Connect with us

Hi, what are you looking for?



New BotenaGo Variant Infects Lilin Security Cameras With Mirai

A newly identified variant of the BotenaGo malware is specifically targeting security cameras manufactured by Taiwan-based Lilin, warns OT and IoT security firm Nozomi Networks.

A newly identified variant of the BotenaGo malware is specifically targeting security cameras manufactured by Taiwan-based Lilin, warns OT and IoT security firm Nozomi Networks.

The threat is based on the source code of the Go-written BotenaGo malware, which was leaked online in October 2021, but its sole purpose appears to be the infection of compromised devices with Mirai.

The original BotenaGo contained over 30 exploits for known vulnerabilities in routers and other types of IoT devices. The malware could create two backdoor ports on infected devices, and execute remote shell commands.

With a low detection rate, the new variant of the malware – which Nozomi refers to as Lillin scanner – was stripped of most of the 30 exploits in the original source code and repurposed to target a two-year-old vulnerability in Lillin security camera DVR devices.

The researchers believe that the Lillin scanner might be used in manual mode alongside another tool that creates lists of Lilin devices, because it doesn’t check for given IPs. However, it does iterate through IP addresses it receives – just as the original BotenaGo did – to run an infection routine.

[ READ: Spring4Shell Vulnerability Exploited by Mirai Botnet ]

Lillin scanner contains a total of 11 user-password pairs that are “Base64-encoded to be used in the basic authentication needed to exploit the vulnerability that allows the Remote Code Execution (RCE),” Nozomi Networks explains.

Advertisement. Scroll to continue reading.

If the malware considers the authentication attempt to be successful, it will move to exploiting a Network Time Protocol (NTP) configuration vulnerability that was identified in Lilin DVRs in 2020. The security flaw has a CVSS score of 10, but the vendor hasn’t provided a CVE identifier for it.

After compromising the target, the malware downloads payloads targeting multiple architectures (ARM, x86, MIPS, Motorola 68000, PowerPC, SPARC, and SuperH), and attempts to execute them on the camera.

According to Nozomi Networks, all of these payload samples belong to the Mirai family and all of them were submitted to VirusTotal in early March 2022.

“It seems that this tool has been quickly built using the code base of the BotenaGo malware. It shouldn’t be confused with a worm as its main goal is to infect its victims with Mirai executables with a list of IP addresses provided as input; it can’t automatically propagate itself,” Nozomi Networks concludes.

Related: Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance

Related: Mirai-Based ‘Manga’ Botnet Targets Recent TP-Link Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...