BotenaGo malware

Original Issue Date: November 18, 2021
Virus Type: Backdoor/Malware botnet

A newly surfaced malware written in Golang, Google's open-source programming language, is reported to be targeting Linux-embedded routers and Internet of Things (IoT) devices through botnets. The malware uses 33 different exploits to compromise routers and IoT devices. It creates a backdoor on the device and then waits to receive a target to attack, either from a remote operator through port 19412 or from another related module running on the same machine.

Infection Mechanism:

The new Golang-based malware botnet incorporates more than 30 exploits for a variety of routers, modems, and network-attached storage (NAS) devices. The vulnerabilities with CVE numbers that BotenaGo can exploit, as listed by Alien Labs, are given below. Some of the vulnerabilities have also been disclosed without a CVE.

CVE-2020-8515: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta,, and 1.4.4_Beta devices
CVE-2015-2051: D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier
CVE-2016-1555: Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before
CVE-2017-6077: NETGEAR DGN2200 devices with firmware through
CVE-2016-6277: NETGEAR R6250 before, R6400 before, R6700 before, R6900, R7000 before, R7100LG before, R7300DST before, R7900 before, R8000 before, D6220, D6400, D7000
CVE-2018-10561, CVE-2018-10562: GPON home routers
CVE-2013-3307: Linksys X3000 1.0.03 build 001
CVE-2020-9377: D-Link DIR-610
CVE-2016-11021: D-Link DCS-930L devices before 2.12
CVE-2018-10088: XiongMai uc-httpd 1.0.0
CVE-2020-10173: Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m
CVE-2013-5223: D-Link DSL-2760U Gateway
CVE-2020-8958: Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024
CVE-2019-19824: TOTOLINK Realtek SDK based routers, this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVE-2020-10987: Tenda AC15 AC1900 version
CVE-2020-9054: Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2, Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
CVE-2017-18368: ZyXEL P660HN-T1A v1 TCLinux Fw $ v001 / 3.40(ULM.0)b31 router distributed by TrueOnline
CVE-2014-2321: ZTE F460 and F660 cable modems
CVE-2017-6334: NETGEAR DGN2200 devices with firmware through

The malware botnet deploys a backdoor on the compromised device and then waits for commands, either from a remote operator or from a malicious module on the device, to initiate an attack. As part of a typical BotenaGo attack, the malware first maps potential targets to attack functions, then queries the target with a GET request, searches the returned data, and only then attempts to exploit the vulnerable target.

On a compromised device, the malware creates two backdoor ports: 31412 and 19412, and starts listening on port 19412 to receive the victim’s IP. Then, it loops through mapped exploit functions to execute them with the supplied IP. Once BotenaGo gains access, it will execute remote shell commands to recruit the device into the botnet. Depending on which device is targeted, the malware uses different links to fetch a matching payload.
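
A local check for the listeners described above, as an added example that is not part of the original advisory or of the Alien Labs analysis: it parses the Linux /proc/net/tcp socket table for LISTEN sockets on ports 19412 and 31412 and maps each hit to the owning process through its socket inode. The sample table and the names find_backdoor_listeners and pid_for_inode are constructed for illustration.

```python
import os

BACKDOOR_PORTS = {19412, 31412}  # the two ports named in the advisory
TCP_LISTEN = "0A"                # LISTEN state code in /proc/net/tcp
# Constructed sample in /proc/net/tcp layout, not captured from a real device.
_TAIL = "00000000:00000000 00:00000000 00000000 0 0"
SAMPLE = "\n".join([
    "sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode",
    f"0: 00000000:0016 00000000:0000 0A {_TAIL} 1001 1",  # port 22, benign
    f"1: 00000000:4BD4 00000000:0000 0A {_TAIL} 1002 1",  # 19412 listening
    f"2: 0100007F:7AB4 00000000:0000 0A {_TAIL} 1003 1",  # 31412 listening
    f"3: 0A00000A:C350 0B00000A:4BD4 01 {_TAIL} 1004 1",  # established, not a listener
])

def find_backdoor_listeners(table_text, ports=BACKDOOR_PORTS):
    """Return [(port, inode)] for LISTEN sockets bound to a backdoor port."""
    hits = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local port is hex
        if port in ports:
            hits.append((port, int(fields[9])))
    return hits

def pid_for_inode(inode, proc="/proc"):
    """Find the process holding a socket inode by walking <proc>/<pid>/fd."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or not readable without root
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                pass  # descriptor closed while scanning
    return None

if __name__ == "__main__":
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):  # IPv4 and IPv6 tables
        if os.path.exists(table):
            with open(table) as fh:
                for port, inode in find_backdoor_listeners(fh.read()):
                    print(f"{table}: port {port} pid {pid_for_inode(inode)}")
```

Run it as root on the device so that other processes' descriptor tables are readable; a legitimate service can also bind these ports, so treat a hit as a lead to investigate.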

Indicators of Compromise


  • SHA256: 0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad

Best practices and remedial measures:

  • It is recommended to keep the software up to date with the latest security updates.
  • Install the latest firmware and use a properly configured firewall.
  • Ensure minimal exposure to the Internet on Linux servers and IoT devices.
  • Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
  • It is advised to carry out timely patching of internet-connected devices to avoid becoming a victim of BotenaGo or any other IoT botnets.

Additional measures for securing IoT devices:

  • Restrict Web Management Interface access of IoT devices to authorized users only and change default usernames/passwords.
  • Always change default login credentials before deployment in production.
  • Change default credentials at device startup and ensure that passwords meet the minimum complexity.
  • Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
  • Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Control access to the devices with an Access List.
  • Configure devices to "lock" or log out and require a user to re-authenticate if left unattended.
  • Identify systems with default passwords and implement the above-mentioned measures. Some of the systems that need to be examined are routers, switches, web applications and administrative web interfaces, ICS systems, and Telnet and SSH interfaces.
  • Implement account lockout policies to reduce the risk of brute forcing attacks.
  • Telnet and SSH should be disabled on the device if there is no requirement for remote management.
  • Configure VPN and SSH to access the device if remote access is required.
  • Configure certificate-based authentication for the telnet client for remote management of devices.
  • Implement Egress and Ingress filtering at router level.
  • Report suspicious entries in routers to your Internet Service Provider.
  • Keep antivirus up to date on the computer system.
  • Keep up to date on patches and fixes for the IoT devices, operating system and applications.
  • Unnecessary ports and services should be stopped and closed.
  • Logging must be enabled on the device to log all the activities.
  • Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.
