A new variant of the BotenaGo malware has been spotted that especially targets Lilin security camera DVR devices. The new variant is named Lilin Scanner based on the name used in the source code.

Lilin Scanner

The new variant is written in the Go language and has not been detected by any malware detection engine in VirusTotal.
  • Its developer has removed almost all of the 30+ exploits that existed in BotenaGo’s original source code. This is probably the reason behind its stealthy behavior.
  • The size of the payload is 2.8 MB and the actual malicious code is small and focuses on a single task. 
  • Further, the developers reused some parts to exploit a vulnerability more than two years old. 

In October 2021, the source code of BotenaGo was leaked, leading to the creation of newer variants based on the original. Since then, researchers have observed various variants of BotenaGo.

A different flavor of BotenaGo

Lilin Scanner has several similarities to, and differences from, the original BotenaGo.
  • It doesn't check the banner for the given IPs. It is suspected that the operators rely on other programs to build lists of Lilin devices, using services such as Shodan or mass scanning tools.
  • The new variant then iterates over the IP addresses it receives from standard input. This portion of the code can easily be spotted in the original BotenaGo source code.
  • The code creates one Goroutine (a lightweight thread in Go) per IP address, running the infectFunctionLilinDvr function, which follows the same naming convention used in BotenaGo.
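A triage check an analyst can run on a suspected sample, added here as an example and not part of the Cyware write-up or the malware's code: Go binaries keep fully qualified function names (such as main.infectFunctionLilinDvr) in the runtime's pclntab even when the symbol table is stripped, so the BotenaGo-style function names can be recovered from the file bytes. The sample blob below is constructed, not a real binary.

```python
import re
from typing import List

# Go binaries record function names like "main.infectFunctionLilinDvr" in the
# runtime's pclntab (used for stack traces), which survives symbol stripping.
# A byte-level scan therefore recovers the developer's own function names.
GO_MAIN_FUNC = re.compile(rb"(?<![A-Za-z0-9_.])main\.[A-Za-z_][A-Za-z0-9_]*")

# BotenaGo names each per-target routine "infectFunction<Target>", as the
# article notes for infectFunctionLilinDvr.
BOTENAGO_PREFIX = "main.infectFunction"


def go_main_functions(blob: bytes) -> List[str]:
    """Return the unique main-package function names found in a Go binary image."""
    return sorted({m.group(0).decode("ascii") for m in GO_MAIN_FUNC.finditer(blob)})


def botenago_style_functions(blob: bytes) -> List[str]:
    """Return the names that follow BotenaGo's infectFunction<Target> convention."""
    return [name for name in go_main_functions(blob) if name.startswith(BOTENAGO_PREFIX)]


# Constructed stand-in for a sample: an ELF-like header followed by a few
# NUL-separated pclntab-style names (main.readTargets is a hypothetical name).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"main.main\x00runtime.main\x00main.infectFunctionLilinDvr\x00"
    + b"main.readTargets\x00net.Dial\x00"
)

if __name__ == "__main__":
    for name in go_main_functions(SAMPLE_BLOB):
        flag = "  <- BotenaGo naming convention" if name.startswith(BOTENAGO_PREFIX) else ""
        print(name + flag)
```

Run it against a real sample with `go_main_functions(open(path, "rb").read())`; a hit on the infectFunction prefix is a reason to look closer, not proof on its own.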

Mirai connection

In one of the attack stages, various malicious samples try to execute on various architectures of Lilin devices, including x86, SPARC, Motorola 68000, MIPS, PowerPC, ARM, and SuperH. These samples are part of the Mirai malware family, which is infamous for targeting IoT devices.

Conclusion

Upgrading existing malware code and working on new projects to enhance attack capabilities have become a regular activity among cybercriminals. Regular monitoring of the evolution of these threats can help in developing robust detection strategies and defense mechanisms.

Cyware Publisher
