New BotenaGo Malware Variant Executes Stealth Attacks Against DVR Devices

Researchers have detected a new variant of the BotenaGo malware attacking DVR devices. This malware previously caught attention when it targeted IoT devices. Now, it seems the malware has improved to target DVR systems while escaping detection.

BotenaGo Variant Targeting DVR Devices Discovered

Researchers from the Nozomi Networks Labs have found a new BotenaGo malware variant in the wild.

BotenaGo is a Golang-based malware that came into the limelight in 2021 due to its sneaky behavior and stealth attacks. At that time, the malware threatened IoT devices’ security by exploiting known exploits.

And now, it seems the malware authors have improvised BotenaGo to execute more sneaky attacks. According to the researchers, the new BotenaGo variant specifically targets Lilin security camera DVR devices (hence named “Lilin scanner.”)

This variant has succeeded in staying under the radar as it has a small malicious code. Furthermore, its authors have stripped the significant number of exploits in the original BotenaGo to only focus on a specific exploit.

In the recent campaign, the malware variant scans the target device for a known Lilin vulnerability that caught attention in 2020. The researchers, at that time, detected it as a zero-day flaw under active attack to spread botnets.

While Lilin patched the vulnerability right then, the usual problem of not giving attention to patching devices has triggered this attack.

The BotenaGo variant scans the devices against a list of IP addresses of exploitable devices.

The scanner will send particularly crafted HTTP POST requests to the URL paths /dvr/cmd and /cn/cmd in order to exploit a command injection vulnerability in the web interface.

It then executes arbitrary codes on the target device, usually involving Mirai malware samples.

The researchers have shared the technical details of the attack in their post.

As for users, this attack again highlights the importance of updating devices regularly to avoid potential exploits.

Let us know your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil