EnemyBot malware adds new exploits to target CMS servers and Android devices

The operators of the EnemyBot botnet added exploits for recently disclosed flaws in VMware, F5 BIG-IP, and Android systems.

Operators behind the EnemyBot botnet are expanding the list of potential targets adding exploits for recently disclosed critical vulnerabilities in from VMware, F5 BIG-IP, and Android.

The botnet was first discovered by Fortinet in March, the DDoS botnet targeted several routers and web servers by exploiting known vulnerabilities. The botnet targets multiple architectures, including arm, bsd, x64, and x86.

The researchers attribute the botnet to the cybercrime group Keksec which focuses on DDoS-based extortion. Upon installing the threat, the bot drops a file in /tmp/.pwned, containing a message that attributes itself to Keksec. The message was stored as cleartext in earlier samples, new samples were released with the message encoded with an XOR operation using a multiple-byte key.

Experts pointed out that the malware is being actively developed.

The Enemybot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet. Gafgyt is a popular choice for launching large-scale DDoS attacks, it first appeared in the threat landscape in 2014. The botnet implements multiple obfuscation techniques to avoid detection and hides C2 on the Tor network.

The Enemybot botnet employs several methods to spread and targets other IoT devices. It uses a list of hardcoded username/password combinations to login into devices in the attempt to access systems using weak or default credentials. The bot also tries to run shell commands to infect misconfigured Android devices that expose the Android Debug Bridge port (5555).

The first version of the bot exploits tens of known vulnerabilities including:

• CVE-2020-17456 vulnerability affecting SEOWON INTECH SLC-130 and SLR-120S routers;
• CVE-2018-10823 flaw an older D-Link routers (DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01).
• CVE-2022-27226 affecting iRZ mobile routers;
• CVE-2022-25075 to 25084: Targets TOTOLINK routers, previously exploited by the Beastmode botnet
• CVE-2021-44228/2021-45046: Better known as Log4j, more details are available on our Fortinet PSIRT blog
• CVE-2021-41773/CVE-2021-42013: Targets Apache HTTP servers
• CVE-2018-20062: Targets ThinkPHP CMS
• CVE-2017-18368: Targets Zyxel P660HN routers
• CVE-2016-6277: Targets NETGEAR routers
• CVE-2015-2051: Targets D-Link routers
• CVE-2014-9118: Targets Zhone routers
• NETGEAR DGN1000 exploit (No CVE assigned): Targets NETGEAR routers

Now researchers from AT&T Alien Labs analyzed the latest variants of the EnemyBot bot and discovered that it included exploits for 24 vulnerabilities, including issues that don’t even have a CVE number.

“We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet.” states the report published by AT&T Alien Labs.

The new variant of the bot includes exploits for the following security issues:

• CVE-2022-22954: Critical RCE flaw in VMware Workspace ONE Access and VMware Identity Manager.
• CVE-2022-22947: RCE flaw in Spring.
• CVE-2022-1388: Critical RCE flaw in F5 BIG-IP.

AT&T researchers reported the availability of the EnemyBot source code on GitHub, this means that threat actors can modify it to create their own version of the bot.

Researchers recommend properly configuring the firewall to protect the devices exposed online, enable automatic updates, and monitor network traffic.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept).” concludes the report. “This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, EnemyBot)

[adrotate banner=”5″]

[adrotate banner=”13″]