
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata-<OS>-<Architecture>,'" Akamai said in a technical report. Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and security flaws in Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8). Unpatched vulnerabilities and weak credentials have been a low-hanging fruit for attackers, representing an easy, well-documented entry point that does not require sophisticated social engineering tactics or other methods. The threat actors behind HinataBot are said to have been active since at least December 2022, with the attacks first attempting to use a generic Go-based Mirai variant before switching to their own custom malware starting from January 11, 2023. Since then, newer artifacts have been detected in Akamai's HTTP and SSH honeypots as recently as this month, packing in more modular functionality and added security measures to resist analysis. This indicates that HinataBot is still in active development and evolving. HinataBot is a new Golang-based botnet that has been observed to use known flaws to compromise routers and servers in order to stage DDoS attacks. The malware binaries used by HinataBot appear to have been named after a character from the popular anime series, Naruto, by the malware's author, with file name structures such as 'Hinata-<OS>-<Architecture>,' as noted in a technical report by Akamai. HinataBot has been distributed by exploiting exposed Hadoop YARN servers and security flaws in Realtek SDK devices (CVE-2014-8361), as well as Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8). Unpatched vulnerabilities and weak credentials have been a low-hanging fruit for attackers, representing an easy, well-documented entry point that does not require sophisticated social engineering tactics or other methods. The threat actors behind HinataBot have been active since at least December 2022 and were first observed attempting to use a generic Go-based Mirai variant before switching to their own custom malware starting from January 11, 2023. Since then, newer artifacts have been detected in Akamai's HTTP and SSH honeypots as recently as this month, packing in more modular functionality and added security measures to resist analysis. This indicates that HinataBot is still in active development and evolving.