A new variant of the BotenaGo IoT botnet has been discovered in the wild, specifically targeting Lilin security camera DVR devices and infecting them with Mirai malware. The new version, which Nozomi Networks dubbed “Lilin Scanner,” exploits a two-year-old critical command injection vulnerability in the DVR firmware, which the Taiwanese company patched in February 2020.
BotenaGo is a Golang-based attack suite that includes more than 30 exploits for known security flaws in web servers, routers, and other IoT devices. It was first reported by AT&T Alien Labs in November 2021. The botnet’s source code has since been leaked on GitHub, making it available to other criminals.
“With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code,” said the researchers.
After Chalubo, Fbot, and Moobot, the new BotenaGo variant is the latest malware to attack weaknesses in Lilin DVR devices. Qihoo 360’s Network Security Research Lab (360 Netlab) disclosed a fast-expanding DDoS botnet known as Fodcha earlier this month. Fodcha spreads using N-day vulnerabilities and weak Telnet/SSH passwords.
One feature that distinguishes Lilin Scanner from BotenaGo is its dependency on external software to generate a list of IP addresses of susceptible Lilin devices, which it then uses to remotely execute arbitrary code on the target and deliver Mirai payloads via the aforementioned vulnerability. It’s worth noting that the malware cannot spread like a worm and can only be used to attack the IP addresses supplied to the Mirai binary as input.
According to the researchers, another characteristic of the Mirai botnet is that it excludes IP ranges belonging to the internal networks of the United States Department of Defense (DoD), General Electric (GE), the United States Postal Service (USPS), Hewlett-Packard (HP), and others.
Lilin Scanner, like Mirai, appears to be spawning new malware offshoots by repurposing publicly available source code. “Its authors removed almost all of the 30+ exploits present in BotenaGo’s original source code,” the researchers said, adding, “it seems that this tool has been quickly built using the code base of the BotenaGo malware.”