A new malware botnet was discovered targeting Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into DDoS (distributed denial of service) swarm with the potential for massive attacks.
The new botnet was discovered by researchers at Akamai at the start of the year, who caught it on their HTTP and SSH honeypots, seen exploiting old flaws such as CVE-2014-8361 and CVE-2017-17215.
Akamai comments that HinataBot’s operators initially distributed Mirai binaries, while HinataBot first appeared in mid-January 2023. It seems to be based on Mirai and is a Go-based variant of the notorious strain.
After capturing multiple samples from active campaigns as recently as March 2023, Akamai’s researchers deduced that the malware is under active development, featuring functional improvements and anti-analysis additions.
Significant DDoS power
The malware is distributed by brute-forcing SSH endpoints or using infection scripts and RCE payloads for known vulnerabilities.
After infecting devices, the malware will quietly run, waiting for commands to execute from the command and control server.
Akamai’s analysts created a C2 of their own and interacted with simulated infections to stage HinataBot for DDoS attacks to observe the malware in action and infer its attack capabilities.
Older versions of HinataBot supported HTTP, UDP, ICMP, and TCP floods, but the newer variants only feature the first two. However, even with only two attack modes, the botnet can potentially perform very powerful distributed denial of service attacks.
While the HTTP and UDP attack commands differ, they both create a worker pool of 512 workers (processes) that send hardcoded data packets to the targets for a defined duration.
The HTTP packet size ranges between 484 and 589 bytes. The UDP packets generated by HinataBot are particularly large (65,549 bytes) and consist of null bytes capable of overwhelming the target with a large traffic volume.
HTTP floods generate large volumes of website requests, while UDP flood sends large volumes of garbage traffic to the target; hence the two methods attempt to achieve an outage using a different approach.
Akamai benchmarked the botnet in 10-second attacks for both HTTP and UDP, and in the HTTP attack, the malware generated 20,430 requests for a total size of 3.4 MB. The UDP flood generated 6,733 packages totaling 421 MB of data.
The researchers estimated that with 1,000 nodes, the UDP flood could generate roughly 336 Gbps, while at 10,000 nodes, the attack data volume would reach 3.3 Tbps.
In the case of the HTTP flood, 1,000 ensnared devices would generate 2,000,000 requests per second, while 10,000 nodes would take that number of 20,400,000 rps and 27 Gbps.
HinataBot is still in development and might implement more exploits and widen its targeting scope anytime. Furthermore, the fact that its development is so active increases the likelihood of seeing more potent versions circulating in the wild soon.
“These theorized capabilities obviously don’t take into account the different kinds of servers that would be participating, their respective bandwidth and hardware capabilities, etc., but you get the picture,” warns Akamai.
“Let’s hope that the HinataBot authors move onto new hobbies before we have to deal with their botnet at any real scale.”