Enemybot botnet uses Gafgyt source code with a sprinkling of Mirai

Keksec malware used for DDoS attacks, may spread to cryptomining, Fortinet says


A prolific threat group known for deploying distributed denial-of-service (DDoS) and cryptomining attacks is running a new botnet that is built using the Linux-based Gafgyt source code along with some code from the Mirai botnet malware.

The group Keksec (also known as Nero and Freakout) is using the fast-evolving Enemybot to target routers from vendors like Seowon Intech and D-Link and is exploiting a remote code execution (RCE) vulnerability (CVE-2022-27226) discovered last month in iRZ mobile routers, according to a report this week by Fortinet's FortiGuard Labs team.

Keksec is using the Enemybot malware as a classic botnet, rolling up compromised Internet of Things (IoT) devices into a larger botnet that can be used to launch DDoS attacks.

However, FortiGuard researchers wrote that the bad actors may be considering extending the use of Enemybot into areas beyond DDoS attacks, noting that different samples of the code were detected adding and removing exploits, leveraging the high-profile Log4j flaw and targeting a range of routers as well as Apache HTTP servers.

Enemybot, like most botnets, is built for multiple architectures to improve its chances of infecting devices, and along with IoT devices this malware also targets desktop and server platforms and architectures such as BSD, macOS, Arm and x86.

"This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks," the researchers wrote. "Based on their previous botnet operations, using them for cryptomining is a big possibility."

Keksec is also using a range of obfuscation methods to make it more difficult for the malware to be analyzed and to hide it from other botnets. In addition, it connects to a command-and-control (C2) server hidden in the Tor network, which increases its anonymity and makes it harder to take it down, they wrote.

Once a device is compromised, Enemybot drops a file in /tmp/.pwned that contains a message pointing to Keksec as the attacker. In initial samples, the message was stored as cleartext, though a new sample released soon after included the message encoded with an XOR operation using a multi-byte key, which the FortiGuard team said indicates that the malware is still being actively developed.

Newer samples showed the malware reverting to cleartext for the message, which may indicate that multiple developers with different programming tendencies are working on different versions of the codebase.

Enemybot is based mainly on Gafgyt – also known as Bashlite – a DDoS botnet whose source code was leaked in 2015. Keksec has developed other botnets using the Gafgyt code. However, some of the Enemybot modules – such as its scanner module – also include code from Mirai, a notorious botnet that also targets IoT devices.

Another module that shares code with Mirai is the bot killer module, which searches for running processes started from particular file paths or with specific keywords in their process memory and then terminates those processes. According to the FortiGuard researchers, Enemybot includes more than 60 keywords to identify and kill off competing malware running on the same devices.

Reports of the Gafgyt malware family incorporating Mirai code surfaced last year. In addition, the malware has several similarities to Gafgyt_tor, which leads the researchers to believe that Enemybot is likely an updated and rebranded variant of Gafgyt_tor.

"In terms of spreading, Enemybot uses several methods that have also been observed in other IoT botnet campaigns," they wrote. "One way is using a list of hardcoded username/password combinations to login into devices configured with weak or default credentials. This is another module that was copied from Mirai's source code. This malware also tries to run shell commands to infect misconfigured Android devices that expose Android Debug Bridge port."

That includes targeting devices with specific vulnerabilities, including flaws in Seowon Intech SLC-130 and SLR-120s routers, a vulnerability in older D-Link routers and a more recent flaw – tracked as CVE-2022-27226 – on iRZ mobile routers that Enemybot exploited soon after it was published in March.

"After a successful exploit, a shell command is executed to download another shell script from a URL," the researchers wrote. "In most cases, particularly in Mirai-based botnets, this URL is hardcoded. In the case of Enemybot, however, this URL is dynamically updated by the C2 server via the command LDSERVER. The clear advantage of this method is that when the download server is down for whatever reason, the botnet operators can just update the bot clients with a new URL."

Once installed on a targeted device, the malware connects to the C2 server and awaits instructions, which can include performing various attacks, spreading to other devices, stopping ongoing DDoS attacks and running shell commands.

Enemybot also obfuscates code strings in a number of ways to make detection and analysis more difficult. The obfuscation techniques include Mirai-style encoding for the credentials used in SSH brute-forcing and for the bot-killer keywords, commands encrypted with a substitution cipher – swapping one character for another – and encoded strings that simply add three to the numeric value of each character.

In addition, the C2 domain uses XOR encoding with a multi-byte key.
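As an added illustration (not code from the FortiGuard report or from the malware itself), the Python helpers below undo the two simple encodings just described, the add-three shift and the repeating multi-byte XOR, the way an analyst would when triaging a captured sample: a known-plaintext crib such as the LDSERVER command name or the .onion suffix of a Tor-hosted C2 domain is enough to recover the shift or the key. The sample command, the key and the domain are all constructed for the example.

```python
from itertools import cycle


def shift_decode(data, shift=3):
    """Reverse the 'add three to each character' encoding (byte-wise, mod 256)."""
    return bytes((b - shift) % 256 for b in data)


def shift_encode(data, shift=3):
    """Forward direction of the same encoding, used here to build test input."""
    return bytes((b + shift) % 256 for b in data)


def xor_with_key(data, key):
    """XOR with a repeating multi-byte key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(data, crib, key_len, offset=0):
    """Known-plaintext key recovery: a crib known to sit at `offset` in the
    plaintext yields key bytes for the positions it covers. The crib must be
    long enough to touch every key position, otherwise recovery is refused."""
    key = [None] * key_len
    for i, c in enumerate(crib):
        key[(offset + i) % key_len] = data[offset + i] ^ c
    if any(k is None for k in key):
        raise ValueError("crib too short to cover every key byte")
    return bytes(key)


def find_shift(data, crib, max_shift=255):
    """Brute-force the per-character shift: first shift whose output contains the crib."""
    for s in range(1, max_shift + 1):
        if crib in shift_decode(data, s):
            return s
    return None


def decode_sample():
    """Worked run on constructed data; returns (shift, recovered_key, domain)."""
    # Constructed inputs, not values taken from a real Enemybot sample.
    enc_cmd = shift_encode(b"LDSERVER http://example.invalid/update.sh")
    key = b"\x13\x37\x42"                       # hypothetical multi-byte key
    enc_domain = xor_with_key(b"c2placeholderaddress.onion", key)
    shift = find_shift(enc_cmd, b"LDSERVER")    # the C2 command name is the crib
    crib = b".onion"                            # natural crib for a Tor C2 domain
    recovered = recover_xor_key(enc_domain, crib, len(key), len(enc_domain) - len(crib))
    return shift, recovered, xor_with_key(enc_domain, recovered)
```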

"While these obfuscation techniques are simplistic, they are sufficient to hide tell-tale indicators of its presence from casual analysis and other botnets," they wrote. "Most IoT botnets, including Enemybot, are known for searching for such indicators to terminate other botnets running on the same device." ®

Biting the hand that feeds IT © 1998–2022