Friday, March 29, 2024

HinataBot – A New Botnet Could Launch Massive 3.3 Tbps DDoS Attacks

The security analysts at Akamai recently identified a new botnet called HinataBot, based on Golang. Apart from this, HinataBot has been observed exploiting the already-known security flaws in routers and servers to gain unauthorized access to launch DDoS attacks.

At the beginning of the year, researchers uncovered this new botnet that had been operating for quite some time. While it has been discovered that HinataBot targets the following routers and servers:-

  • Realtek SDK devices
  • Huawei HG532 routers
  • Hadoop YARN servers

Exploiting Known Flaws

In the malware binaries, a character from the popular anime series Naruto appears to have been given a name by the malware author.

Akamai’s SIRT found HinataBot within HTTP and SSH honeypots exploiting the old known vulnerabilities, and here below we have mentioned them:-

  • CVE-2014-8361
  • CVE-2017-17215

Distribution

As early as mid-January 2023, Mirai binaries were distributed by HinataBot’s operators, which was the first time it appeared.

The HinataBot Botnet underwent active development with the addition of several improvements and new features as recently as March 2023. While the cybersecurity researchers confirmed this at Akamai during the analysis of active campaigns, they caught multiple samples of the botnet.

Several attacks have taken place due to unpatched vulnerabilities and weak credentials, representing an easy entry point for the threat actors without using sophisticated tactics.

Since December 2022, the HinataBot botnet has been active. As of January 11, 2023, they began using their own custom malware to conduct the attacks, following the use of a generic Go-based Mirai variant as the initial attack.

The experts have not yet observed a real-life attack since the C2 is currently down. The trackers are not yet connected. However, the process of doing so is currently underway.

The primary goal of the researchers is to be able to observe closely if they become active again in the future.

Massive DDoS Capability

A number of particularly notable functions came to light during the analysis. Three distinct attack functions immediately caught their attention, and here they are mentioned below:-

  • sym.main.startAttack
  • sym.main.http_flood
  • sym.main.udp_flood
HinataBot

Infection scripts and RCE payloads for known vulnerabilities are used in order to distribute malware through brute-force attacks on SSH endpoints.

Once a device is infected, the malware quietly runs, waiting for command and control server instructions to be executed. 

In order to observe HinataBot in action and infer the malware’s attack capabilities, Akamai’s analysts designed their own C2 and interacted with simulated infections.

Here below, we have mentioned the floods that are supported by older versions of HinataBot:-

While in the case of the new version of HinataBot, only HTTP and UDP floods are supported. But, the botnet can perform very powerful DDoS attacks even with just two attack modes.

Considering that there can be 10,000 bots in an attack, a UDP flood may peak over 3.3 Tbps, making it a powerful attack. There is a difference between the HTTP attack command and the UDP attack command. 

In both cases, 512 workers are created for a worker pool and assigned a fixed duration for a defined period to send data packets to all predefined targets.

There is a range of 484 to 589 bytes in the size of an HTTP packet. Many null bytes are included in the UDP packets generated by HinataBot, which can overwhelm the target with a significant amount of traffic.

HinataBot

The two methods utilize different approaches to achieve the same result; HTTP floods generate heavy traffic to the website, whereas UDP floods send garbage to the target.

It generated 20,430 requests for a total of 3.4MB for the HTTP attack; Akamai benchmarked the botnet in 10-second attacks for HTTP and UDP. The UDP flood generated 421 MB of data, about 6,733 packages.

There is still room for improvement in HinataBot Botnet, and it is likely to implement additional exploits and expand its targeting capabilities at any time.

Building Your Malware Defense Strategy – Download Free E-Book

Website

Latest articles

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles