Malware, Endpoint/Device Security, Vulnerability Management

Go-based HinataBot latest botnet to focus on DDoS attacks

Naruto action figure

A new Go-based malware is the latest botnet focused on distributed-denial-of-service (DDoS) attacks.

The malware apparently is named "Hinata" by the malware author after a character from the popular anime series Naruto.

In a blog post Thursday, Akamai researchers dubbed the new botnet "HinataBot." The researchers said the threat actors behind HinataBot have been active since at least December 2022, but only began developing their own malware in mid-January 2023.

A sample of the malware was discovered in HTTP and SSH honeypots abusing weak credentials and old remote code execution vulnerabilities — one dating back almost a decade. The Akamai researchers said the infection attempts they observed include the exploitation of the minigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A).

When asked where the attacks were targeted, Allen West, a security researcher at Akamai, said they haven't been able to observe attacks outside of launching them at themselves so far.

“Once the C2 is back up we will get a clearer picture of this,” said West. “As far as machines targeted for infection, we can only point to the technologies containing the vulnerabilities we saw them exploiting."

Once again we see that so much is on the internet, mainly because people deploy services and forget about managing the infrastructure, said John Bambenek, principal threat hunter at Netenrich. In this case, we saw the exploitation of a vulnerability that was nearly 10-years-old, said Bambenek.

“Attackers continue to find these resources and then use them to further attacks on other organizations,” said Bambenek. “A new DDoS botnet simply means more resources used by criminals to attempt to knock services offline. So, using DDoS protection services remains important because it’s only a growing attack particularly in a period of geopolitical and economic turmoil.”

Mike Parkin, senior technical engineer at Vulcan Cyber, added that malware authors doing more work in the Go language is a case of them "picking the right tool for the job.” 

"Go has become best known for its ability to cross-compile for different architectures and its ease of use, which makes it attractive to threat actors," said Parkin. "Regardless of what language malware is written in, threat actors still have to land their payload. The selected language may give an attacker some more options, but properly configured and maintained defenses will still reduce an organization's threat surface.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.