New BotenaGo variant specifically targets Lilin security camera DVR devices

Researchers spotted a new variant of the BotenaGo botnet malware that is considered highly evasive and has a zero-detection rate.

The BotenaGo botnet was first spotted in November 2021 by researchers at AT&T, the malicious code leverages thirty-three exploits to target millions of routers and IoT devices.

BotenaGo was written in Golang (Go) and at the time of the report published by the experts, it had a low antivirus (AV) detection rate (6/62).

The BotenaGo source code is available online since October 2021 allowing multiple threat actors to create their own version by adding new exploits to infect the largest number possible.

Researchers at Nozomi Networks Labs have recently discovered a new BotenaGo variant that specifically targets Lilin security camera DVR devices.

The experts called the sample they analyzed “Lillin scanner” because of the name the developers used for it in the source code: /root/lillin.go. The bot was likely developed from the leaked source code.The sample they analyzed targets Lilin security camera DVR devices, which prompted the researchers to name it the “Lillin scanner”.

“We decided to monitor samples that could have been generated utilizing parts of the BotenaGo source code. In doing so, we discovered a sample that contained certain similarities of BotenaGo.” reads the analysis published by Nozomi Networks. “At the time of this research, the sample had not been detected by any malware detection engine in VirusTotal. Although the sample is quite large (2.8 MB), due to being written in Go, the portion of the actual malicious code is quite small and focuses on a single task.”

According to the experts, the authors removed almost all of the 30 exploits included in the original code of BotenaGo and reused some parts to exploit an RCE vulnerability affecting Lilin DVR devices.

The malware used the infectFunctionLilinDvr function to receive the IP address to scan, it first attempts to access the device behind that IP. The experts noticed that the Lillin scanner, unlike the BotenaGo malware, contains 11 pairs of user-password credentials in its code. The BotenaGo botnet reportedly abused only the couple of credentials root/icatch99 and report/8Jg0SR8K50.

When the device uses one of the credentials in the list, the malware exploits the vulnerability to execute arbitrary code.

“Lillin scanner will loop over the 11 encoded credentials and will sequentially try to access the root directory, changing the Base64 string in the Authorization field. When the server response contains the string HTTP/1.1 200 or HTTP/1.0 200 it will consider the authentication to be successful and will attempt the exploitation of the Network Time Protocol (NTP) configuration vulnerability.” continues the analysis. “This vulnerability, part of a set of security vulnerabilities affecting Lilin DVRs, was discovered in 2020 and was assigned a CVSS v3.1 score of 10.0 (Critical) by the vendor.”

The scanner can exploit the command injection vulnerability in the web interface of the DVR by sending specially crafted HTTP POST requests to the URL paths /dvr/cmd and /cn/cmd.

If successful, the request modifies the NTP configuration of the camera. The modified configuration contains a command that attempts to download a file named wget.sh from the IP address 136.144.41[.]169 and then executes its content. If the command injection to /dvr/cmd is not successful, the scanner attempts the same attack to the endpoint /cn/cmd. Once the attack is complete, another request to the same endpoint restores the original NTP configuration.

In the next stage of the attack, the wget.sh file downloads Mirai payloads compiled for multiple architectures and attempts to execute them on the compromised device. All these samples have been uploaded to VirusTotal at the beginning of March 2022.

Experts also noticed that the Mirai botnet employed in the attack excludes IP ranges belonging to the internal networks of the U.S. Department of Defense (DoD), U.S. Postal Service (USPS), General Electric (GE), Hewlett-Packard (HP), and others.

“Apart from working on completely new projects, attackers also commonly re-use already available code to build new malware. Monitoring the evolution of these projects helps create more robust and generic detections that remain proactive for a longer time, thus providing better protections against modern cyberthreats.” concludes Nozomi.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BotenaGo botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]