Skip links

EnemyBot malware adds enterprise flaws to exploit arsenal

The botnet malware EnemyBot has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade gear.

What’s worse, EnemyBot’s core source code, minus its exploits, can be found on GitHub, so any miscreant can use the malware to start crafting their own outbreaks of this software nasty.

The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining cryptocurrency. Securonix first wrote about EnemyBot in March.

A report by Fortinet’s FortiGuard Labs researchers in April found that newer strains of EnemyBot abused known bugs in routers from vendors including D-Link, NetGear, and Zyxel, and Internet of Things (IoT) devices, as well as high-profile vulnerabilities, such as Log4Shell.

Now AT&T’s Alien Labs threat intelligence group reports that the botnet has added even more exploits, this time for two dozen vulnerabilities in VMware Workspace ONE Access, WordPress, and Adobe ColdFusion, plus various IoT and Android devices, and so on. These security holes are mostly used by the malware to spread from infected machine to machine.

“The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis,” Ofer Caspi, a security researcher with Alien Labs, wrote in a blog post this month.

“Most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.”

This latest variant comes with a scanner that probes public-facing devices and web servers for any one of the aforementioned 24 vulnerabilities to exploit to commandeer equipment. Among these exploits is one for a critical remote code execution (RCE) flaw (CVE-2022-22954) from April that affects VMware’s Workspace ONE Access and VMware Identity Manager.

There is also an exploit for a critical RCE flaw tracked as CVE-2022-1388 that impacts F5 Network’s BIG-IP portfolio, which has been exploited in the wild by bad actors.

A number of the vulnerabilities on EnemyBot’s list – such as RCEs threatening Adobe ColdFusion 11 and PHP Scriptcase 9.7 – don’t have a CVE number.

Full time

The owner of the EnemyBot code repository on GitHub describes themselves as a “full time malware dev” who can be tapped up by others for contract work, according to Alien Labs. The developer says their workplace is “Kek security,” which Caspi says suggests a relationship with Keksec.

The repo includes a Python script file that fetches dependencies and compiles the malware for various processor architectures, such as x86, Arm, PowerPC, and MIPS, and operating systems including Linux, FreeBSD, and macOS. Once compiled, a downloader is created that, when run on a compromised device, fetches and runs built EnemyBot executables. So, the idea would be: build the malware, generate a downloader that fetches the malware once on a compromised machine, get the bot onto a few victims’ devices, and let it rip, scanning the internet for more systems to automatically infect and run itself on.

The main source code provides the core functionality of the malware minus the vulnerability exploits, and brings in code from other botnets, including Mirai, Qbot, and Zbot. Another module obfuscates the malware to help it evade detection, and another provides command-and-control (C&C) functionality to receive and run commands from whoever’s controlling that botnet strain’s infected devices.

The malware randomly scans IP addresses, Caspi wrote. When it finds a target, EnemyBot tries to exploit it. The software nasty’s exploit code can be supplied as a payload from the C&C or built into the EnemyBot binary, it seems, though it’s missing from the public source.

If an Android device is connected via USB or there is an Android emulator running on a compromised system, the malware tries to infect it. Once inside a hijacked machine, EnemyBot will automatically scan for additional vulnerable devices while also awaiting commands from its C&C. It can also attempt to use default Telnet username-and-password combinations to log into remote equipment.

“Keksec’s EnemyBot appears to be just starting to spread,” Caspi wrote. “However due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept).”

The ability to rapidly evolve “indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” he wrote.

That ability was alluded to by FortiGuard researchers, who wrote that “this mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility.”

Alien Labs recommends enterprises reduce the exposure of Linux servers and IoT devices to the internet, use properly configured firewalls, enable automatic updates, and monitor network traffic. ®