For those unfamiliar, BotenaGo is a relatively new malware family written in Go (Golang), Google’s open source programming language. It was originally used to compromise IoT devices for botnet building, and its source code was leaked online in October of last year.
Since then, cybercriminals have built several new variants of the malware and extended the original with additional exploits, putting millions of connected devices within reach.
Now Nozomi Networks Labs has discovered a new variant that appears to be derived from the leaked source code. The sample analyzed by the firm’s researchers exclusively targets Lilin security camera DVRs, which is why it has been dubbed “Lillin scanner”.
Lillin BotenaGo variant
Another thing that sets Lillin scanner apart from the original BotenaGo is that, at the time of writing, the variant was undetected by every antivirus engine on VirusTotal. That is a point-in-time figure: VirusTotal results reflect static engines on the day of submission, not whether behavioral or network detection would catch the scanner once it runs.
According to a report from BleepingComputer, the clean score is plausibly explained by the variant’s authors having stripped out every exploit found in the original BotenaGo, removing the code that existing signatures were built on. In its place they focus solely on Lilin DVRs, exploiting a two-year-old critical remote code execution vulnerability. Casting a smaller net makes sense here because a significant number of unpatched Lilin DVRs remain exposed on the internet.
A further key difference is that the new variant relies on an external mass-scanning tool to build lists of IP addresses of potentially vulnerable devices. Nozomi’s researchers also note in their blog post that the operators have programmed the scanner to skip IP addresses belonging to the US Department of Defense (DoD), the US Postal Service (USPS), General Electric, Hewlett Packard and other organizations.
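The target-list filtering described above, reconstructed as an added Go example rather than code from the Lillin scanner sample or from Nozomi’s analysis. It assumes the external scanner emits one IP address per line; the exclusion ranges are RFC 5737 documentation networks used as placeholders (not the organization-owned blocks the malware actually skips), and the scan output is constructed for the example. IPv4-mapped IPv6 addresses are unmapped before the check so that a mapped form of an excluded address cannot slip through.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// Placeholder exclusion ranges (RFC 5737 documentation networks) standing in
// for the organization-owned blocks the real sample skips. Constructed for
// this example; they are not the ranges from the malware.
var placeholderExclusions = []string{
	"192.0.2.0/24",
	"198.51.100.0/24",
	"203.0.113.0/24",
}

// Constructed scanner output: one address per line, as a mass-scanning tool
// might emit after a port sweep. Includes a comment, a malformed line and an
// IPv4-mapped IPv6 address to exercise the edge cases.
const sampleScanOutput = `# constructed sample, not real scan data
198.51.100.7
100.64.1.20
203.0.113.200
not-an-ip
100.64.1.21
192.0.2.9
::ffff:192.0.2.1
`

// ExclusionList is the set of prefixes the scanner refuses to target.
type ExclusionList struct {
	prefixes []netip.Prefix
}

// NewExclusionList parses CIDR strings. A single bad entry fails loudly
// rather than silently shrinking the deny list.
func NewExclusionList(cidrs []string) (*ExclusionList, error) {
	e := &ExclusionList{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad exclusion %q: %w", c, err)
		}
		e.prefixes = append(e.prefixes, p.Masked())
	}
	return e, nil
}

// Excluded reports whether addr falls inside any excluded prefix.
func (e *ExclusionList) Excluded(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as a.b.c.d
	for _, p := range e.prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// FilterResult summarizes one pass over scanner output.
type FilterResult struct {
	Targets   []string // addresses that survive the exclusion check
	Excluded  int      // addresses dropped because they hit a prefix
	Malformed int      // lines that were not a valid IP address
}

// FilterTargets reads newline-separated scanner output and applies excl.
// Blank lines and '#' comments are ignored; bad lines are counted, not fatal.
func FilterTargets(scanOutput string, excl *ExclusionList) FilterResult {
	var res FilterResult
	sc := bufio.NewScanner(strings.NewReader(scanOutput))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		addr, err := netip.ParseAddr(line)
		if err != nil {
			res.Malformed++
			continue
		}
		if excl.Excluded(addr) {
			res.Excluded++
			continue
		}
		res.Targets = append(res.Targets, addr.Unmap().String())
	}
	return res
}

func main() {
	excl, err := NewExclusionList(placeholderExclusions)
	if err != nil {
		panic(err)
	}
	res := FilterTargets(sampleScanOutput, excl)
	fmt.Printf("kept %d, excluded %d, malformed %d\n", len(res.Targets), res.Excluded, res.Malformed)
	for _, t := range res.Targets {
		fmt.Println(t)
	}
}
```

For an analyst, the value of reconstructing this step is that the deny list is a cheap fingerprint: the same hard-coded prefixes tend to carry over between builds, and a sample that consumes scanner output rather than scanning itself will show no SYN-sweep behavior of its own in network telemetry.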
Once a vulnerable device is compromised by Lillin scanner, Mirai payloads are downloaded and executed on it. Even so, this BotenaGo variant is not a massive threat on its own, since it only targets devices from a single manufacturer. The practical check for defenders is correspondingly narrow: any internet-exposed Lilin DVR should be patched or taken off the public network, because it is precisely the unpatched, reachable units that the scanner is built to find.