Saturday, June 15, 2024

HinataBot – A New Botnet Could Launch Massive 3.3 Tbps DDoS Attacks

The security analysts at Akamai recently identified a new botnet called HinataBot, based on Golang. Apart from this, HinataBot has been observed exploiting the already-known security flaws in routers and servers to gain unauthorized access to launch DDoS attacks.

At the beginning of the year, researchers uncovered this new botnet that had been operating for quite some time. While it has been discovered that HinataBot targets the following routers and servers:-

  • Realtek SDK devices
  • Huawei HG532 routers
  • Hadoop YARN servers

Exploiting Known Flaws

In the malware binaries, a character from the popular anime series Naruto appears to have been given a name by the malware author.

Akamai’s SIRT found HinataBot within HTTP and SSH honeypots exploiting the old known vulnerabilities, and here below we have mentioned them:-

  • CVE-2014-8361
  • CVE-2017-17215


As early as mid-January 2023, Mirai binaries were distributed by HinataBot’s operators, which was the first time it appeared.

The HinataBot Botnet underwent active development with the addition of several improvements and new features as recently as March 2023. While the cybersecurity researchers confirmed this at Akamai during the analysis of active campaigns, they caught multiple samples of the botnet.

Several attacks have taken place due to unpatched vulnerabilities and weak credentials, representing an easy entry point for the threat actors without using sophisticated tactics.

Since December 2022, the HinataBot botnet has been active. As of January 11, 2023, they began using their own custom malware to conduct the attacks, following the use of a generic Go-based Mirai variant as the initial attack.

The experts have not yet observed a real-life attack since the C2 is currently down. The trackers are not yet connected. However, the process of doing so is currently underway.

The primary goal of the researchers is to be able to observe closely if they become active again in the future.

Massive DDoS Capability

A number of particularly notable functions came to light during the analysis. Three distinct attack functions immediately caught their attention, and here they are mentioned below:-

  • sym.main.startAttack
  • sym.main.http_flood
  • sym.main.udp_flood

Infection scripts and RCE payloads for known vulnerabilities are used in order to distribute malware through brute-force attacks on SSH endpoints.

Once a device is infected, the malware quietly runs, waiting for command and control server instructions to be executed. 

In order to observe HinataBot in action and infer the malware’s attack capabilities, Akamai’s analysts designed their own C2 and interacted with simulated infections.

Here below, we have mentioned the floods that are supported by older versions of HinataBot:-

While in the case of the new version of HinataBot, only HTTP and UDP floods are supported. But, the botnet can perform very powerful DDoS attacks even with just two attack modes.

Considering that there can be 10,000 bots in an attack, a UDP flood may peak over 3.3 Tbps, making it a powerful attack. There is a difference between the HTTP attack command and the UDP attack command. 

In both cases, 512 workers are created for a worker pool and assigned a fixed duration for a defined period to send data packets to all predefined targets.

There is a range of 484 to 589 bytes in the size of an HTTP packet. Many null bytes are included in the UDP packets generated by HinataBot, which can overwhelm the target with a significant amount of traffic.


The two methods utilize different approaches to achieve the same result; HTTP floods generate heavy traffic to the website, whereas UDP floods send garbage to the target.

It generated 20,430 requests for a total of 3.4MB for the HTTP attack; Akamai benchmarked the botnet in 10-second attacks for HTTP and UDP. The UDP flood generated 421 MB of data, about 6,733 packages.

There is still room for improvement in HinataBot Botnet, and it is likely to implement additional exploits and expand its targeting capabilities at any time.

Building Your Malware Defense Strategy – Download Free E-Book


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles