developed by former Mirai hackers makes it particularly concerning, as they have a proven track record of developing powerful and disruptive botnets. 

The Evolution of Mirai  

The Mirai botnet has evolved significantly since its first appearance. Here is a detailed look at some of the noteworthy events that have shaped the evolution of Mirai: 

  • August 2016: The first version of Mirai is discovered by security researchers. The botnet is used to launch a DDoS attack against the website of journalist Brian Krebs. The attack peaked at 620 Gbps, which at the time was more than twice the size of the previous record. 
  • September 2016: Mirai is used to launch a series of DDoS attacks against internet service provider (ISP) Dyn, which disrupts access to major websites like Twitter, Reddit, and Netflix. The attack peaks at 1.2 Tbps, making it one of the largest DDoS attacks ever recorded. This event highlights the potential damage that can be caused by a powerful botnet like Mirai. 
  • October 2016: The source code for Mirai is released publicly on the internet, which allows other cybercriminals to create their own versions of the botnet. This leads to a proliferation of Mirai variants, which makes it more difficult for security researchers to track and defend against the botnet. 
  • November 2016: An updated version of Mirai, known as “Satori,” is discovered. It is more advanced than the original version and has additional features, such as the ability to infect devices running on the ARM architecture. This updated version of Mirai demonstrates that the botnet’s creators are continuously improving and evolving the malware. 
  • January 2017: Another version of Mirai, known as “Hajime,” is discovered. Unlike previous versions, Hajime is designed to be stealthier and does not have a command-and-control server. This makes it more difficult for security researchers to track and shut down the botnet. 
  • September 2017: A new version of Mirai, known as “OMG,” is discovered. It is designed to target devices running on Acquisition Resource Center (ARC) processors and is considered one of the most sophisticated versions of Mirai. This version is notable for its ability to evade detection by security software. 
  • February 2018: A new variant of Mirai, known as “Okiru,” is discovered. It is designed to target devices running on the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture and is notable for being written in the Go programming language, which makes it more efficient and harder to detect. This recent version of Mirai demonstrates that the botnet’s creators are constantly looking for new ways to improve and evolve the malware. 

The New Generation of Mirai 

One of the most significant aspects of HinataBot is its efficiency. According to researchers, it can generate DDoS traffic at a rate of over 3 Tbps, making it more powerful than even the most vicious Mirai attacks. This is achieved with far fewer resources than Mirai, which makes it more dangerous and difficult to detect and mitigate. 

For perspective, if HinataBot can generate DDoS traffic at 3 Tbps, it would be more than twice the size of the Mirai attack, making it one of the largest DDoS attacks ever recorded. Such a powerful botnet could cause significant disruptions to the targeted websites and services, potentially taking them offline for extended periods of time. 

Golang (Go) Programming Language 

One of the factors that have contributed to HinataBot’s efficiency is the programming language it is written in. Golang, the high-level programming language used to develop HinataBot, is more efficient and provides better error handling and memory management than traditional programming languages like C and C++. This allows malware authors to create powerful and resource-efficient botnets like HinataBot. 

Golang (Go) has built-in support for concurrency, which makes it easier to write code that can handle multiple tasks simultaneously. This is important for malware authors who want to create botnets that can perform a variety of tasks, such as scanning for vulnerable devices, infecting them, and launching DDoS attacks. It is also a cross-platform language that can run on multiple operating systems and hardware architectures, which makes it easier for malware authors to write code that can infect a wide range of devices and platforms. 

Go is a new programming language, which means that it is still evolving and improving. However, it is designed to be easy to learn and use, with a simple syntax and structure. This makes it an attractive option for malware authors who may not have extensive programming experience. Because Go is a new programming language, there are fewer security tools and techniques available for detecting malware written in this language. This makes it easier for malware authors to evade detection and remain hidden for longer periods of time. 

Malware authors are switching to Golang for malware development because it provides several advantages over traditional programming languages. As Go becomes more mainstream, they are increasingly using it to develop powerful and efficient botnets like HinataBot. 

HinataBot Technical Details 

HinataBot’s infection campaigns involve a mix of infection scripts and full payloads using two primary vulnerabilities: a Hadoop YARN RCE (Remote Code Execution) and a vulnerability in the miniigd SOAP service within Realtek SDK devices. The attackers used multiple versions of infector scripts, which were updated over time. In SSH (Secure Shell) honeypots, the attackers used brute-force tactics to gain access, attempting common username and password combinations. 

HinataBot was distributed as Go binaries designed to run on various architectures and operating systems. The attackers developed specialized payloads for multiple platforms, likely due to ease of cross-compilation, as well as the prevalence of IoT and small office/home office devices running less common Central Processing Unit (CPU) architectures. 
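
For defenders triaging samples pulled from a honeypot or an affected device, the cross-compiled Go payloads described above can be sorted by reading the ELF header for the target architecture and searching for the build-information marker that the Go toolchain embeds. The following is an added example, not code from the original article or from Akamai; the function names, the architecture subset and the sample bytes are constructed for illustration.

```python
import struct

# e_machine values from the ELF specification (architectures common on IoT/SOHO gear)
E_MACHINE = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # marker the Go linker writes into its binaries

def read_uvarint(buf, pos):
    """Decode a Go-style unsigned varint; returns (value, next_pos), (0, pos) if truncated."""
    value = shift = 0
    while pos < len(buf):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7
    return 0, pos

def triage(data):
    """Return architecture, byte order and Go toolchain info for an ELF image, else None."""
    if len(data) < 20 or data[:4] != b"\x7fELF" or data[5] not in (1, 2):
        return None
    order = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (machine,) = struct.unpack_from(order + "H", data, 18)  # e_machine field
    info = {"arch": E_MACHINE.get(machine, f"unknown({machine})"),
            "bits": 32 if data[4] == 1 else 64, "endian": "big" if order == ">" else "little",
            "is_go": False, "go_version": None}
    at = data.find(GO_BUILDINFO_MAGIC)
    info["is_go"] = at >= 0
    # Buildinfo header is 32 bytes: magic (14), pointer size (1), flags (1), padding.
    # Flag 0x2 (Go 1.18+) stores the version string inline; older layouts are not resolved here.
    if at >= 0 and len(data) > at + 32 and data[at + 15] & 0x2:
        length, start = read_uvarint(data, at + 32)
        info["go_version"] = data[start:start + length].decode("ascii", "replace")
    return info

def constructed_sample(ei_class, ei_data, machine, go_version=None):
    """Constructed input: a bare ELF header, optionally followed by a buildinfo blob."""
    order = "<" if ei_data == 1 else ">"
    image = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + bytes(9)
    image += struct.pack(order + "HH", 2, machine) + bytes(32)  # e_type, e_machine
    if go_version:
        image += GO_BUILDINFO_MAGIC + bytes([4 if ei_class == 1 else 8, 0x2]) + bytes(16)
        image += bytes([len(go_version)]) + go_version.encode()
    return image

if __name__ == "__main__":
    print(triage(constructed_sample(1, 2, 8, "go1.19.5")))  # 32-bit big-endian MIPS
```

A packed or otherwise obfuscated binary can hide the marker, so a negative result from the raw byte search does not rule out a Go payload.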

The attackers also leveraged the distribution IP as a pivot, allowing them to identify two additional IPs previously used for distribution. Prior to developing their own Go-based malware, the attackers attempted to distribute a generic Mirai variant. 

The threat actors behind HinataBot have been active since at least December 2022, but only began developing their own malware in mid-January 2023. Since then, multiple iterations of the malware and various pivots in infection techniques have been observed. The primary Internet Protocol (IP) utilized for distribution and command and control (C2) connections has a history of participation in spam and malware distribution, but it is not entirely clear at this point if the IP is malicious by design or just compromised and being abused. 

HinataBot’s infection campaign involves exploiting known vulnerabilities and using various infector scripts to distribute Go-based malware designed to run on multiple platforms. The threat actors behind HinataBot have been active for several months and are constantly evolving their tactics and tooling. Organizations should take steps to defend against HinataBot and other emerging Go-based threats by implementing robust security measures and keeping their security tools up to date. 

Implications 

The emergence of HinataBot is concerning as it represents a new and evolving threat to IoT devices and internet infrastructure. The fact that it is written in Go means that it is efficient, powerful, and potentially harder to detect and mitigate. 

HinataBot’s large size and lack of specific identification around its newer hashes make it particularly difficult to detect and defend against. Additionally, the use of naming conventions related to popular anime series like Naruto may be an attempt to evade detection by security tools that use keyword filtering. 

The use of various methods of communication, including dialing out and listening for incoming connections, and its ability to launch DDoS attacks using multiple protocols, including hypertext transfer protocol (HTTP), user datagram protocol (UDP), transmission control protocol (TCP), and internet control message protocol (ICMP), make HinataBot a versatile and dangerous botnet. However, the latest version of HinataBot has narrowed down its attack methods to only HTTP and UDP attacks. 

The emergence of HinataBot is part of a growing trend of malware authors using Go to develop powerful and efficient botnets. As such, organizations should take steps to defend against potential DDoS attacks, including implementing robust security measures, conducting regular vulnerability scans, and working with their internet service providers to mitigate attacks. 

HinataBot is a concerning new threat to IoT devices and internet infrastructure that utilizes a high-performance programming language to make it efficient, powerful, and potentially harder to detect and mitigate. Organizations should take steps to defend against this new botnet and other emerging Go-based threats by implementing robust security measures and keeping their security tools up to date. 

Conclusion: HinataBot is a Significant Threat to IoT Devices 

Despite its potential for harm, there are some reasons for optimism regarding HinataBot. Unlike Mirai, which took advantage of novel vulnerabilities in IoT devices, HinataBot leverages weaknesses and CVEs (Common Vulnerabilities and Exposures) already known to the security community and utilized by other botnets. This means that the fundamental security principles for defending against this kind of threat, such as strong password policies and dutiful patching, are still sufficient. However, the possibility remains that HinataBot could evolve and become more dangerous over time, particularly if the botnet’s authors become more creative in their distribution and infection techniques. 

The emergence of HinataBot represents a significant threat to IoT devices and internet infrastructure. As with other botnets, organizations should take steps to defend against potential DDoS attacks, including implementing robust security measures, conducting regular vulnerability scans, and working with their internet service providers to mitigate attacks. The rapid development and evolution of IoT malware like HinataBot highlights the importance of continually improving and adapting security measures to stay ahead of the threat landscape. 

HinataBot is the latest example of the evolving threat landscape, particularly in relation to botnets. Malware authors are continuing to innovate their use of implementation methods, languages, and distribution methods. By leaning on older, proven techniques, such as those used within Mirai, attackers can focus more on curating pieces that evade detection, continuously evolve, and add new functionality. 

By continuing to explore and analyze evolving threats such as HinataBot, we can better understand the tactics, techniques, and procedures of attackers to develop more robust defenses against them. The HinataBot family relies on old vulnerabilities and brute forcing weak passwords for distribution. This is yet another example of why strong password and patching policies are more critical than ever. Attackers are always looking for low-hanging fruit with high return on investment, so making it more difficult for attacks to be successful helps significantly in keeping your environment and the internet safe. 

This is likely just the beginning for HinataBot. The Critical Start Cyber Threat Intelligence (CTI) Team will continue to monitor its evolution over time and report new findings when relevant. Critical Start customers are protected from the two attack capabilities this botnet supports. 

