Tuesday, November 12, 2024
HomeBotnetHinataBot - A New Botnet Could Launch Massive 3.3 Tbps DDoS Attacks

HinataBot – A New Botnet Could Launch Massive 3.3 Tbps DDoS Attacks

Published on

Malware protection

The security analysts at Akamai recently identified a new botnet called HinataBot, based on Golang. Apart from this, HinataBot has been observed exploiting the already-known security flaws in routers and servers to gain unauthorized access to launch DDoS attacks.

At the beginning of the year, researchers uncovered this new botnet that had been operating for quite some time. While it has been discovered that HinataBot targets the following routers and servers:-

  • Realtek SDK devices
  • Huawei HG532 routers
  • Hadoop YARN servers

Exploiting Known Flaws

- Advertisement - SIEM as a Service

In the malware binaries, a character from the popular anime series Naruto appears to have been given a name by the malware author.

Akamai’s SIRT found HinataBot within HTTP and SSH honeypots exploiting the old known vulnerabilities, and here below we have mentioned them:-

  • CVE-2014-8361
  • CVE-2017-17215

Distribution

As early as mid-January 2023, Mirai binaries were distributed by HinataBot’s operators, which was the first time it appeared.

The HinataBot Botnet underwent active development with the addition of several improvements and new features as recently as March 2023. While the cybersecurity researchers confirmed this at Akamai during the analysis of active campaigns, they caught multiple samples of the botnet.

Several attacks have taken place due to unpatched vulnerabilities and weak credentials, representing an easy entry point for the threat actors without using sophisticated tactics.

Since December 2022, the HinataBot botnet has been active. As of January 11, 2023, they began using their own custom malware to conduct the attacks, following the use of a generic Go-based Mirai variant as the initial attack.

The experts have not yet observed a real-life attack since the C2 is currently down. The trackers are not yet connected. However, the process of doing so is currently underway.

The primary goal of the researchers is to be able to observe closely if they become active again in the future.

Massive DDoS Capability

A number of particularly notable functions came to light during the analysis. Three distinct attack functions immediately caught their attention, and here they are mentioned below:-

  • sym.main.startAttack
  • sym.main.http_flood
  • sym.main.udp_flood
HinataBot

Infection scripts and RCE payloads for known vulnerabilities are used in order to distribute malware through brute-force attacks on SSH endpoints.

Once a device is infected, the malware quietly runs, waiting for command and control server instructions to be executed. 

In order to observe HinataBot in action and infer the malware’s attack capabilities, Akamai’s analysts designed their own C2 and interacted with simulated infections.

Here below, we have mentioned the floods that are supported by older versions of HinataBot:-

While in the case of the new version of HinataBot, only HTTP and UDP floods are supported. But, the botnet can perform very powerful DDoS attacks even with just two attack modes.

Considering that there can be 10,000 bots in an attack, a UDP flood may peak over 3.3 Tbps, making it a powerful attack. There is a difference between the HTTP attack command and the UDP attack command. 

In both cases, 512 workers are created for a worker pool and assigned a fixed duration for a defined period to send data packets to all predefined targets.

There is a range of 484 to 589 bytes in the size of an HTTP packet. Many null bytes are included in the UDP packets generated by HinataBot, which can overwhelm the target with a significant amount of traffic.

HinataBot

The two methods utilize different approaches to achieve the same result; HTTP floods generate heavy traffic to the website, whereas UDP floods send garbage to the target.

It generated 20,430 requests for a total of 3.4MB for the HTTP attack; Akamai benchmarked the botnet in 10-second attacks for HTTP and UDP. The UDP flood generated 421 MB of data, about 6,733 packages.

There is still room for improvement in HinataBot Botnet, and it is likely to implement additional exploits and expand its targeting capabilities at any time.

Building Your Malware Defense Strategy – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...