BotenaGo botnet targets millions of IoT devices using 33 exploits

Pierluigi Paganini November 12, 2021

Researchers at AT&T discovered a new BotenaGo botnet that is using thirty three exploits to target millions of routers and IoT devices.

BotenaGo is a new botnet discovered by researchers at AT&T that leverages thirty three exploits to target millions of routers and IoT devices.

Below is the list of exploits used by the bot:

Vulnerability Affected devices
CVE-2020-8515DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta,, and 1.4.4_Beta devices
CVE-2015-2051D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier
CVE-2016-1555Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before
CVE-2017-6077NETGEAR DGN2200 devices with firmware through
CVE-2016-6277NETGEAR R6250 before, R6400 before, R6700 before, R6900, R7000 before, R7100LG before, R7300DST before, R7900 before, R8000 before, D6220, D6400, D7000
CVE-2018-10561, CVE-2018-10562GPON home routers
CVE-2013-3307Linksys X3000 1.0.03 build 001
CVE-2020-9377D-Link DIR-610
CVE-2016-11021D-Link DCS-930L devices before 2.12
CVE-2018-10088XiongMai uc-httpd 1.0.0
CVE-2020-10173Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m
CVE-2013-5223D-Link DSL-2760U Gateway
CVE-2020-8958Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024
CVE-2019-19824TOTOLINK Realtek SDK based routers, this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVE-2020-10987Tenda AC15 AC1900 version
CVE-2020-9054Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2, Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
CVE-2017-18368ZyXEL P660HN-T1A v1 TCLinux Fw $ v001 / 3.40(ULM.0)b31 router distributed by TrueOnline
CVE-2014-2321ZTE F460 and F660 cable modems
CVE-2017-6334 NETGEAR DGN2200 devices with firmware through

BotenaGo was written in Golang (Go) and at the time of the report published by the experts, it had a low antivirus (AV) detection rate (6/62).

“To deliver its exploit, the malware first queries the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions.” reads the analysis published by AT&T.

“The string “Server: Boa/0.93.15” is mapped to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958).”

The botnet targets millions of devices with functions that exploit the above flaws, for example querying Shodan for the string Boa, which is a discontinued open-source web server used in embedded applications, it returns nearly two million devices.

Once installed, the bot malware will listen on the ports 31412 and 19412, the latter is used to receive the victim IP.


Once a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.

The BotenaGo will execute remote shell commands on compromised devices, depending on the infected system, the bot uses different links associated with different payloads. Alien Labs could not analyze any of payloads because they were no more available on the hosting server.

The researchers didn’t find an active C2 communication between BotenaGo and C2 server, these are possible scenarios hypothesized by the experts:

  1. The malware is part of a “malware suite” and BotenaGo is only one module of infection in an attack. In this case, there should be another module either operating BotenaGo (by sending targets) or just updating the C&C with a new victim’s IP.
  2. The links used for the  payload on a successful attack imply a connection with Mirai malware. It could be the BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets.
  3. This malware is still in beta phase and has been accidently leaked.

Researchers provided the indicators of compromise associated with these attacks, they speculate the malware could be enhanced integrating new exploits.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BotenaGo)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment