A new HinataBot botnet has been discovered recently. It targets the Realtek SDK, Huawei routers and Hadoop YARN servers, and is focused on conducting large-scale DDoS attacks.
Akamai experts believe that the malware is based on the Mirai code and is a Go-based version of this malware.
By the way, the media wrote that Malware developers are increasing the use of the unusual programming languages.
Let me remind you that we also wrote that Botnet KmsdBot Attacks Gaming Companies and Luxury Car Manufacturers, and also that Cloud9 Botnet Attacks Chrome with Malicious Extensions.
Akamai honeypots (HTTP and SSH) were discovered by HinataBot in January 2023 when the malware exploited old vulnerabilities CVE-2014-8361 and CVE-2017-17215. Experts note that at first HinataBot operators distributed Mirai binaries, and only after that HinataBot appeared.
After collecting several malware samples from active campaigns in March 2023, the researchers concluded that the malware is still in development and has recently received a number of functional improvements and enhanced analysis protection.
HinataBot is mainly distributed through SSH brute force or through the use of scripts and the exploitation of known vulnerabilities. Once the device is infected, the malware will run on the compromised machine, waiting for commands from the command-and-control server.
Akamai analysts set up their own C&C server to stage a DDoS attack using HinataBot and watch the malware in action and draw conclusions about its attacking capabilities. Older versions of HinataBot reportedly supported flooding via HTTP, UDP, ICMP, and TCP, but only the first two options are active in newer versions. At the same time, analysts warn that even with two attack modes, a botnet is potentially capable of a lot.
Although the attack commands for HTTP and UDP are different, they both create a working pool of 512 workers (processes) that send hard-coded packets to victims over a period of time. HTTP packet size varies from 484 to 589 bytes. The UDP packets generated by HinataBot are particularly large (65,549 bytes) and consist of null bytes that can overwhelm the target with a large amount of traffic.
As a result, an HTTP flood generates large volumes of requests to target sites, and a UDP flood sends large amounts of junk traffic to the target.
Akamai tested the botnet in 10-second attacks, and the malware generated 20,430 requests for a total size of 3.4 MB in the HTTP attack, while the UDP flood generated 6,733 packets for a total of 421 MB.
Thus, the researchers calculated that, using 1000 nodes, a UDP flood can generate attacks with a power of approximately 336 Gb / s, and if there are 10,000 nodes, then the attack power will reach 3.3 Tb / s.
In the event of an HTTP flood, 1000 hijacked devices will generate 2,000,000 requests per second, and 10,000 nodes will generate 20,400,000 requests per second, that is, a 27 Gbps attack.
