Operators behind the EnemyBot botnet are expanding the list of potential targets adding exploits for recently disclosed critical vulnerabilities in from VMware, F5 BIG-IP, and Android.
The botnet was first discovered by Fortinet in March, the DDoS botnet targeted several routers and web servers by exploiting known vulnerabilities. The botnet targets multiple architectures, including arm, bsd, x64, and x86.
The researchers attribute the botnet to the cybercrime group Keksec which focuses on DDoS-based extortion. Upon installing the threat, the bot drops a file in /tmp/.pwned, containing a message that attributes itself to Keksec. The message was stored as cleartext in earlier samples, new samples were released with the message encoded with an XOR operation using a multiple-byte key.
Experts pointed out that the malware is being actively developed.
The Enemybot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet. Gafgyt is a popular choice for launching large-scale DDoS attacks, it first appeared in the threat landscape in 2014. The botnet implements multiple obfuscation techniques to avoid detection and hides C2 on the Tor network.
The Enemybot botnet employs several methods to spread and targets other IoT devices. It uses a list of hardcoded username/password combinations to login into devices in the attempt to access systems using weak or default credentials. The bot also tries to run shell commands to infect misconfigured Android devices that expose the Android Debug Bridge port (5555).
The first version of the bot exploits tens of known vulnerabilities including:
Now researchers from AT&T Alien Labs analyzed the latest variants of the EnemyBot bot and discovered that it included exploits for 24 vulnerabilities, including issues that don’t even have a CVE number.
“We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet.” states the report published by AT&T Alien Labs.
CVE Number | Affected devices |
CVE-2021-44228, CVE-2021-45046 | Log4J RCE |
CVE-2022-1388 | F5 BIG IP RCE |
No CVE (vulnerability published on 2022-02) | Adobe ColdFusion 11 RCE |
CVE-2020-7961 | Liferay Portal – Java Unmarshalling via JSONWS RCE |
No CVE (vulnerability published on 2022-04) | PHP Scriptcase 9.7 RCE |
CVE-2021-4039 | Zyxel NWA-1100-NH Command injection |
No CVE (vulnerability published on 2022-04) | Razar Sila – Command injection |
CVE-2022-22947 | Spring Cloud Gateway – Code injection vulnerability |
CVE-2022-22954 | VMWare Workspace One RCE |
CVE-2021-36356, CVE-2021-35064 | Kramer VIAware RCE |
No CVE (vulnerability published on 2022-03) | WordPress Video Synchro PDF plugin LFI |
No CVE (vulnerability published on 2022-02) | Dbltek GoIP LFI |
No CVE(vulnerability published on 2022-03) | WordPress Cab Fare Calculator plugin LFI |
No CVE(vulnerability published on 2022-03) | Archeevo 5.0 LFI |
CVE-2018-16763 | Fuel CMS 1.4.1 RCE |
CVE-2020-5902 | F5 BigIP RCE |
No CVE (vulnerability published on 2019) | ThinkPHP 5.X RCE |
No CVE (vulnerability published on 2017) | Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE |
CVE-2022-25075 | TOTOLink A3000RU command injection vulnerability |
CVE-2015-2051 | D-Link devices – HNAP SOAPAction – Header command injection vulnerability |
CVE-2014-9118 | ZHOME < S3.0.501 RCE |
CVE-2017-18368 | Zyxel P660HN – unauthenticated command injection |
CVE-2020-17456 | Seowon SLR 120 router RCE |
CVE-2018-10823 | D-Link DWR command injection in various models |
The new variant of the bot includes exploits for the following security issues:
AT&T researchers reported the availability of the EnemyBot source code on GitHub, this means that threat actors can modify it to create their own version of the bot.
Researchers recommend properly configuring the firewall to protect the devices exposed online, enable automatic updates, and monitor network traffic.
“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept).” concludes the report. “This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.”
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, EnemyBot)
[adrotate banner=”5″]
[adrotate banner=”13″]