Securonix researchers first discovered EnemyBot, a strain of malware targeting the internet of things (IoT), in March 2022. They and other researchers believe it is spread by the Keksec threat group – also known as Kek Security, Necro and FreakOut – and is linked to several other botnets such as Simps and Samael.
Keksec has a history of attacking cloud infrastructure for cryptomining and DDoS attacks, and researchers have warned that EnemyBot itself is designed to carry out DDoS attacks.
However, a new analysis by AT&T Alien Labs notes that EnemyBot is now expanding its reach by quickly adding exploits for recently disclosed critical flaws in web servers, Android devices and content management systems.
The latest versions of EnemyBot contain exploits for 24 security vulnerabilities in various products.
Most of these vulnerabilities are critical, but some have no CVE number assigned, which makes it harder for defenders to track them and apply protections.
AT&T Alien Labs has discovered exploits for the following security vulnerabilities in a new version:
- CVE-2022-22954: Remote code execution (RCE) flaw in VMware Workspace ONE Access and VMware Identity Manager. A proof-of-concept (PoC) exploit was released last month.
- CVE-2022-1388: RCE flaw in F5 BIG-IP that exposes vulnerable endpoints to device takeover. In May 2022, the first PoCs appeared in the wild and intensive exploitation began almost immediately.
- CVE-2022-22947: RCE flaw in Spring, patched in March 2022 and heavily targeted in April 2022.
Researchers said all commands from the previous version of EnemyBot are still available, giving operators a wide range of options when it comes to DDoS attacks.
In addition, the main source code for EnemyBot has been shared on GitHub by someone suspected of being associated with Keksec, making it accessible to anyone who wants to use the malware.
The EnemyBot code is mostly derived from Gafgyt's source code, according to Fortinet FortiGuard Labs, although it also borrows many modules from Mirai's original source code.
Mirai is a notorious IoT and router malware that has spread in various forms over the past five years. It is responsible for some of the biggest DDoS attacks ever seen.
Route of attack
When a device is infected with EnemyBot, the malware connects to its C2 server and waits for commands to execute, says FortiGuard.
Although most of the supported commands relate to DDoS attacks, the malware is not limited to them.
EnemyBot can target a variety of architectures, including the ubiquitous x86, x64, i686, arm, arm64, darwin and bsd, as well as the rarer and obsolete ppc, m68k and spc.
Such broad architecture support is crucial to the malware's ability to spread: it can identify the architecture of the target host and fetch the matching binary from the C2 server.
Here are some recommendations to protect against this type of threat:
• Enable automatic updates to ensure that your software is up to date with security patches
• Monitor network activity, outbound scanning, and bandwidth overuse
• Use a properly configured firewall and keep minimal exposure of Linux servers and IoT devices on the Internet
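One way to act on the "monitor outbound scanning" recommendation, added here as an example that is not from the article or from any of the vendor reports it cites: it parses a constructed connection log and flags sources that reach many distinct destinations on a single port within a short window, the pattern a self-spreading bot produces while hunting for new hosts. The log format, the sample lines and the thresholds are assumptions.

```python
"""Flag hosts whose outbound connections look like worm-style scanning.

Assumed log format (one connection per line): "<epoch> <src_ip> <dst_ip> <dst_port>".
Sample data below is constructed; thresholds are illustrative, not vendor guidance.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 talks to one server repeatedly (normal),
# 10.0.0.9 sweeps six hosts on port 23 in three seconds (scanner),
# 10.0.0.7 touches three web servers (below threshold).
SAMPLE_LOG = """\
1000 10.0.0.5 93.184.216.34 443
1001 10.0.0.5 93.184.216.34 443
1002 10.0.0.9 203.0.113.1 23
1002 10.0.0.9 203.0.113.2 23
1003 10.0.0.9 203.0.113.3 23
1003 10.0.0.9 203.0.113.4 23
1004 10.0.0.9 203.0.113.5 23
1004 10.0.0.9 203.0.113.6 23
1005 10.0.0.7 198.51.100.1 80
1006 10.0.0.7 198.51.100.2 80
1007 10.0.0.7 198.51.100.3 80
"""

def parse(log):
    """Turn log text into (timestamp, src, dst, port) tuples, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return events

def find_scanners(events, window=60, min_distinct=5):
    """Return {src: (port, distinct_dst_count)} for every source that contacted
    at least `min_distinct` distinct destinations on one port within `window` s."""
    by_src_port = defaultdict(list)          # (src, port) -> [(ts, dst), ...]
    for ts, src, dst, port in events:
        by_src_port[(src, port)].append((ts, dst))
    hits = {}
    for (src, port), conns in by_src_port.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):  # sliding window from each event
            seen = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                hits[src] = (port, len(seen))
                break
    return hits

if __name__ == "__main__":
    for src, (port, n) in find_scanners(parse(SAMPLE_LOG)).items():
        print(f"possible scanner {src}: {n} distinct hosts on port {port}")
```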
Earlier this month, the Microsoft 365 Defender research team warned that it had observed a 254% increase in activity by the stealthy Linux XorDdos malware over the past six months.
The rise in activity reflects a broader trend of malware increasingly targeting Linux-based operating systems, which are widely used in cloud infrastructure and IoT devices.