This sneaky new malware targets your DVR

Security researchers have detected a new variant of the BotenaGo malware that exclusively targets DVRs used in security camera systems.

For those unfamiliar, BotenaGo is a relatively new piece of malware written in Go (Golang), Google's open source programming language. Originally used to compromise IoT devices and recruit them into botnets, BotenaGo had its source code leaked online in October 2021.

Since then, cybercriminals have developed several new variants of the malware, improving on the original by adding new exploits that can reach millions of connected devices.

Nozomi Networks Labs has now discovered a new variant that appears to be derived from the leaked source code. Unlike its predecessors, the sample analyzed by the company's researchers exclusively targets Lilin security camera DVRs, which is why it was dubbed the "Lillin scanner."

The Lillin BotenaGo variant

Another thing that distinguishes the Lillin scanner from the original BotenaGo malware is that, at the time of analysis, the variant was not detected by any of VirusTotal's antivirus engines.

According to a report from BleepingComputer, this could be because the authors of the variant removed all of the exploits found in the original BotenaGo. Instead, they wrote the malware to target only Lilin DVRs, exploiting a two-year-old critical remote code execution vulnerability. Casting a smaller net makes sense in this case, as there is still a significant number of unpatched Lilin DVRs exposed on the internet.

An additional key difference between BotenaGo and the Lillin scanner is that the new variant does not scan for targets itself: it relies on an external bulk scanning tool to produce lists of IP addresses of potentially vulnerable devices, which it then works through. Nozomi's researchers also point out in their blog post that the operators behind the Lillin scanner programmed it to skip IP addresses belonging to the United States Department of Defense (DoD), the United States Postal Service (USPS), General Electric, Hewlett Packard and other organizations, presumably to avoid attracting attention from well-resourced defenders.
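The two mechanisms described above, consuming a scanner's IP list and dropping anything inside an exclusion list, amount to a CIDR membership filter. The following Python is an added illustration of that logic, not code from the malware or from Nozomi's analysis; the exclusion ranges and the scanner output are constructed from RFC 5737 documentation addresses and stand in for the real organizations' ranges, which the page does not list.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed exclusion list. These are documentation/test ranges only and
# stand in for the real organizations' address space, which is an assumption.
EXCLUDED_CIDRS = [
    "# constructed exclusion list",
    "192.0.2.0/24",      # TEST-NET-1, standing in for one excluded organization
    "198.51.100.0/24",   # TEST-NET-2
    "203.0.113.45/24",   # TEST-NET-3, written with host bits set on purpose
]

# Constructed output of an external bulk scanner: one address per line,
# including a malformed line the filter must tolerate.
SCAN_OUTPUT = """\
192.0.2.10
198.18.0.5
not-an-ip
203.0.113.200
198.51.100.1
198.18.0.6
"""


def parse_exclusions(lines: Iterable[str]) -> List[Network]:
    """Turn a text exclusion list into network objects, skipping blanks and comments."""
    nets: List[Network] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False accepts entries like 203.0.113.45/24 by masking off host bits.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def filter_targets(candidates: Iterable[str], exclusions: List[Network]) -> List[str]:
    """Keep only addresses that fall outside every excluded network."""
    kept: List[str] = []
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # malformed scanner line: drop it rather than crash
        # Membership tests across IP versions are simply False, so mixed v4/v6 lists are safe.
        if any(ip in net for net in exclusions):
            continue
        kept.append(str(ip))
    return kept


def demo() -> List[str]:
    """Run the constructed scanner output through the constructed exclusion list."""
    return filter_targets(SCAN_OUTPUT.splitlines(), parse_exclusions(EXCLUDED_CIDRS))


if __name__ == "__main__":
    print(demo())  # ['198.18.0.5', '198.18.0.6']
```

The same check, run in the other direction over your own address space, tells you whether a given exclusion list would have protected you, which is the only defensive use of such a list worth noting; for everyone outside it, the relevant control remains patching or isolating the DVRs.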

Once a vulnerable device has been compromised by the Lillin scanner, Mirai payloads are downloaded and executed on it. Even so, this new BotenaGo variant is not as broad a threat as its predecessors, since it only targets devices from a single manufacturer.

Via BleepingComputer