New BotenaGo malware variant targets vulnerabilities in Lilin security camera DVR devices, Nozomi detects

Nozomi Networks has discovered a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, exposing millions of IoT devices deployed across numerous operating environments. The sample has been named ‘Lillin scanner’ after the name the developers used for it in the source code. The scanner sends specially crafted HTTP POST requests to specific URL paths to exploit a command injection vulnerability in the device’s web interface.

“The source code of the BotenaGo malware was leaked in October 2021, which led to the creation of new variants based on the original,” Nozomi Networks Labs researchers wrote in a blog post. “We decided to monitor samples that could have been generated utilizing parts of the BotenaGo source code. In doing so, we discovered a sample that contained certain similarities of BotenaGo,” they added.

It is unclear which threat actor is behind the BotenaGo malware or how many devices are infected, but Nozomi said the variant may be connected to the Mirai malware.

AT&T Alien Labs said in November that the BotenaGo malware has been deployed with over 30 exploit functions, putting millions of IoT devices at risk of exploits and breaches. BotenaGo is written in Golang, also known as Go, an open-source programming language designed at Google starting in 2007 that makes it easier for developers to build software. While open-source programming languages have clear benefits, attackers have taken advantage of them just as readily, using Go to write malware.

At the time of the research, the sample had not been detected by any malware detection engine on VirusTotal, Nozomi noted. “Although the sample is quite large (2.8 MB), due to being written in Go, the portion of the actual malicious code is quite small and focuses on a single task. Its authors removed almost all of over 30 exploits present in BotenaGo’s original source code and reused some parts to exploit a different vulnerability that was over two years old. This may be why the sample hasn’t been detected until now,” it added.

To run, the scanner/exploiter needs a parameter to be passed in the command line, the researchers said. “That will be the port being used to connect to each of the IP addresses that the program targets. Lillin scanner differs from BotenaGo in that it doesn’t check the banner for the given IPs. It is possible that this tool is chained with another program that builds lists of Lilin devices using services like Shodan or other mass scanning tools,” they added.

Subsequently, the sample will iterate over the IP addresses that it receives from the standard input, the San Francisco, California-based company disclosed. “This portion of the code can easily be spotted in the original BotenaGo source code. These instructions will create one Goroutine (a sort of thread used in Go) per IP address executing the infectFunctionLilinDvr function, which follows the same naming convention as in BotenaGo,” it added.

Moving over to device access and vulnerability exploitation, Nozomi said that when the infectFunctionLilinDvr function receives the IP address to scan, it first checks if the device behind that IP can be accessed. “The Lillin scanner contains 11 pairs of user-password credentials in its code. This is a difference from previous malware samples that, reportedly, abused only the credentials root/icatch99 and report/8Jg0SR8K50. These credentials are Base64-encoded to be used in the basic authentication needed to exploit the vulnerability that allows the Remote Code Execution (RCE),” it added.
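The Base64-encoded Basic authentication described above is visible in web server or proxy logs, which gives defenders a simple detection hook. The following Go program is an added example, not code from Nozomi or from the malware: it decodes the Basic auth header of each POST request in a constructed access log and flags the two default credential pairs the article names (root/icatch99 and report/8Jg0SR8K50). The log layout and the request path `/cgi-bin/example` are placeholders assumed for the example; the 11 pairs carried by Lillin scanner itself are not listed on the page.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Default credential pairs the article says earlier Lilin DVR malware abused;
// the 11 pairs in Lillin scanner are not on the page, so only these are checked.
var knownDefaultCreds = map[string]bool{"root:icatch99": true, "report:8Jg0SR8K50": true}

// Basic-auth blob in a log line. The log layout is constructed for this example.
var authRe = regexp.MustCompile(`Authorization: Basic ([A-Za-z0-9+/=]+)`)

// ScanLog returns usernames of POST requests whose Basic auth decodes to a known default pair.
func ScanLog(logText string) []string {
	var hits []string
	for _, line := range strings.Split(logText, "\n") {
		m := authRe.FindStringSubmatch(line)
		if !strings.Contains(line, `"POST `) || m == nil {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(m[1])
		if err != nil || !knownDefaultCreds[string(raw)] {
			continue // undecodable header or not a known default pair
		}
		hits = append(hits, strings.SplitN(string(raw), ":", 2)[0])
	}
	return hits
}

// SampleLog builds a constructed access log: two default-credential POSTs,
// one POST with an unrelated credential, and one unauthenticated GET.
func SampleLog() string {
	enc := func(c string) string { return base64.StdEncoding.EncodeToString([]byte(c)) }
	return strings.Join([]string{
		`203.0.113.5 "POST /cgi-bin/example HTTP/1.1" Authorization: Basic ` + enc("root:icatch99"),
		`203.0.113.5 "POST /cgi-bin/example HTTP/1.1" Authorization: Basic ` + enc("report:8Jg0SR8K50"),
		`198.51.100.9 "POST /cgi-bin/example HTTP/1.1" Authorization: Basic ` + enc("admin:changeme"),
		`198.51.100.9 "GET / HTTP/1.1"`,
	}, "\n")
}

func main() {
	for _, user := range ScanLog(SampleLog()) {
		fmt.Println("default-credential POST seen for user:", user)
	}
}
```

Devices that still accept these credentials should be treated as exposed regardless of whether the scanner has reached them yet.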

In the third stage of the attack, the malware attempts to execute malicious samples built for multiple architectures on the camera, Nozomi said. These samples belong to the Mirai malware family, which is a widely known threat to IoT devices. All of these samples were submitted to VirusTotal at the beginning of March, it added.

Nozomi observed that another behavior associated with the Mirai botnet is the exclusion of IP ranges belonging to the internal networks of the U.S. Department of Defense (DoD), U.S. Postal Service (USPS), General Electric (GE), Hewlett-Packard (HP), and others. “The same IP ranges are excluded from the scanning procedure in the sample we are analyzing. Moreover, we see that the verification of a randomly generated IP follows the same algorithm as the one implemented in Mirai’s source code,” the researchers noted.

Apart from working on completely new projects, attackers also commonly re-use already available code to build new malware, Nozomi noted. “Monitoring the evolution of these projects helps create more robust and generic detections that remain proactive for a longer time, thus providing better protections against modern cyberthreats,” it added.

Nozomi had detailed the BotenaGo malware in February in its semi-annual OT/IoT Security Report covering the second half of 2021. Once installed on a vulnerable machine, BotenaGo receives instructions from the command and control (C&C) server to infect other devices. Most of the affected devices are network devices belonging to DrayTek, D-Link, Netgear, GPON, Linksys, XiongMai, Comtrend, Guangzhou, TOTOLINK, Tenda, ZyXEL, and ZTE, the company said in February.

“One of the 30 exploits used by this malware targets Boa, a discontinued webserver used for embedded applications. A search for the targeted version of Boa in Shodan shows approximately 1.5 million exposed devices, which are thus potentially vulnerable and could be targets of a BotenaGo attack,” the report added.

Nozomi is one of the founding members of the OT Cyber Coalition (Operational Technology Cybersecurity Coalition) announced last week, which will work together with government and industry partners, while also advocating for vendor-neutral, interoperable, standards-based cybersecurity solutions. The Coalition will focus on using collective experience to safeguard the nation’s critical infrastructure assets and improve the cybersecurity of OT environments.
