A new variant of the BotenaGo malware that exclusively targets DVRs for security camera systems has been spotted in the wild by security researchers.
For those unfamiliar, BotenaGo is a relatively new malware written in Google’s open source Golang programming language. While it was originally used to target IoT devices in an effort to create botnets, BotenaGo’s source code was leaked online back in October of last year.
In the time since, cybercriminals have developed several new variants of the malware while also improving the original by adding new exploits to target millions of connected devices.
Now though, Nozomi Networks Labs has discovered a new variant that appears to be derived from the leaked source code. However, the sample analyzed by the firm’s security researchers exclusively targets Lilin security camera DVR devices, which is why it has been dubbed “Lillin scanner”.
Lillin BotenaGo variant
Another thing that sets Lillin scanner apart from the original BotenaGo malware is that the variant is currently undetected by every antivirus engine on VirusTotal.
According to a report from BleepingComputer, this could be because the malware variant’s authors have removed all of the exploits found in the original BotenaGo. Instead, they’ve written the malware to only focus on Lilin DVRs by exploiting a two-year-old critical remote code execution vulnerability. Casting a smaller net for potential targets makes sense in this case as there are still a significant number of unpatched Lilin DVR devices in the wild.
An additional key difference between BotenaGo and Lillin scanner is that the new malware variant leverages an external mass-scanning tool to create lists of the IP addresses of vulnerable devices. In their blog post on the matter, Nozomi’s researchers also highlight that the cybercriminals behind Lillin scanner have specifically programmed it to avoid infecting IP addresses that belong to the US Department of Defense (DOD), the US Postal Service (USPS), General Electric, Hewlett Packard and other businesses.
Once a vulnerable device is infected by Lillin scanner, Mirai payloads are then downloaded and executed on it. Still though, this new BotenaGo variant isn’t such a massive threat as it only targets devices from a specific manufacturer.
Via BleepingComputer