Cyber Crime

Enemybot, a new DDoS botnet appears in the threat landscape

Enemybot is a DDoS botnet that targeted several routers and web servers by exploiting known vulnerabilities.

Researchers from Fortinet discovered a new DDoS botnet, tracked as Enemybot, that has targeted several routers and web servers by exploiting known vulnerabilities. The botnet targets multiple architectures, including arm, bsd, x64, and x86.

The researchers attribute the botnet to the cybercrime group Keksec which focuses on DDoS-based extortion.

Upon installing the threat, the bot drops a file in /tmp/.pwned, containing a message that attributes itself to Keksec. The message was stored as cleartext in earlier samples, new samples were released with the message encoded with an XOR operation using a multiple-byte key.

Experts pointed out that the malware is being actively developed.

The Enemybot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet. Gafgyt is a popular choice for launching large-scale DDoS attacks, it first appeared in the threat landscape in 2014.

“It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.” reads the analysis published by Fortinet. “Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.”

The botnet implements multiple obfuscation techniques to avoid detection and hides C2 on the Tor network.

The Enemybot botnet employs several methods to spread and targets other IoT devices. It uses a list of hardcoded username/password combinations to login into devices in the attempt to access systems using weak or default credentials. The bot also tries to run shell commands to infect misconfigured Android devices that expose Android Debug Bridge port (5555).

The malware exploits tens of known vulnerabilities including:

Once exploited one of the above flaws, the bot runs a shell command to download a shell script from a URL that is dynamically updated by the C2 using the command LDSERVER. Then the script downloads the actual Enemybot binary which is compiled for the target device’s architecture.

In case the download server is down, the botnet operators can update the bot clients with a new URL.

Once the bot has been installed on a device, it connects to its C2 server and waits for further commands

Below is the list of supported commands:

“Based on the analysis of FortiGuard Labs, Enemybot is Keksec’s latest tool for performing DDoS attacks.” Fortinet notes. “To protect itself, it uses simple obfuscation techniques on its strings as well as hosting its C2 server in the Tor network, taking advantage of the network’s anonymity. It uses several techniques commonly found in other DDoS botnet malware to infect other devices.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Enemybot)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds a Samsung MagicINFO 9 Server flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Samsung MagicINFO 9 Server vulnerability to its…

36 minutes ago

New Signal update stops Windows from capturing user chats

Signal implements new screen security on Windows 11, blocking screenshots by default to protect user…

8 hours ago

Law enforcement dismantled the infrastructure behind Lumma Stealer MaaS

Microsoft found 394,000 Windows systems talking to Lumma stealer controllers, a victim pool that included…

13 hours ago

Russia-linked APT28 targets western logistics entities and technology firms

CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing…

16 hours ago

A cyberattack was responsible for the week-long outage affecting Cellcom wireless network

Cellcom, a regional wireless carrier based in Wisconsin (US), announced that a cyberattack is the…

1 day ago

Coinbase data breach impacted 69,461 individuals

Cryptocurrency exchange Coinbase announced that the recent data breach exposed data belonging to 69,461 individuals.…

1 day ago