HinataBot – A New Botnet Could Launch Massive 3.3 Tbps DDoS Attacks

The security analysts at Akamai recently identified a new botnet called HinataBot, based on Golang. Apart from this, HinataBot has been observed exploiting the already-known security flaws in routers and servers to gain unauthorized access to launch DDoS attacks.

At the beginning of the year, researchers uncovered this new botnet that had been operating for quite some time. While it has been discovered that HinataBot targets the following routers and servers:-

  • Realtek SDK devices
  • Huawei HG532 routers
  • Hadoop YARN servers

Exploiting Known Flaws

In the malware binaries, a character from the popular anime series Naruto appears to have been given a name by the malware author.

Akamai’s SIRT found HinataBot within HTTP and SSH honeypots exploiting the old known vulnerabilities, and here below we have mentioned them:-

  • CVE-2014-8361
  • CVE-2017-17215

Distribution

As early as mid-January 2023, Mirai binaries were distributed by HinataBot’s operators, which was the first time it appeared.

The HinataBot Botnet underwent active development with the addition of several improvements and new features as recently as March 2023. While the cybersecurity researchers confirmed this at Akamai during the analysis of active campaigns, they caught multiple samples of the botnet.

Several attacks have taken place due to unpatched vulnerabilities and weak credentials, representing an easy entry point for the threat actors without using sophisticated tactics.

Since December 2022, the HinataBot botnet has been active. As of January 11, 2023, they began using their own custom malware to conduct the attacks, following the use of a generic Go-based Mirai variant as the initial attack.

The experts have not yet observed a real-life attack since the C2 is currently down. The trackers are not yet connected. However, the process of doing so is currently underway.

The primary goal of the researchers is to be able to observe closely if they become active again in the future.

Massive DDoS Capability

A number of particularly notable functions came to light during the analysis. Three distinct attack functions immediately caught their attention, and here they are mentioned below:-

  • sym.main.startAttack
  • sym.main.http_flood
  • sym.main.udp_flood

Infection scripts and RCE payloads for known vulnerabilities are used in order to distribute malware through brute-force attacks on SSH endpoints.

Once a device is infected, the malware quietly runs, waiting for command and control server instructions to be executed. 

In order to observe HinataBot in action and infer the malware’s attack capabilities, Akamai’s analysts designed their own C2 and interacted with simulated infections.

Here below, we have mentioned the floods that are supported by older versions of HinataBot:-

While in the case of the new version of HinataBot, only HTTP and UDP floods are supported. But, the botnet can perform very powerful DDoS attacks even with just two attack modes.

Considering that there can be 10,000 bots in an attack, a UDP flood may peak over 3.3 Tbps, making it a powerful attack. There is a difference between the HTTP attack command and the UDP attack command. 

In both cases, 512 workers are created for a worker pool and assigned a fixed duration for a defined period to send data packets to all predefined targets.

There is a range of 484 to 589 bytes in the size of an HTTP packet. Many null bytes are included in the UDP packets generated by HinataBot, which can overwhelm the target with a significant amount of traffic.

The two methods utilize different approaches to achieve the same result; HTTP floods generate heavy traffic to the website, whereas UDP floods send garbage to the target.

It generated 20,430 requests for a total of 3.4MB for the HTTP attack; Akamai benchmarked the botnet in 10-second attacks for HTTP and UDP. The UDP flood generated 421 MB of data, about 6,733 packages.

There is still room for improvement in HinataBot Botnet, and it is likely to implement additional exploits and expand its targeting capabilities at any time.

Building Your Malware Defense Strategy – Download Free E-Book

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed light on the growing concerns within…

28 mins ago

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse engineering .NET malware.  The write-up outlines…

2 hours ago

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting the growing, widespread use and potential…

15 hours ago

C2A Security’s EVSec Risk Management and Automation Platform Gains Automotive Industry Favor as Companies Pursue Regulatory Compliance

In 2023, C2A Security added multiple OEMs and Tier 1s to its portfolio of customers, successful evaluations, and partnerships such…

16 hours ago

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and education. The latest update, Wireshark 4.2.4,…

18 hours ago

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered platform designed to redefine how we…

19 hours ago