Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



New BotenaGo Variant Infects Lilin Security Cameras With Mirai

A newly identified variant of the BotenaGo malware is specifically targeting security cameras manufactured by Taiwan-based Lilin, warns OT and IoT security firm Nozomi Networks.

A newly identified variant of the BotenaGo malware is specifically targeting security cameras manufactured by Taiwan-based Lilin, warns OT and IoT security firm Nozomi Networks.

The threat is based on the source code of the Go-written BotenaGo malware, which was leaked online in October 2021, but its sole purpose appears to be the infection of compromised devices with Mirai.

The original BotenaGo contained over 30 exploits for known vulnerabilities in routers and other types of IoT devices. The malware could create two backdoor ports on infected devices, and execute remote shell commands.

With a low detection rate, the new variant of the malware – which Nozomi refers to as Lillin scanner – was stripped of most of the 30 exploits in the original source code and repurposed to target a two-year-old vulnerability in Lillin security camera DVR devices.

The researchers believe that the Lillin scanner might be used in manual mode alongside another tool that creates lists of Lilin devices, because it doesn’t check for given IPs. However, it does iterate through IP addresses it receives – just as the original BotenaGo did – to run an infection routine.

[ READ: Spring4Shell Vulnerability Exploited by Mirai Botnet ]

Lillin scanner contains a total of 11 user-password pairs that are “Base64-encoded to be used in the basic authentication needed to exploit the vulnerability that allows the Remote Code Execution (RCE),” Nozomi Networks explains.

If the malware considers the authentication attempt to be successful, it will move to exploiting a Network Time Protocol (NTP) configuration vulnerability that was identified in Lilin DVRs in 2020. The security flaw has a CVSS score of 10, but the vendor hasn’t provided a CVE identifier for it.

Advertisement. Scroll to continue reading.

After compromising the target, the malware downloads payloads targeting multiple architectures (ARM, x86, MIPS, Motorola 68000, PowerPC, SPARC, and SuperH), and attempts to execute them on the camera.

According to Nozomi Networks, all of these payload samples belong to the Mirai family and all of them were submitted to VirusTotal in early March 2022.

“It seems that this tool has been quickly built using the code base of the BotenaGo malware. It shouldn’t be confused with a worm as its main goal is to infect its victims with Mirai executables with a list of IP addresses provided as input; it can’t automatically propagate itself,” Nozomi Networks concludes.

Related: Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance

Related: Mirai-Based ‘Manga’ Botnet Targets Recent TP-Link Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights