EnemyBot malware adds enterprise flaws to exploit arsenal

Fast-evolving botnet targets critical VMware, F5 BIG-IP bugs, we're told


The botnet malware EnemyBot has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade gear.

What's worse, EnemyBot's core source code, minus its exploits, can be found on GitHub, so any miscreant can use the malware to start crafting their own outbreaks of this software nasty.

The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining cryptocurrency. Securonix first wrote about EnemyBot in March.

A report by Fortinet's FortiGuard Labs researchers in April found that newer strains of EnemyBot abused known bugs in routers from vendors including D-Link, NetGear, and Zyxel, and Internet of Things (IoT) devices, as well as high-profile vulnerabilities, such as Log4Shell.

Now AT&T's Alien Labs threat intelligence group reports that the botnet has added even more exploits, this time for two dozen vulnerabilities in VMware Workspace ONE Access, WordPress, and Adobe ColdFusion, plus various IoT and Android devices, and so on. These security holes are mostly used by the malware to spread from infected machine to machine.

"The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis," Ofer Caspi, a security researcher with Alien Labs, wrote in a blog post this month.

"Most of EnemyBot functionality relates to the malware's spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality."

This latest variant comes with a scanner that probes public-facing devices and web servers for any one of the aforementioned 24 vulnerabilities to exploit to commandeer equipment. Among these exploits is one for a critical remote code execution (RCE) flaw (CVE-2022-22954) from April that affects VMware's Workspace ONE Access and VMware Identity Manager.

There is also an exploit for a critical RCE flaw tracked as CVE-2022-1388 that impacts F5 Network's BIG-IP portfolio, which has been exploited in the wild by bad actors.

A number of the vulnerabilities on EnemyBot's list – such as RCEs threatening Adobe ColdFusion 11 and PHP Scriptcase 9.7 – don't have a CVE number.

Full time

The owner of the EnemyBot code repository on GitHub describes themselves as a "full time malware dev" who can be tapped up by others for contract work, according to Alien Labs. The developer says their workplace is "Kek security," which Caspi says suggests a relationship with Keksec.

The repo includes a Python script file that fetches dependencies and compiles the malware for various processor architectures, such as x86, Arm, PowerPC, and MIPS, and operating systems including Linux, FreeBSD, and macOS. Once compiled, a downloader is created that, when run on a compromised device, fetches and runs built EnemyBot executables. So, the idea would be: build the malware, generate a downloader that fetches the malware once on a compromised machine, get the bot onto a few victims' devices, and let it rip, scanning the internet for more systems to automatically infect and run itself on.

The main source code provides the core functionality of the malware minus the vulnerability exploits, and brings in code from other botnets, including Mirai, Qbot, and Zbot. Another module obfuscates the malware to help it evade detection, and another provides command-and-control (C&C) functionality to receive and run commands from whoever's controlling that botnet strain's infected devices.

The malware randomly scans IP addresses, Caspi wrote. When it finds a target, EnemyBot tries to exploit it. The software nasty's exploit code can be supplied as a payload from the C&C or built into the EnemyBot binary, it seems, though it's missing from the public source.

If an Android device is connected via USB or there is an Android emulator running on a compromised system, the malware tries to infect it. Once inside a hijacked machine, EnemyBot will automatically scan for additional vulnerable devices while also awaiting commands from its C&C. It can also attempt to use default Telnet username-and-password combinations to log into remote equipment.

"Keksec's EnemyBot appears to be just starting to spread," Caspi wrote. "However due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept)."

The ability to rapidly evolve "indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread," he wrote.

That ability was alluded to by FortiGuard researchers, who wrote that "this mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility."

Alien Labs recommends enterprises reduce the exposure of Linux servers and IoT devices to the internet, use properly configured firewalls, enable automatic updates, and monitor network traffic. ®


Other stories you might like

  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Leading Arch Linux derivative Manjaro puts out version 21.3
    A simpler, easier remix sounds like a good thing, but glitches like these shouldn't be in a point release

    Version 21.3 of Manjaro - codenamed "Ruah" - is here, with kernel 5.15, but don't let its beginner-friendly billing fool you: you will need a clue with this one.

    Manjaro Linux is one of the more popular Arch Linux derivatives, and the new version 21.3 is the latest update to version 21, released in 2021. There are three official variants, with GNOME 42.2, KDE 5.24.5 or Xfce 4.16 desktops, plus community builds with Budgie, Cinnamon, MATE, a choice of tiling window managers (i3 or Sway), plus a Docker image.

    The Reg took its latest look at Arch Linux a few months ago. Arch is one of the older rolling-release distros, and it's also famously rather minimal. The installation process isn't trivial: it's driven from the command line, and the user does a lot of the hard work, manually partitioning disks and so on.

    Continue reading
  • Old-school editor Vim hits version 9 with faster scripting language
    All of the famed user-friendliness and ease of use – and 'drastically' better performance

    Old-school editor fans, rejoice: some two and a half years after version 8.2, Vim 9 is here, and with a much faster scripting language.

    Vim 9 has only a single big new feature: a new scripting language, Vim9script. The goal is to "drastically" improve the performance of Vim scripts, while also bringing the scripting language more into line with widely used languages such as JavaScript, TypeScript, and Java.

    The existing scripting language, Vimscript, remains and will still work. Only scripts beginning with the line vim9script will be handled differently. The syntax changes are relatively modest; the important differences are in things like local versus global variables and functions, and that functions defined with :def will be compiled before they are run. This allows many errors to be caught in advance, but more significantly, compiled functions execute from 10× to 1000× faster.

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading

Biting the hand that feeds IT © 1998–2022