[MART] - Daily Diary #495 - BotenaGo Code Reused

CTAS-MAT ctas-mat at appgate.com
Wed Apr 20 21:19:47 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

04/20/2022 - Diary entry #495:

Covered in our Daily Diaries #389 and #441, BotenaGo is botnet malware written in the Go language. Its source code was leaked on GitHub, and it relies on 33 vulnerabilities to target millions of routers and IoT devices. When executed, it spawns a reverse shell and telnet loaders, which act as a backdoor to receive and execute commands sent by the attackers.

As BotenaGo's code became publicly available, we were expecting new variants to arise. Now, a new variant has been spotted specifically targeting Lilin security camera DVR devices. Like the original BotenaGo, this threat has a low AV detection rate, but this one is even stealthier: its author removed all of the original exploits and implemented only a new one, responsible for attacking the Lilin DVR devices.

The vulnerability was disclosed in 2020, and a patched firmware update has been available since then. After exploiting the vulnerability, the malware downloads multiple executables for multiple architectures: ARM, Motorola 68000, MIPS, PowerPC, SPARC, SuperH, and x86. The executables belong to the Mirai malware family, a botnet covered in several of our Daily Diaries that also had its source code leaked.
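A practitioner who recovers a batch of second-stage payloads like the ones described above usually wants to sort them by target architecture before picking which one to emulate or disassemble. The following is an added example (not code from the diary, from BotenaGo or from Mirai): a minimal ELF header classifier in Go that reads the class, byte order and e_machine field of each file and maps it onto the architectures listed in the entry. The e_machine constants are the standard ELF values; the sample headers are constructed in the program for illustration and are not real malware samples.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Standard ELF e_machine values for the architectures named in the diary
// entry, plus two common 64-bit targets for completeness.
var elfMachines = map[uint16]string{
	0x02: "SPARC",
	0x03: "x86",
	0x04: "Motorola 68000",
	0x08: "MIPS",
	0x14: "PowerPC",
	0x28: "ARM",
	0x2A: "SuperH",
	0x3E: "x86-64",
	0xB7: "AArch64",
}

// ElfInfo holds what the classifier extracts from the first 20 bytes of a file.
type ElfInfo struct {
	Class  string // "ELF32" or "ELF64"
	Endian string // "LE" or "BE"
	Arch   string // human-readable e_machine name
}

// ClassifyELF inspects the ELF identification bytes and the e_machine field.
// It only needs the first 20 bytes of the file, so it is cheap to run over a
// whole directory of dropped payloads.
func ClassifyELF(b []byte) (ElfInfo, error) {
	var info ElfInfo
	if len(b) < 20 || string(b[:4]) != "\x7fELF" {
		return info, errors.New("not an ELF file")
	}
	switch b[4] { // EI_CLASS
	case 1:
		info.Class = "ELF32"
	case 2:
		info.Class = "ELF64"
	default:
		return info, errors.New("bad EI_CLASS")
	}
	var order binary.ByteOrder
	switch b[5] { // EI_DATA decides how e_machine is encoded
	case 1:
		order, info.Endian = binary.LittleEndian, "LE"
	case 2:
		order, info.Endian = binary.BigEndian, "BE"
	default:
		return info, errors.New("bad EI_DATA")
	}
	machine := order.Uint16(b[18:20]) // e_machine sits at offset 18
	name, ok := elfMachines[machine]
	if !ok {
		name = fmt.Sprintf("unknown(0x%x)", machine)
	}
	info.Arch = name
	return info, nil
}

// fakeHeader builds a constructed 20-byte ELF header (hypothetical test
// input, not a real sample) with the given class, byte order and e_machine.
func fakeHeader(class, data byte, machine uint16) []byte {
	b := make([]byte, 20)
	copy(b, "\x7fELF")
	b[4], b[5], b[6] = class, data, 1 // EI_CLASS, EI_DATA, EI_VERSION
	var order binary.ByteOrder = binary.LittleEndian
	if data == 2 {
		order = binary.BigEndian
	}
	order.PutUint16(b[16:18], 2)       // e_type = ET_EXEC
	order.PutUint16(b[18:20], machine) // e_machine
	return b
}

func main() {
	// Constructed stand-ins for the seven architectures named in the entry.
	samples := []struct {
		name string
		hdr  []byte
	}{
		{"arm", fakeHeader(1, 1, 0x28)},
		{"m68k", fakeHeader(1, 2, 0x04)},
		{"mips", fakeHeader(1, 2, 0x08)},
		{"ppc", fakeHeader(1, 2, 0x14)},
		{"sparc", fakeHeader(1, 2, 0x02)},
		{"sh4", fakeHeader(1, 1, 0x2A)},
		{"x86", fakeHeader(1, 1, 0x03)},
		{"notelf", []byte("MZ\x90\x00 constructed non-ELF bytes")},
	}
	for _, s := range samples {
		info, err := ClassifyELF(s.hdr)
		if err != nil {
			fmt.Printf("%-6s error: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-6s %s %s %s\n", s.name, info.Class, info.Endian, info.Arch)
	}
}
```

Replace the constructed headers with `os.ReadFile` over the dropped files to use this on real payloads; the byte-order switch matters because MIPS, PowerPC, SPARC and m68k droppers are typically big-endian, so reading e_machine as little-endian would misclassify them.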

Malware code reuse is a double-edged sword. It allows security teams to develop detections and protections to prevent new attacks. On the other hand, it enables other threat actors to get their hands on the malware and develop their own versions, taking advantage of the low detection rate of Go-language malware.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

