The new HinataBot botnet could launch massive DDoS attacks

Researchers at Akamai have discovered a new DDoS botnet which, by their extrapolation from measured per-bot output, could generate floods of more than 3 Tbps if it grew to 10,000 nodes.

Akamai said the malware was christened “Hinata” by its author after a character from the Naruto anime series. The vendor found evidence of “HinataBot” in its HTTP and SSH honeypots and said it is being actively updated by its authors. It is written in Go, which is why the file-name list below contains binaries cross-compiled for Linux, Windows, the BSDs and Plan 9.

While earlier versions launched flooding attacks over multiple protocols, the newest HinataBot iteration uses only HTTP and UDP floods.

HinataBot Botnet

The malware spreads by compromising SSH endpoints and by exploiting known vulnerabilities with RCE payloads (the two CVEs in the IOC list below); once a device is exploited, a small download script (tftp.sh or wget.sh in the list below) fetches the binary built for the device's architecture.

Once it has infected a device, the malware lies dormant until it receives instructions from its command-and-control (C2) server.

To observe the malware in action, Akamai's researchers built a C2 server of their own and used it to direct test infections to launch DDoS attacks, which let them measure the attack traffic and infer its capabilities.

The HTTP flood packets vary in size between 484 and 589 bytes. The UDP packets, by contrast, are 65,549 bytes each: a maximum-size 65,535-byte IPv4 datagram plus a 14-byte Ethernet header, with the payload padded entirely with null (zero) bytes. A datagram that large cannot cross a standard 1,500-byte MTU link intact, so at the victim each one arrives as a burst of IP fragments, and the bandwidth is consumed by volume rather than by any content in the payload.
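The following added example models the UDP flood packet described above so a defender can see what it looks like on the wire. It is written for this page and is not Akamai's tooling or the malware's code; nothing is transmitted. It assumes the 65,549-byte figure is a 65,535-byte IPv4 datagram behind a 14-byte Ethernet header, a 1,500-byte MTU on the victim side, and placeholder ports and addresses.

```python
"""Model the HinataBot UDP flood datagram (added example, not Akamai's or the
malware's code). Nothing here touches the network: the datagram is built in
memory, fragmented the way a router would, and run through a detection heuristic.
Assumptions: 65,549 bytes = 65,535-byte IPv4 datagram + 14-byte Ethernet header;
victim-side MTU 1500; ports and addresses are placeholders."""
import struct

ETH_HDR = 14
IP_HDR = 20        # IPv4 header without options
UDP_HDR = 8
MAX_IPV4 = 65535   # maximum IPv4 total length
PROTO_UDP = 17


def build_null_udp_datagram(total_len=MAX_IPV4, fill=0x00,
                            src_port=40000, dst_port=80):
    """Build an IPv4/UDP datagram whose payload is `fill` repeated.
    Addresses are 0.0.0.0 and checksums are zero: it is only inspected in memory."""
    payload_len = total_len - IP_HDR - UDP_HDR
    udp = struct.pack("!HHHH", src_port, dst_port, UDP_HDR + payload_len, 0)
    udp += bytes([fill]) * payload_len
    # version/IHL, TOS, total length, id, flags+offset, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 1, 0, 64, PROTO_UDP, 0,
                     bytes(4), bytes(4))
    return ip + udp


def fragment_ipv4(datagram, mtu=1500):
    """Split a datagram as a router on an `mtu`-byte link would (RFC 791): each
    non-final fragment carries a payload that is a multiple of 8 bytes, the
    More-Fragments flag (0x2000) is set on all but the last, and the offset
    field counts 8-byte units."""
    hdr, payload = datagram[:IP_HDR], datagram[IP_HDR:]
    chunk = (mtu - IP_HDR) // 8 * 8
    frags = []
    offset = 0
    while offset < len(payload):
        piece = payload[offset:offset + chunk]
        more = offset + len(piece) < len(payload)
        flags_off = (0x2000 if more else 0) | (offset // 8)
        fhdr = (hdr[:2] + struct.pack("!H", IP_HDR + len(piece))
                + hdr[4:6] + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(fhdr + piece)
        offset += len(piece)
    return frags


def looks_like_null_udp_flood(datagram, min_len=60000):
    """Heuristic for the pattern above: UDP, near-maximum total length, and a
    payload made entirely of zero bytes."""
    if len(datagram) < IP_HDR + UDP_HDR or datagram[9] != PROTO_UDP:
        return False
    total_len = struct.unpack("!H", datagram[2:4])[0]
    payload = datagram[IP_HDR + UDP_HDR:total_len]
    return total_len >= min_len and payload.count(0) == len(payload)


def per_node_rates(gbps_per_1000_nodes=336.0, frame_len=MAX_IPV4 + ETH_HDR,
                   mtu=1500):
    """Turn the '336 Gbps per 1000 nodes' figure into per-bot numbers: how many
    of these frames one bot emits per second, and how many IP fragments the
    victim's link actually carries per bot once they are split at `mtu`."""
    bps_per_node = gbps_per_1000_nodes * 1e9 / 1000
    datagrams_per_s = bps_per_node / (frame_len * 8)
    frags_per_datagram = len(fragment_ipv4(build_null_udp_datagram(), mtu))
    return {"datagrams_per_s": datagrams_per_s,
            "fragments_per_datagram": frags_per_datagram,
            "fragments_per_s": datagrams_per_s * frags_per_datagram}


if __name__ == "__main__":
    d = build_null_udp_datagram()
    frags = fragment_ipv4(d)
    print(f"datagram {len(d)} bytes -> {len(frags)} fragments on a 1500-byte MTU")
    print(f"null-UDP-flood heuristic: {looks_like_null_udp_flood(d)}")
    print(per_node_rates())
```

The point for a defender is in the numbers: a maximum-size datagram becomes 45 fragments on a 1,500-byte link, so the 336 Gbps figure corresponds to only about 640 datagrams per second per bot but roughly 29,000 fragments per second per bot, and any device that tries to reassemble them (a stateful firewall or IDS) is hit harder than the raw bit rate suggests. Dropping non-initial fragments for UDP at the edge, or rate-limiting by source, is therefore worth more against this flood than payload inspection, since the payload is all zeros.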

“If the botnet contained just 1000 nodes, the resulting UDP flood would weigh in at around 336 Gbps per second. With 10,000 nodes (roughly 6.9% of the size of Mirai at its peak), the UDP flood would weigh in at more than 3.3 Tbps. The HTTP flood at 1000 nodes would generate roughly 2.7 Gbps and more than 2 Mrps. With 10,000 nodes, those numbers jump to 27 Gbps delivering 20.4 Mrps.”

IOCs

IPs

  • 77.73.131.247
  • 156.236.16.237
  • 185.112.83.254

Ports

  • 61420
  • 4120

CVEs

  • CVE-2017-17215
  • CVE-2014-8361

File Names

  • tftp.sh
  • wget.sh
  • hinata-linux.amd64
  • hinata-windows-arm5
  • hinata-plan9-arm5
  • hinata-openbsd-arm5
  • hinata-netbsd-arm5
  • hinata-linux-arm5
  • hinata-freebsd-arm5
  • hinata-windows-arm7
  • hinata-windows-arm64.exe

Recent hashes (SHA-256)

  • 01422e34b2114c68cdb6ce685cd2e5673bbe5652259a0c4b862d5de2824a9375
  • 1b958fd718f1419700c53fed10807e873e8399c354877b0a3dfceac7a8581456
  • 8a84dc2a9a06b1fae0dd16765509f88f6f54559c36d4353fd040d02d4563f703
  • 4aba67fdd694219ff0dff07ebd444ed154edacc00c3a61f9b661eabe811a0446
  • 71154ad6bd1a8a79fc674c793bb82b8e7d1371eca0f909c6e4a98ef8e7f5d1da
  • c6a7e25290677cc7b9331343166b140f2c320764a815b241747e6913b1a386d9
  • 92adfbe6aae06d7c99469aeb6551db8eee964b589f2b8774e29d987cfbd0e0d6
  • 8eda08ce362c09b5f45772467f94d5370068c1798f78c5316f15647ac898c621
  • ff7638c0c893c021c3a059a21a71600249881afd84dc0d751d99db1c8edd3cac
  • a3fac6fea9201c3c3eaae47bd95e0be93e91298e48df75540958834f9e75ac4d
  • 9875bb9dd6d159a3b327de80e151ef7f3831c0d6833ae781490d68e426b73680
  • 6ec35ef48ffdf9a92aa8845c336b327c280e1f20d7130ba0856540aed3233bbc
  • c0aa34dd8dbf654d5230d4ef1db61f9befc89a0ea16cb7757edbf8a8090c9146
  • 5643bf01e113de246575a9ec39ea12a85f9babb6ac069132ad8d1a7bfa56ed1b
  • 845134ee7335f07b23e081f024cad5cbfc9ef453d6e2adc7970d6543292e5bcc
  • 995681f388f5e0a405c282ae9ce22dc41f2249f0f5208254e1eec6e302d7ad7d
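The script below is an added example of how to sweep for the indicators listed above; it is written for this page and is not Akamai's tooling. The firewall log format, the sample log lines, the sample file bytes and the RFC 5737 addresses are all constructed for the demonstration.

```python
"""Hunt for the HinataBot IOCs listed above in constructed sample data.
Added example for this page, not Akamai's code. The key=value log format,
the SAMPLE_LOG lines, the file bytes and the 203.0.113.x/198.51.100.x
addresses are constructed for the demo."""
import hashlib
import re

C2_IPS = {"77.73.131.247", "156.236.16.237", "185.112.83.254"}
C2_PORTS = {61420, 4120}
FILE_NAMES = {
    "tftp.sh", "wget.sh", "hinata-linux.amd64", "hinata-windows-arm5",
    "hinata-plan9-arm5", "hinata-openbsd-arm5", "hinata-netbsd-arm5",
    "hinata-linux-arm5", "hinata-freebsd-arm5", "hinata-windows-arm7",
    "hinata-windows-arm64.exe",
}
KNOWN_SHA256 = {h.lower() for h in (
    "01422e34b2114c68cdb6ce685cd2e5673bbe5652259a0c4b862d5de2824a9375",
    "1b958fd718f1419700c53fed10807e873e8399c354877b0a3dfceac7a8581456",
    "8a84dc2a9a06b1fae0dd16765509f88f6f54559c36d4353fd040d02d4563f703",
    "4aba67fdd694219ff0dff07ebd444ed154edacc00c3a61f9b661eabe811a0446",
    "71154ad6bd1a8a79fc674c793bb82b8e7d1371eca0f909c6e4a98ef8e7f5d1da",
    "c6a7e25290677cc7b9331343166b140f2c320764a815b241747e6913b1a386d9",
    "92adfbe6aae06d7c99469aeb6551db8eee964b589f2b8774e29d987cfbd0e0d6",
    "8eda08ce362c09b5f45772467f94d5370068c1798f78c5316f15647ac898c621",
    "ff7638c0c893c021c3a059a21a71600249881afd84dc0d751d99db1c8edd3cac",
    "a3fac6fea9201c3c3eaae47bd95e0be93e91298e48df75540958834f9e75ac4d",
    "9875bb9dd6d159a3b327de80e151ef7f3831c0d6833ae781490d68e426b73680",
    "6ec35ef48ffdf9a92aa8845c336b327c280e1f20d7130ba0856540aed3233bbc",
    "C0aa34dd8dbf654d5230d4ef1db61f9befc89a0ea16cb7757edbf8a8090c9146",
    "5643bf01e113de246575a9ec39ea12a85f9babb6ac069132ad8d1a7bfa56ed1b",
    "845134ee7335f07b23e081f024cad5cbfc9ef453d6e2adc7970d6543292e5bcc",
    "995681f388f5e0a405c282ae9ce22dc41f2249f0f5208254e1eec6e302d7ad7d",
)}

# Constructed log format: one connection per line as key=value pairs.
LOG_FIELDS = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

SAMPLE_LOG = [  # constructed sample lines
    "2023-03-20T10:00:01Z fw: src=10.0.0.5 dst=77.73.131.247 dport=61420 proto=tcp action=allow",
    "2023-03-20T10:00:02Z fw: src=10.0.0.7 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2023-03-20T10:00:03Z fw: src=10.0.0.9 dst=198.51.100.4 dport=4120 proto=tcp action=allow",
    "2023-03-20T10:00:04Z fw: malformed line with no fields",
]


def scan_connections(lines):
    """Return (src, dst, dport, reasons) for every line that touches a listed
    IP or port. An IP match is a strong signal; a port-only match is weak and
    is labelled separately so the caller can rank it lower."""
    hits = []
    for line in lines:
        m = LOG_FIELDS.search(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        dst, dport = m["dst"], int(m["dport"])
        reasons = []
        if dst in C2_IPS:
            reasons.append("listed-ip")
        if dport in C2_PORTS:
            reasons.append("listed-port")
        if reasons:
            hits.append((m["src"], dst, dport, reasons))
    return hits


def check_file(path, data):
    """Hash file contents and compare both the digest and the basename to the lists."""
    digest = hashlib.sha256(data).hexdigest()
    reasons = []
    if digest in KNOWN_SHA256:
        reasons.append("listed-hash")
    if path.rsplit("/", 1)[-1] in FILE_NAMES:
        reasons.append("listed-name")
    return digest, reasons


if __name__ == "__main__":
    for hit in scan_connections(SAMPLE_LOG):
        print("connection hit:", hit)
    # Constructed bytes: matches the file-name list, not any listed hash.
    print("file check:", check_file("/tmp/hinata-linux.amd64", b"constructed sample bytes"))
```

Two caveats when using lists like this in practice: the ports 61420 and 4120 are not reserved for anything, so a port-only hit on an otherwise unremarkable destination needs corroboration before anyone is paged, and the hashes only catch unmodified samples, so a name or behaviour match on a device reachable over SSH or running the affected Realtek/Huawei firmware deserves a look even when the digest is new.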
Published March 20th, 2023 (2023-03-20T23:20:30+05:30)

About the Author:

FirstHackersNews- Identifies Security