AT&T Alien Labs discovers new Golang malware (BotenaGo) with over 30 exploits that target millions of routers and IoT devices

2 mins read
AT&T Alien Labs discovers new Golang malware (BotenaGo) with over 30 exploits that target millions of routers and IoT devices

According to AT&T Alien Labs, malware written in the open-source programming language Golang could attack millions of routers and IoT devices.

BotenaGo is a malware that can attack a target with over 30 different exploit functionalities. It deploys a backdoor and waits for a target to be sent to it via port 19412 from a remote operator or from another related module running on the same machine. According to AT&T, the malware’s actor and the number of compromised devices are still unknown.

Golang, usually known as Go, is a Google-designed open-source programming language that was initially released in 2007 to make it easier for developers to create software. According to recent Intezer research, the Go programming language has risen in popularity among malware creators considerably in recent years. According to the site, there has been a 2000% boost in malware code written in Go that has been discovered in the wild.


The ease with which attackers may compile the same code for different platforms, making it easier for them to distribute malware across multiple operating systems, is one of the reasons for its increased popularity.

According to AT&T Alien Labs security researcher Ofer Caspi, BotenaGo currently has a low antivirus (AV) detection rate, with only 6/62 known AVs seen in VirusTotal.

Some anti-virus software recognizes these new malware types as Mirai malware because the payload connections are identical. However, there are differences between the Mirai malware and the new Go malware variants, including changes in programming languages and malware structures. Mirai is a botnet that communicates with its command and control (C&C). It also has several DDoS capabilities.


The malware strains uncovered by Alien Labs don’t have the same attack capabilities as Mirai malware, and they just hunt for weak systems to transmit the payload. Furthermore, Mirai employs an XOR table to store its strings and other data, as well as to decrypt them when necessary; this is not the case with the new Go malware. As a result, Alien Labs feels this danger is novel and has given it the moniker BotenaGo.

The BotenaGo malware begins by setting up global infection counters, which will be displayed on the screen and alert the hacker of the overall number of successful infections. It then looks in the dlrs folder for shell script files to load. The infection will stop and quit at this stage if the dlrs folder is missing.

The malware then launches a function that starts the malware attack surface by mapping all offensive functions to the relevant string that represents the targeted system. This is the final and most crucial preparation. Each function is associated with a string that represents a possible target system, such as a signature.


To deliver its exploit, the malware sends a simple GET request to the target. The delivered data from the GET request is then compared against each system signature that has been mapped to attack methods.

A search on Shodan yields around 250,000 devices that could be targeted by this function. The malware starts 33 exploit functions in total, all of which are ready to infect potential victims.

BotenaGo’s payload is remote shell commands that will be executed on devices where the vulnerability has been successfully exploited. The malware uses several links, each with a different payload, depending on the affected PC. Because the attackers had removed all of the payloads from the hosted servers at the time of analysis, Alien Labs was unable to evaluate any of them.


BotenaGo has no active connection with its C&C, which raises concerns about how it functions. Alien Labs has a few ideas on how the malware works and how it gets a target to attack.

Alien Labs advises companies to maintain their software up to date with security patches, limit internet access on Linux servers and IoT devices, and use a properly configured firewall. Network traffic, outbound port scans, and excessive bandwidth usage should all be monitored by users.

“Malware authors continue to create new techniques for writing malware and upgrading its capabilities,” said Caspi. “In this case, new malware writing in Golang – which Alien Labs has named BotenaGo – can run as a botnet on different OS platforms with small modifications.”

Leave a Reply