New variant of BotenaGo malware targets security camera DVR devices

A relatively new stealth variant of the BotenaGo malware has been spotted by threat analysts recently. Botnet-type malware was considered the most invisible so far, running on machines unnoticed by antivirus programs.

Since its emergence, with the source code publicly available in October 2021, several variants have been seen, while the original version of the malware, written in Golang, an open-source programming language by Google, has continued to be active, adding exploits to target devices. IoT.

BotenaGo source code. Image: Nozomi

According to researchers at Nozomi Networks Labs, who discovered the latest version of BotenaGo, the malware specifically targets Lillin security camera DVR devices. The researchers named the sample “Lillin Scanner” after the name used by the developers in the source code: /root/lillin.go.

The new version of malware

According to the researchers who submitted the sample to the VirusTotal scan, the most notable feature of the threat is that it goes undetected by antivirus engines.

New variant of BotenaGo malware targets security camera DVR devices

File was not detected as a threat. Image: Nozomi

One of the reasons for the stealth character is given by the removal of all exploits present in the original version, with authors focusing on targeting only Lillin DVRs using a critical two-year remote code execution flaw.

The same exploit was noticed in the Fodcha malware, another recently discovered botnet that launches DDoS — Distributed Denial of Service attacks, which has seen massive growth.

Target exclusivity can be linked to a substantial number of unpatched Lillin DVR devices.

Lillin Scanner opens doors for Mirai

Another particularity of the variant that differs from the original version of BotenaGo is the requirement for an external scanning tool to build a list of IP addresses of exploitable devices.

Which allows Lillin Scanner to infect all valid and accessible IPs in the list by clear text strings, getting a hard-coded list with 11 credentials typically configured on poorly secured endpoints. Both the Lillin-specific “root/icatch99” and “report/8Jg0SR8K50” are on this list.

New variant of BotenaGo malware targets security camera DVR devices

Authentication attempt. Image: Nozomi

If there is a match, actors can execute arbitrary code remotely on the target. The exploit consists of a POST request with malicious code, submitted to dvr/cmd, in order to modify the camera’s NTP configuration.

If successful, the new configuration will execute a wget command to download a file ( from the address 136.144.41[.]169, running it afterwards. On failure, the malware tries to inject the command into cn/cmd instead.

New variant of BotenaGo malware targets security camera DVR devices

POST request with wget command. Image: Nozomi

The file is responsible for downloading the compiled Mirai payload for various architectures and running it on the compromised device. In March 2022, some of these loads were identified, indicating that the testing period is still quite recent.

Nozomi reports that Mirai features some IP ranges to prevent infection of certain targets such as the US Department of Defense (DoD), US Postal Service (USPS), General Electric (GE), Hewlett-Packard (HP) , and others.

New variant of BotenaGo malware targets security camera DVR devices

IP range exclusions in Mirai. Image: Nozomi

While Mirai takes control of a wider list of exploits and devices, in this particular campaign, the exploit serves as a gateway to a larger wave of infection.

Some features of Lillin Scanner as a very specific target does not place it as a massive threat, even though Mirai’s second stage has more powerful potential.

The way of propagation is another point that reinforces this argument, since scanning and infection functions are operated manually, at least at this first moment.

Despite these specifics, the botnet variant design proves two things: how easy it is to build completely stealthy threats from known and documented code, and how you can take advantage of leaked malware source code to build your own operations.

Via BleepingComputer

Related Articles

Leave a Reply

Your email address will not be published.