A new botnet called HinataBot has been discovered, which uses known vulnerabilities to take over routers and servers and launch distributed denial-of-service (DDoS) attacks.
The botnet appears to have been named after a character from the anime series Naruto.
It has been in operation since at least December 2022 and continues to evolve, with newer iterations being detected in Akamai’s honeypots as recently as March 2023.
The malware is designed to contact a command-and-control (C2) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.
The HinataBot malware leverages vulnerabilities such as exposed Hadoop YARN servers, Realtek SDK devices, and Huawei HG532 routers to spread. Attackers are exploiting unpatched vulnerabilities and weak credentials to gain entry into the systems.
The threat actors behind the botnet first attempted to use a generic Go-based Mirai variant before switching to their own custom malware starting from January 11, 2023.
The latest iteration of HinataBot is limited to HTTP and UDP protocols, with earlier versions utilizing HTTP, UDP, TCP, and ICMP to carry out DDoS attacks. Akamai conducted 10-second attack tests using HTTP and UDP and revealed that the HTTP flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The UDP flood created 6,733 packets for a total of 421 MB of packet capture data.
In a hypothetical real-world attack with 10,000 bots, a UDP flood would peak at more than 3.3 terabit per second (Tbps), resulting in a potent volumetric attack.
Microsoft recently revealed that TCP attacks emerged as the most frequent form of DDoS attack encountered in 2022, accounting for 63% of all attack traffic.
UDP floods and amplification attacks accounted for 22% of attack traffic, while packet anomaly attacks accounted for 15%. Besides being used as distractions to conceal extortion and data theft, DDoS attacks are also expected to rise due to the arrival of new malware strains that are capable of targeting IoT devices and taking over accounts to gain unauthorized access to resources.
