malware-attack

Analysis

A recent Go-based botnet called HinataBot specializes in initiating DDoS assaults. It preys on Linux-based servers with lax security and makes use of known software flaws.

Infecting Linux-based servers with the malware known as Hinata results in the development of a botnet—a network of infected computers that may be remotely managed to engage in harmful activity. Cybercriminals utilize the Hinata botnet to conduct DDoS attacks, mine bitcoins and take private information from the compromised servers.

Prevention

Use strong passwords, enable multi-factor authentication, update all software commonly, install anti-malware software, keep an eye on network traffic and system logs, disable unutilized services and ports, and use intrusion detection and prevention systems to avoid becoming infected with the Hinata bot.

Detection

You can use the following methods to find the Hinata bot on a Linux-based server: 

  • Watch system logs 
  • Employ a malware scanner 
  • Conduct vulnerability scanning 
  • Look for odd processes or files

Indicators of Compromise (IOCs)

Some indications of compromise (IOCs) related to the Hinata bot are listed below:

Ports: 61420, 4120

IPs: 77.73.131.247, 156.236.16.237, 185.112.83.254, etc.

File names include: wget.sh, tftp.sh, and hinata-linux.amd64

There are many other file names that may be discussed, such as hinata-windows-arm5, hinata-plan9-arm5, hinata-openbsd-arm5, hinata-netbsd-arm5, and hinata-linux-arm5.

It's crucial to remember that this list of IOCs is not exhaustive, and as the threat changes, new ones might appear. Every organization should keep an eye out for any suspicious activity or Hinata bot infection signs, and if any are found, act accordingly.

Remediation

To remediate the Hinata bot infection

  • Disconnect the infected system from the network
  • Remove the malware files, change all login credentials
  • Then apply software updates and patches, scan the system for malware
  • Review the system and network logs
  • Finally, implement additional security measures.

Reference

Akamai- Uncovering Hinatabot: A Deep Dive into a Go-Based Threat 

The Hacker News- New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks 

 

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.

Enquiry Now