A new variant of the Linux-based botnet "Enemybot" has recently appeared, and it has expanded its target list to include security vulnerabilities in web servers, Android devices and content management systems (CMS).

"The malware (Enemybot) is rapidly incorporating 1-day exploits as part of its attack capabilities," AT&T Alien Labs said in a technical report released last week. "Services like VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase, and IoT and Android devices will all be targeted."

There are reports that Enemybot was first disclosed by Securonix and later by Fortinet as early as March this year. Enemybot is associated with a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with earlier attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot: a new variant of the botnet

A botnet is a one-to-many network, controlled by an attacker, that forms between the controller and a large number of hosts infected with a bot program through one or more means of propagation. "The attacker spreads the bot program to infect a large number of hosts on the Internet through various means, and the infected hosts receive the attacker's instructions through a control channel, forming a botnet."

It is understood that Enemybot, which can perform DDoS attacks, is a new variant of the botnet and originates from several other botnets (such as Mirai, Qbot, Zbot, Gafgyt, and LolFMe).

Analysis of this latest variant shows that Enemybot is assembled from four parts, drawing on the botnets listed above:

  • A Python module to download dependencies and compile malware for different OS architectures
  • The core of the botnet
  • Obfuscated segment designed to encode and decode malware strings
  • Command and control functions for receiving attack commands and acquiring additional payloads

The researchers noted that if an Android device is connected via USB, or an Android emulator is running on the machine, EnemyBot tries to "infect" it by executing a shell command (the "adb_infect" function). adb refers to the Android Debug Bridge, a command-line utility for communicating with Android devices.

In addition, EnemyBot has integrated a new scanning feature designed to probe random IP addresses associated with public-facing assets for potential security flaws, including new vulnerabilities that emerge within days of public disclosure.

For example, in addition to the Log4Shell vulnerability exposed in December 2021, this also includes recently patched bugs in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388), as well as bugs in WordPress plugins such as Video Synchro PDF.

Other security flaws are as follows:

  • CVE-2022-22947 (CVSS Score: 10.0) - Code Injection Vulnerability in Spring Cloud Gateway
  • CVE-2021-4039 (CVSS Score: 9.8) - Command Injection Vulnerability in Zyxel's Web Interface
  • CVE-2022-25075 (CVSS Score: 9.8) - Command Injection Vulnerability in TOTOLink A3000RU Wireless Router
  • CVE-2021-36356 (CVSS Score: 9.8) - Remote Code Execution Vulnerability in KRAMER VIAware
  • CVE-2021-35064 (CVSS Score: 9.8) - Privilege Escalation and Command Execution Vulnerability in Kramer VIAWare
  • CVE-2020-7961 (CVSS Score: 9.8) - Remote Code Execution Vulnerability in Liferay Portal

Currently, the source code of the botnet "EnemyBot" has been shared on GitHub, making it widely available to other threat actors.

"I am not responsible for any damages caused by this program," reads the GitHub readme for the project. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, but thanks to the author's quick updates, this botnet has the potential to become a major threat to IoT devices and web servers," the researchers said.

"This suggests that the Keksec group, which developed the malware to exploit the vulnerability before it was patched, was well resourced, increasing the speed and scale of its spread."

According to reports, EnemyBot is a new member of the Keksec botnet family, also derived from Gafgyt. Its malicious programs reuse a large amount of code from other members of the Keksec botnet family (including LOLFME, Gafgyt, Gafgyt_Tor, Necro, etc.).

Because EnemyBot is built from multiple malware code bases and expands its reach by rapidly adding exploits, its latest variant now carries 24 exploits targeting different devices and web servers.

Reference link: https://thehackernews.com/2022/05/enemybot-linux-botnet-now-exploits-web.html


MissD