Analysis
HinataBot is a Go-based botnet, first documented by Akamai in early 2023, whose purpose is launching DDoS attacks. It spreads to Linux servers and routers that have weak credentials or unpatched, publicly known vulnerabilities in exposed services.
Once a host is infected it becomes part of the botnet: a pool of compromised machines that the operators control remotely through a command-and-control (C2) server. The published analyses describe the bot receiving attack commands from the C2 and generating HTTP and UDP flood traffic against the specified target; DDoS is its documented function.
Prevention
To avoid infection by the Hinata bot:
- Use strong, unique credentials, prefer key-based authentication for SSH, and enable multi-factor authentication where the service supports it
- Keep operating systems, applications and router firmware patched, since the bot relies on known vulnerabilities
- Run anti-malware software on the servers
- Monitor network traffic and system logs for the indicators listed below
- Disable unused services and close ports that do not need to be exposed
- Deploy intrusion detection and prevention systems in front of exposed services
Detection
The following methods help find the Hinata bot on a Linux-based server:
- Review system logs, in particular SSH authentication logs, for repeated failed logins followed by a successful one from the same source
- Run a malware scanner with current signatures
- Run a vulnerability scan to find the exposed, unpatched services the bot exploits to get in
- Look for unfamiliar processes, binaries dropped in world-writable directories such as /tmp, and outbound connections to the C2 addresses and ports listed under the indicators of compromise below
Indicators of Compromise (IOCs)
Indicators of compromise (IOCs) associated with the Hinata bot include the following:
Ports: 61420, 4120
IPs: 77.73.131.247, 156.236.16.237, 185.112.83.254, among others
File names: wget.sh, tftp.sh, hinata-linux.amd64
Other binary names observed follow the same hinata-<os>-<arch> naming pattern, for example hinata-windows-arm5, hinata-plan9-arm5, hinata-openbsd-arm5, hinata-netbsd-arm5 and hinata-linux-arm5.
This list of IOCs is not exhaustive, and new indicators will appear as the threat evolves. Organizations should watch for these indicators and for any other suspicious activity consistent with a Hinata bot infection, and act on any findings.
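The detection steps above and the IOC list can be combined into a sweep that checks a host's active connections, process list and suspicious file paths against the published indicators. The script below is an added example written for this page, not code from Akamai or from the botnet's analysts. It parses the output format of `ss -tnp` and `ps -eo user,pid,pcpu,pmem,args`, and the sample listings embedded in it are constructed to illustrate the matching logic, not captured from a real infection. Any `hinata-` prefixed name is treated as a match, which generalizes the individual file names the page lists.

```python
"""IOC sweep for HinataBot indicators over connection, process and file listings.

Added example for this page. The indicators are the ones listed in the IOC
section; the sample data below is constructed, not captured from a real host.
"""
import re

# IOCs from the page. Extend these sets from current threat intelligence.
HINATA_IPS = {"77.73.131.247", "156.236.16.237", "185.112.83.254"}
HINATA_PORTS = {61420, 4120}
HINATA_FILENAMES = {"wget.sh", "tftp.sh", "hinata-linux.amd64"}
HINATA_NAME_PREFIX = "hinata-"   # covers hinata-<os>-<arch> variants

# Process info as printed by `ss -tnp`: users:(("name",pid=NNN,fd=N))
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -tnp` output (not a real capture).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:43210 77.73.131.247:61420 users:(("hinata-linux.amd64",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:22 10.0.0.9:55112 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.0.0.5:51000 93.184.216.34:443 users:(("curl",pid=913,fd=5))
"""

# Constructed sample of `ps -eo user,pid,pcpu,pmem,args` output.
SAMPLE_PS = """\
USER PID %CPU %MEM COMMAND
root 4242 0.0 0.1 /tmp/hinata-linux.amd64
root 4300 0.0 0.0 sh /tmp/wget.sh
www-data 1020 0.0 0.2 nginx: worker process
"""

# Constructed file paths, e.g. from `find / -newer /etc/hostname -type f`.
SAMPLE_PATHS = ["/tmp/hinata-linux.arm5", "/var/tmp/tftp.sh", "/usr/bin/wget"]


def _suspicious_name(path: str) -> bool:
    """True if the basename of a path is a listed IOC or a hinata-* variant."""
    base = path.rsplit("/", 1)[-1]
    return base in HINATA_FILENAMES or base.startswith(HINATA_NAME_PREFIX)


def _split_hostport(addr: str) -> tuple[str, int]:
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)     # strip [] from IPv6 literals


def scan_connections(ss_output: str) -> list[dict]:
    """Flag sockets whose peer IP or peer port matches a Hinata C2 indicator."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in {"State", "Netid"}:   # skip header
            continue
        peer_host, peer_port = _split_hostport(fields[4])
        reasons = []
        if peer_host in HINATA_IPS:
            reasons.append("peer ip")
        if peer_port in HINATA_PORTS:
            reasons.append("peer port")
        if reasons:
            m = PROC_RE.search(line)
            hits.append({
                "peer": f"{peer_host}:{peer_port}",
                "process": m.group(1) if m else None,
                "pid": int(m.group(2)) if m else None,
                "reasons": reasons,
            })
    return hits


def scan_processes(ps_output: str) -> list[dict]:
    """Flag processes whose command line references a Hinata file name."""
    hits = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit():           # skip header
            continue
        args = fields[4:]
        if any(_suspicious_name(tok) for tok in args):
            hits.append({"user": fields[0], "pid": int(fields[1]),
                         "cmd": " ".join(args)})
    return hits


def scan_paths(paths: list[str]) -> list[str]:
    """Return the paths whose file name matches a Hinata indicator."""
    return [p for p in paths if _suspicious_name(p)]


def sweep(ss_output: str, ps_output: str, paths: list[str]) -> dict:
    """Run all three checks; a non-empty result warrants isolating the host."""
    return {"connections": scan_connections(ss_output),
            "processes": scan_processes(ps_output),
            "files": scan_paths(paths)}


if __name__ == "__main__":
    for kind, findings in sweep(SAMPLE_SS, SAMPLE_PS, SAMPLE_PATHS).items():
        for f in findings:
            print(f"[{kind}] {f}")
```

On a live host, feed the script the real command output (for example `ss -tnp` and `ps -eo user,pid,pcpu,pmem,args`) instead of the samples, and treat a connection hit on both the IP and the port as a strong signal; a lone port match can be a false positive, so confirm it against the process that owns the socket.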
Remediation
To remediate a Hinata bot infection:
- Disconnect the infected system from the network so it can no longer receive C2 commands or take part in attacks
- Record the running processes, open network connections and dropped files before removing anything, so the evidence survives for the log review
- Kill the bot process, remove the malware files, and change every credential that was present on the host
- Apply software and firmware updates, then scan the system for remaining malware
- Review system and network logs to establish how the host was compromised and whether other hosts were contacted
- Finally, implement the additional security measures listed under Prevention before reconnecting the system
References
Akamai, "Uncovering HinataBot: A Deep Dive into a Go-Based Threat"
The Hacker News, "New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks"