A new distributed denial-of-service botnet has been detected in the wild.
Update. According to new research released by AT&T, EnemyBot is now quickly adopting “one-day vulnerabilities as part of its exploitation capabilities.” Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress and PHP Scriptcase, as well as IoT and Android devices, are also being targeted in these new campaigns. More specifically, the latest variant includes a webscan function that contains 24 exploits for vulnerabilities in the aforementioned devices and web servers.
Dubbed EnemyBot and disclosed by FortiGuard Labs researchers, the botnet has a critical impact on specific devices, including Seowon Intech and D-Link routers, and it also exploits a recently reported iRZ router vulnerability to infect more devices. Researchers say it is derived from Gafgyt’s source code and has borrowed several modules from Mirai’s original source code. EnemyBot has been attributed to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
EnemyBot Technical Details
Like most botnets, this one infects multiple architectures to increase its chances of compromising more devices. In addition to IoT devices, EnemyBot also targets desktop and server architectures such as BSD, including Darwin (macOS), and x64, the FortiGuard report said.
Here’s a list of the architectures the botnet targets:
EnemyBot obfuscates its strings in several ways:
The C2 domain uses XOR encoding with a multi-byte key
Credentials for SSH brute-forcing and bot-killer keywords use Mirai-style encoding, i.e., single-byte XOR encoding with 0x22
Commands are encrypted with a substitution cipher, i.e., swapping one character for another
Some strings are encoded by simply adding three to the numeric value of each character
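To show what these four schemes look like to an analyst pulling indicators out of a sample, here is an added example (not code from the FortiGuard or AT&T reports, nor from the malware itself) with a decoder for each encoding and a small "try everything, keep what looks like text" helper. The sample byte strings, the substitution table and the multi-byte key are constructed for illustration; the report does not publish the real keys.

```python
import string

MIRAI_KEY = 0x22  # single-byte XOR key the report attributes to the Mirai-style strings
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_single(data: bytes, key: int = MIRAI_KEY) -> bytes:
    """Mirai-style encoding: XOR every byte with one key byte (self-inverse)."""
    return bytes(b ^ key for b in data)


def xor_multi(data: bytes, key: bytes) -> bytes:
    """Multi-byte XOR as described for the C2 domain: the key repeats cyclically."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shift_decode(data: bytes, shift: int = 3) -> bytes:
    """Undo the 'add three to each character' scheme, wrapping within a byte."""
    return bytes((b - shift) & 0xFF for b in data)


def substitution_decode(data: bytes, table: bytes) -> bytes:
    """Undo a byte-for-byte substitution given the forward table (plain -> cipher)."""
    if len(table) != 256 or len(set(table)) != 256:
        raise ValueError("table must be a 256-byte permutation")
    inverse = bytearray(256)
    for plain, cipher in enumerate(table):
        inverse[cipher] = plain
    return bytes(inverse[b] for b in data)


def looks_like_text(data: bytes) -> bool:
    """Cheap plausibility check: non-empty and every byte is printable ASCII."""
    return bool(data) and all(b in PRINTABLE for b in data)


def try_all(blob: bytes, multi_keys=()) -> dict:
    """Run each decoder over a blob; keep only results that decode to printable text."""
    candidates = {"xor_0x22": xor_single(blob), "shift_minus3": shift_decode(blob)}
    for key in multi_keys:  # assumed keys, e.g. recovered from the binary's decode routine
        candidates[f"xor_multi_{key.hex()}"] = xor_multi(blob, key)
    return {name: out.decode("ascii") for name, out in candidates.items() if looks_like_text(out)}


if __name__ == "__main__":
    # Constructed samples: "root" XOR 0x22 and "/bin/busybox" with +3 applied to each byte.
    for name, text in try_all(b"PMMV").items():
        print(name, text)
    print(shift_decode(b"2elq2exv|er{"))
```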
Even though these techniques are simple, they are effective enough to hide indicators of the malware’s presence from analysis. In fact, most IoT and DDoS botnets are designed to look for such indicators so they can terminate competing botnets running on the same device.
EnemyBot leverages several distribution techniques that are also typical of similar botnets, such as using a list of hardcoded username and password combinations to log in to devices. These devices are usually weakly configured or use default credentials. Mirai used the same technique.
To infect misconfigured Android devices with an exposed Android Debug Bridge port (5555), the malware attempts to run shell commands. The botnet also uses security vulnerabilities to target specific devices, such as those in SEOWON INTECH SLC-130 and SLR-120S routers and CVE-2018-10823 in D-Link routers.
Earlier this month, we wrote about another botnet disclosed by FortiGuard, which was considered another variant of Mirai. Called Beastmode, the botnet was exploiting a list of specific vulnerabilities in TOTOLINK routers.
These critical vulnerabilities are relatively new, disclosed between February and March 2022. The affected platform is Linux. By exploiting the vulnerabilities, remote attackers could gain control over the exposed systems.