EnemyBot Malware Targets Web Servers

Uploaded on 2022-07-01 in FREE TO VIEW

An Internet of Things, botnet malware EnemyBot, has added exploits to its capability, allowing it to infect and spread from enterprise-grade equipment. EnemyBot's core source code can be found on GitHub and that means that any competent cyber criminal can use the malware to start crafting their own attacks

Cyber security researchers at Alien Labs have now released a warning about the EnemyBot malware, which  uses code from botnets including as Mirai, Qbot, and Zbot. The rapidly evolving tool functions as IoT malware and targets content management systems (CMS) web servers and Android devices.

The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining crypto-currency.

Keksec is using the fast-evolving Enemybot to target routers from vendors like Seowon Intech and D-Link and is exploiting a remote code execution (RCE) vulnerability discovered recently in iRZ mobile routers.

Alien Labs released a post regarding the bot, stating that is has targeted popular services such as VMware Workspace, Adobe ColdFusion, WordPress, PHP Scriptcase and others. The post says that the Keksec group distributes the malware by specifically targeting IoT devices and Linux machines. The EnemyBot is not the only botnet in Keksec’s arsenal, as the group dates back to 2016 and has deployed many similar tools.

Keksec is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

  • The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.
  • The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.
  • The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.
  • The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

The Alien Lab research team has reported that there are four main sections of the malware, including the main source code and functionality of the malware as well as a python script used to download dependencies and compile the malware into different architectures. 

Alien Labs recommends that users deploy a strong and properly configured firewall and reduce Linux and IoT devices’ exposure to the Internet.

Alien Labs:      Threatpost:       Oodaloop:     The Register:    Dark Reading:   The Hacker News

You Might Also Read: 

A New IoT Botnet Storm Is Coming:

 

 

« Global Cyber Security Insurance Market Will Grow To $61.2B
US Military Hackers At Work Supporting Ukraine »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Micro Systemation AB (MSAB)

Micro Systemation AB (MSAB)

MSAB is a leader in the provision of forensically secure tools for the extraction and analysis of data from mobile devices.

ProPay

ProPay

ProPay provides secure payment solutions for organizations ranging from small businesses to large enterprises requiring complex payment solutions.

Global Station for Big Data & Cybersecurity (GSB)

Global Station for Big Data & Cybersecurity (GSB)

GSB is an interdisciplinary research hub to cover big data, information networks, and cybersecurity.

Industrial Cyber-Physical Systems Center (iCyPhy)

Industrial Cyber-Physical Systems Center (iCyPhy)

The goal of iCyPhy is to conduct pre-competitive research on architectures and design, modeling, and analysis techniques for cyber-physical systems.

Sage Designs

Sage Designs

Sage Designs is a provider of SCADA, Security & Industrial Automation products and training programs.

Johnson Controls International

Johnson Controls International

Johnson Controls is a global diversified technology company with a focus on smart cities, energy, infrastructure and transportation including the security of automation and control systems.

CyberStream

CyberStream

CyberStream, a division of the TechStream Group, is an information & cybersecurity talent acquisition solution provider.

HumanFirewall

HumanFirewall

HumanFirewall makes it possible for every individual to take part in securing their organisation. With HumanFirewall, achieving security has never been easier.

RCMP National Cybercrime Coordination Unit (NC3)

RCMP National Cybercrime Coordination Unit (NC3)

As set out in the Government of Canada's National Cyber Security Strategy, the RCMP has established the National Cybercrime Coordination Unit (NC3).

BAI Security

BAI Security

BAI Security is a Nationally Recognized Leader in IT Security. Keeping your data safe and your business compliant is our singular focus.

Information Systems Security Association (ISSA)

Information Systems Security Association (ISSA)

ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure.

Filigran

Filigran

Filigran provides threat intelligence, adversary simulation and crisis response open solutions to thousands of cybersecurity and crisis management teams across the world.

Securitybricks

Securitybricks

Securitybricks specialize in cloud security and compliance. Our mission is to automate regulatory compliance backed by human validation.

Southern Cyber

Southern Cyber

At Southern Cyber, our mission is to deliver world-class information security solutions that align businesses with leading security frameworks and compliance standards.

Maximus

Maximus

Maximus is a trusted service delivery partner and architect of government technology solutions, we empower communities by ensuring seamless and equitable access to government services.

Tototheo Global

Tototheo Global

Tototheo Global harness the power of connectivity and technology to bridge technological divides, driving progress, security, and sustainability for a seamlessly connected world.