Linux/Hinata.REAL!tr

Analysis

Linux/Hinata.REAL!tr is a generic detection for a trojan.
Because the detection is generic, samples detected as Linux/Hinata.REAL!tr may vary in behaviour.
Below are some of the observed characteristics/behaviours:

  • This malware is associated with the Realtek SDK outbreak and exploits CVE-2014-8361. The vulnerability lies in the miniigd SOAP service of the Realtek SDK and allows remote attackers to execute arbitrary code.

  • Linux/Hinata.REAL!tr is a DDoS botnet written in Go. It attempts to gain access to a victim's system and then waits for commands from the control server. The malware may perform malicious actions such as distributed denial-of-service (DDoS) attacks.

  • The botnet will attempt to connect to the following IP:
    • 77.73[removed]247

  • This malware has been associated with the following third-party articles/advisories:
    • https://nvd.nist.gov/vuln/detail/CVE-2014-8361
    • https://www.cvedetails.com/cve/CVE-2014-8361/

  • Below are some of the malware's capabilities (figures from the original entry; images not reproduced here):
    • Figure 1: API connection attack string found in the malware sample.
    • Figure 2: Attempting to connect to the command and control server.
    • Figure 3: Attempting a flood attack.


  • Following are some of the exact IOCs/file hashes associated with this detection:
    • MD5: 67fd38f84b11770cdd58040bd5686eb9
      SHA256: 71067d5ae6fbede66cd1dd1f37fb191ee660b3363e3101dbdccb99284e03f660
    • MD5: 171a6110335ad03e25485e7a821e458e
      SHA256: a2f8dd1b6c39d11e80c0c8abea03aef7481e681ea0e04b97ca3306b423ff3da4
    • MD5: ba2470126f4aa552d5bade243e60a15b
      SHA256: f4b447d2f5cccde35d60edaedd97d089c9f1dc4630ffcd60317e9a0e2054a23b
    • MD5: c2c5ffaa6e343394dd9431c62c917611
      SHA256: 5643bf01e113de246575a9ec39ea12a85f9babb6ac069132ad8d1a7bfa56ed1b
    • MD5: f6c73344f9d3632f4066cf9d837e2c98
      SHA256: 4fe979cd35444a38398cd1595e804f01d70a7c0049b9ddebf345b4d26fe4c877
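The hash list above is only useful if it is actually checked against files on a suspected host. The following is an added example, not FortiGuard's code or tooling, of a small hash-based IoC sweep: it streams each file through MD5 and SHA256, and reports a full match only when both digests agree with one of the listed pairs (a single-digest hit is flagged as "partial" so a transcription error or an unrelated MD5 collision is not silently treated as an infection). The hash values are copied from the entry above; the sample file it hashes is constructed here for the demonstration.

```python
import hashlib
import os
import tempfile

# IoC pairs copied from the detection entry above: MD5 -> SHA256.
HINATA_IOCS = {
    "67fd38f84b11770cdd58040bd5686eb9":
        "71067d5ae6fbede66cd1dd1f37fb191ee660b3363e3101dbdccb99284e03f660",
    "171a6110335ad03e25485e7a821e458e":
        "a2f8dd1b6c39d11e80c0c8abea03aef7481e681ea0e04b97ca3306b423ff3da4",
    "ba2470126f4aa552d5bade243e60a15b":
        "f4b447d2f5cccde35d60edaedd97d089c9f1dc4630ffcd60317e9a0e2054a23b",
    "c2c5ffaa6e343394dd9431c62c917611":
        "5643bf01e113de246575a9ec39ea12a85f9babb6ac069132ad8d1a7bfa56ed1b",
    "f6c73344f9d3632f4066cf9d837e2c98":
        "4fe979cd35444a38398cd1595e804f01d70a7c0049b9ddebf345b4d26fe4c877",
}
KNOWN_SHA256 = set(HINATA_IOCS.values())


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5 and SHA256 of a file in one pass, without loading it whole."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify(md5_hex, sha256_hex):
    """'match' when both digests agree with a listed pair, 'partial' when only
    one digest is known (verify by hand), 'clean' otherwise."""
    md5_hex = md5_hex.lower()
    sha256_hex = sha256_hex.lower()
    if HINATA_IOCS.get(md5_hex) == sha256_hex:
        return "match"
    if md5_hex in HINATA_IOCS or sha256_hex in KNOWN_SHA256:
        return "partial"
    return "clean"


def scan_directory(root):
    """Walk a directory tree and return (path, verdict, sha256) for every file
    whose hashes appear in the IoC list. Unreadable files are skipped."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                md5_hex, sha256_hex = hash_file(path)
            except OSError:
                continue  # permission denied, special file, race with deletion
            verdict = classify(md5_hex, sha256_hex)
            if verdict != "clean":
                hits.append((path, verdict, sha256_hex))
    return hits


def scan_constructed_sample():
    """Write a constructed, benign file into a temp directory and sweep it;
    expected result is an empty hit list since its hashes are not listed."""
    root = tempfile.mkdtemp(prefix="hinata_ioc_demo_")
    with open(os.path.join(root, "clean.bin"), "wb") as fh:
        fh.write(b"constructed benign sample, not malware\n")
    return scan_directory(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict, digest in scan_directory(target):
        print(f"{verdict:7s} {digest}  {path}")
```

Run it as `python scan.py /path/to/suspect/tree`; a "match" line is a confirmed sample from this entry, while a "partial" line warrants comparing the reported digest against the list by hand before acting on it.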

Outbreak Alert

FortiGuard Labs continues to see Realtek SDK vulnerabilities being exploited in the wild, with over 10,000 IPS detections per month on average, to deploy and distribute denial-of-service botnet malware such as the new Hinata botnet, RedGoBot, GooberBot and Mirai-based botnets.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-05-08 91.03076
2023-04-24 91.02671
2023-03-21 91.01630
2023-03-21 91.01627
2023-03-20 91.01606
2023-03-20 91.01604