New BotenaGo Variant Infects Lilin Security Cameras With Mirai

A newly identified variant of the BotenaGo malware is specifically targeting security cameras manufactured by Taiwan-based Lilin, warns OT and IoT security firm Nozomi Networks.

The threat is based on the source code of the Go-written BotenaGo malware, which was leaked online in October 2021, but its sole purpose appears to be the infection of compromised devices with Mirai.

The original BotenaGo contained over 30 exploits for known vulnerabilities in routers and other types of IoT devices. The malware could create two backdoor ports on infected devices, and execute remote shell commands.

With a low detection rate, the new variant of the malware – which Nozomi refers to as Lillin scanner – was stripped of most of the 30 exploits in the original source code and repurposed to target a two-year-old vulnerability in Lillin security camera DVR devices.

The researchers believe that the Lillin scanner might be used in manual mode alongside another tool that creates lists of Lilin devices, because it doesn’t check for given IPs. However, it does iterate through IP addresses it receives – just as the original BotenaGo did – to run an infection routine.

[ READ: Spring4Shell Vulnerability Exploited by Mirai Botnet ]

Lillin scanner contains a total of 11 user-password pairs that are “Base64-encoded to be used in the basic authentication needed to exploit the vulnerability that allows the Remote Code Execution (RCE),” Nozomi Networks explains.

If the malware considers the authentication attempt to be successful, it will move to exploiting a Network Time Protocol (NTP) configuration vulnerability that was identified in Lilin DVRs in 2020. The security flaw has a CVSS score of 10, but the vendor hasn’t provided a CVE identifier for it.

After compromising the target, the malware downloads payloads targeting multiple architectures (ARM, x86, MIPS, Motorola 68000, PowerPC, SPARC, and SuperH), and attempts to execute them on the camera.

According to Nozomi Networks, all of these payload samples belong to the Mirai family and all of them were submitted to VirusTotal in early March 2022.

“It seems that this tool has been quickly built using the code base of the BotenaGo malware. It shouldn’t be confused with a worm as its main goal is to infect its victims with Mirai executables with a list of IP addresses provided as input; it can’t automatically propagate itself,” Nozomi Networks concludes.

Related: Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance

Related: Mirai-Based ‘Manga’ Botnet Targets Recent TP-Link Vulnerability