EnemyBot Malware Targets Web Servers

EnemyBot, an Internet of Things (IoT) botnet malware, has added exploits to its capabilities, allowing it to infect and spread from enterprise-grade equipment. EnemyBot's core source code can be found on GitHub, which means that any competent cyber criminal can use the malware as a base for crafting their own attacks.

Cyber security researchers at Alien Labs have now released a warning about the EnemyBot malware, which uses code from botnets including Mirai, Qbot, and Zbot. The rapidly evolving tool functions as IoT malware and targets content management system (CMS) web servers and Android devices.

The group behind EnemyBot is Keksec, a collection of experienced developers also known as Nero and Freakout, which has been active since 2016 and has launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining crypto-currency.

Keksec is using the fast-evolving EnemyBot to target routers from vendors such as Seowon Intech and D-Link, and is exploiting a recently discovered remote code execution (RCE) vulnerability in iRZ mobile routers.

Alien Labs released a post regarding the bot, stating that it has targeted popular services such as VMware Workspace, Adobe ColdFusion, WordPress, PHP Scriptcase and others. The post says that the Keksec group distributes the malware by specifically targeting IoT devices and Linux machines. EnemyBot is not the only botnet in Keksec's arsenal: the group dates back to 2016 and has deployed many similar tools.

Keksec is using a mix of recent, so-called "one-day" bugs as well as older known issues, looking to take advantage of lags in patching.

The Alien Labs research team reports that the malware is made up of four main sections, including the main source code and functionality of the malware as well as a Python script used to download dependencies and compile the malware for different architectures:

  • The first section is a Python script, 'cc7.py', used to download all dependencies and compile the malware for different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a script, "update.sh", is created and used to spread the malware to vulnerable targets.
  • The second section is the main botnet source code, which holds the remaining functionality of the malware and incorporates source code from the various botnets it combines to perform attacks.
  • The third module is the obfuscation segment, "hide.c", which is compiled and executed manually to encode/decode the malware's strings. A simple swap table is used to hide the strings, and "each char is replaced with a corresponding char in the table", according to the researchers.
  • The last segment is a command-and-control (CC) component used to receive commands and payloads from the attackers.

Alien Labs recommends that users deploy a strong and properly configured firewall and reduce Linux and IoT devices’ exposure to the Internet.

Sources: Alien Labs, Threatpost, Oodaloop, The Register, Dark Reading, The Hacker News
