EnemyBot malware adds new exploits to target CMS servers and Android devices

Pierluigi Paganini May 30, 2022

The operators of the EnemyBot botnet added exploits for recently disclosed flaws in VMware, F5 BIG-IP, and Android systems.

Operators behind the EnemyBot botnet are expanding the list of potential targets adding exploits for recently disclosed critical vulnerabilities in from VMware, F5 BIG-IP, and Android.

The botnet was first discovered by Fortinet in March, the DDoS botnet targeted several routers and web servers by exploiting known vulnerabilities. The botnet targets multiple architectures, including arm, bsd, x64, and x86.

The researchers attribute the botnet to the cybercrime group Keksec which focuses on DDoS-based extortion. Upon installing the threat, the bot drops a file in /tmp/.pwned, containing a message that attributes itself to Keksec. The message was stored as cleartext in earlier samples, new samples were released with the message encoded with an XOR operation using a multiple-byte key.

Experts pointed out that the malware is being actively developed.

The Enemybot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet. Gafgyt is a popular choice for launching large-scale DDoS attacks, it first appeared in the threat landscape in 2014. The botnet implements multiple obfuscation techniques to avoid detection and hides C2 on the Tor network.

The Enemybot botnet employs several methods to spread and targets other IoT devices. It uses a list of hardcoded username/password combinations to login into devices in the attempt to access systems using weak or default credentials. The bot also tries to run shell commands to infect misconfigured Android devices that expose the Android Debug Bridge port (5555).

The first version of the bot exploits tens of known vulnerabilities including:

Now researchers from AT&T Alien Labs analyzed the latest variants of the EnemyBot bot and discovered that it included exploits for 24 vulnerabilities, including issues that don’t even have a CVE number.

“We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet.” states the report published by AT&T Alien Labs.

CVE NumberAffected devices
CVE-2021-44228, CVE-2021-45046Log4J RCE
CVE-2022-1388F5 BIG IP RCE
No CVE (vulnerability published on 2022-02)Adobe ColdFusion 11 RCE
CVE-2020-7961Liferay Portal – Java Unmarshalling via JSONWS RCE
No CVE (vulnerability published on 2022-04)PHP Scriptcase 9.7 RCE
CVE-2021-4039Zyxel NWA-1100-NH Command injection
No CVE (vulnerability published on 2022-04)Razar Sila – Command injection
CVE-2022-22947Spring Cloud Gateway – Code injection vulnerability
CVE-2022-22954VMWare Workspace One RCE
CVE-2021-36356, CVE-2021-35064Kramer VIAware RCE
No CVE (vulnerability published on 2022-03)WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published on 2022-02)Dbltek GoIP LFI
No CVE(vulnerability published on 2022-03)WordPress Cab Fare Calculator plugin LFI
No CVE(vulnerability published on 2022-03)Archeevo 5.0 LFI
CVE-2018-16763Fuel CMS 1.4.1 RCE
CVE-2020-5902F5 BigIP RCE
No CVE (vulnerability published on 2019)ThinkPHP 5.X RCE
No CVE (vulnerability published on 2017)Netgear DGN1000 ‘Setup.cgi’ RCE
CVE-2022-25075TOTOLink A3000RU command injection vulnerability
CVE-2015-2051D-Link devices – HNAP SOAPAction – Header command injection vulnerability
CVE-2014-9118ZHOME < S3.0.501 RCE
CVE-2017-18368Zyxel P660HN – unauthenticated command injection
CVE-2020-17456Seowon SLR 120 router RCE
CVE-2018-10823D-Link DWR command injection in various models


The new variant of the bot includes exploits for the following security issues:

AT&T researchers reported the availability of the EnemyBot source code on GitHub, this means that threat actors can modify it to create their own version of the bot.

Researchers recommend properly configuring the firewall to protect the devices exposed online, enable automatic updates, and monitor network traffic.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept).” concludes the report. “This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 


Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, EnemyBot)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment