A new BotenaGo malware variant that exclusively targets DVRs for security camera systems has been spotted in the wild by security researchers.
For those unfamiliar, BotenaGo is a relatively new piece of malware written in Go, Google's open-source programming language. Originally used to compromise IoT devices and enlist them in botnets, BotenaGo had its source code leaked online in October last year.
Since then, cybercriminals have developed several new variants of the malware while improving the original by adding new exploits to target millions of connected devices.
Now, Nozomi Networks Labs has discovered a new variant that also appears to be derived from the leaked source code. The sample analyzed by the company's researchers, however, exclusively targets Lilin security camera DVR devices, which is why it was dubbed the "Lillin scanner".
Another thing that distinguishes the Lillin scanner from the original BotenaGo is that, at the time of Nozomi's analysis, the sample was not flagged by any of VirusTotal's antivirus engines.
According to a report by BleepingComputer, this is likely because the authors of the variant stripped out every exploit found in the original BotenaGo, so signatures keyed on that exploit code no longer match. Instead, the variant focuses solely on Lilin DVRs, exploiting a critical remote code execution vulnerability disclosed two years ago. Casting a smaller net makes sense here, as a significant number of Lilin DVR devices remain unpatched and exposed on the internet.
Another key difference between BotenaGo and the Lillin scanner is that the new variant does not discover targets on its own: it relies on an external mass-scanning tool to produce lists of IP addresses of vulnerable devices. Nozomi's researchers also note in their blog post that the operators deliberately programmed the Lillin scanner to skip IP addresses belonging to the United States Department of Defense (DoD), the United States Postal Service (USPS), General Electric, Hewlett Packard and other organizations.
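To make the target-selection stage concrete, here is a small Go program (Go because BotenaGo itself is written in it) that reproduces the shape of what Nozomi describes: it reads the list-format output of an external mass scanner, keeps each host that has the scanned port open exactly once, and drops any host that falls inside an exclusion list of networks. This is an added illustration, not code from the malware or from Nozomi; the scan lines are constructed from RFC 5737 documentation ranges, and the exclusion networks are hypothetical stand-ins, since the article does not publish the ranges the operators actually skip. The same filter is what a defender would use to turn raw scanner output into an inventory of exposed DVRs while honoring an out-of-scope list.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// sampleScan is a constructed sample of masscan list output (-oL) using
// RFC 5737 documentation addresses. It is not real scan data.
const sampleScan = `#masscan
open tcp 80 203.0.113.10 1650000000
open tcp 80 198.51.100.7 1650000001
open tcp 80 203.0.113.10 1650000002
open tcp 80 192.0.2.25 1650000003
open tcp 80 198.51.100.200 1650000004
# end`

// excludedCIDRs is a hypothetical exclusion list. The article says the
// malware skips ranges belonging to DoD, USPS, GE and HP but does not
// publish them, so documentation ranges stand in here.
var excludedCIDRs = []string{"198.51.100.0/25", "192.0.2.0/24"}

// exclusions holds the parsed networks that must never be targeted.
type exclusions []*net.IPNet

// parseExclusions turns CIDR strings into networks, failing loudly on bad
// input instead of silently leaving a range unprotected.
func parseExclusions(cidrs []string) (exclusions, error) {
	var ex exclusions
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad exclusion %q: %w", c, err)
		}
		ex = append(ex, n)
	}
	return ex, nil
}

// contains reports whether ip falls inside any excluded network.
func (e exclusions) contains(ip net.IP) bool {
	for _, n := range e {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// buildTargetList parses masscan list output, keeps each IPv4 host with the
// given TCP port open once, drops excluded hosts, and returns the sorted
// survivors together with the number of unique hosts dropped.
func buildTargetList(scan, port string, ex exclusions) ([]string, int) {
	seen := make(map[string]bool)
	dropped := 0
	var targets []string
	sc := bufio.NewScanner(strings.NewReader(scan))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // masscan header and footer comments
		}
		f := strings.Fields(line)
		// list format: <state> <proto> <port> <ip> <timestamp>
		if len(f) < 4 || f[0] != "open" || f[1] != "tcp" || f[2] != port {
			continue
		}
		ip := net.ParseIP(f[3])
		if ip == nil || ip.To4() == nil || seen[f[3]] {
			continue // malformed, non-IPv4, or already handled
		}
		seen[f[3]] = true
		if ex.contains(ip) {
			dropped++
			continue
		}
		targets = append(targets, f[3])
	}
	sort.Strings(targets)
	return targets, dropped
}

func main() {
	ex, err := parseExclusions(excludedCIDRs)
	if err != nil {
		panic(err)
	}
	targets, dropped := buildTargetList(sampleScan, "80", ex)
	fmt.Printf("%d target(s) kept, %d excluded\n", len(targets), dropped)
	for _, t := range targets {
		fmt.Println(t)
	}
}
```

On the sample above the filter keeps 203.0.113.10 (once, despite two scan hits) and 198.51.100.200, and drops the two hosts that sit inside the excluded /25 and /24. Note that the exclusion check runs after deduplication, so a repeatedly scanned excluded host is counted once; and that a parse failure in the exclusion list aborts the run rather than degrading to "exclude nothing", which is the failure mode you want on the defensive side as well.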
Once a vulnerable device has been compromised by the Lillin scanner, Mirai payloads are downloaded and executed on it. Because it targets devices from a single manufacturer, however, this BotenaGo variant poses a narrower threat than its predecessors.