The EnemyBot malware botnet has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade equipment.
Worse still, EnemyBot’s main source code, minus its exploits, can be found on GitHub, so any malefactor can use the malware to start creating their own outbreaks of this nasty piece of software.
The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, who have been around since 2016 and have released a number of Linux- and Windows-based bots capable of initiating Distributed Denial of Service (DDoS) attacks and possibly cryptocurrency mining. Securonix first wrote about EnemyBot in March.
A report by Fortinet’s FortiGuard Labs researchers in April found that new strains of EnemyBot abused known bugs in routers from vendors such as D-Link, NetGear, and Zyxel, and Internet of Things (IoT) devices, as well as high-profile vulnerabilities, such as Log4Shell.
Now, AT&T’s Alien Labs threat intelligence group reports that the botnet has added even more exploits, this time for two dozen vulnerabilities in VMware Workspace ONE Access, WordPress, and Adobe ColdFusion, as well as various IoT devices and Android. The malware uses these security vulnerabilities mainly to spread from one infected machine to another.
“The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new features to its malware arsenal on a daily basis,” wrote Alien Labs security researcher Ofer Caspi in a blog post.
“Most of EnemyBot’s features relate to the malware’s spreading capabilities, as well as its ability to scan public assets and search for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and run new code (modules) of its operators that give the malware more functionality.”
This latest variant comes with a scanner that probes public-facing devices and web servers for any of the aforementioned 24 vulnerabilities, which it then exploits to commandeer the equipment. Among these exploits is one for a critical remote code execution (RCE) flaw (CVE-2022-22954) from April that affects VMware’s Workspace ONE Access and VMware Identity Manager.
There is also an exploit for a critical RCE flaw identified as CVE-2022-1388 affecting F5 Networks’ BIG-IP, which has been exploited in the wild by bad actors.
A number of vulnerabilities on EnemyBot’s list – such as the RCEs threatening Adobe ColdFusion 11 and PHP Scriptcase 9.7 – do not have a CVE number.
The owner of the EnemyBot code repository on GitHub describes himself as a “full-time malware developer” who is available to others for contract work, according to Alien Labs. The developer says their workplace is “Kek security”, which Caspi says suggests a relationship with Keksec.
The repository includes a Python script file that retrieves dependencies and compiles the malware for various processor architectures, such as x86, Arm, PowerPC, and MIPS, and operating systems such as Linux, FreeBSD, and macOS. Once compilation finishes, a downloader is created which, when run on a compromised device, fetches and runs the built EnemyBot executables. So the idea would be: build the malware, generate a downloader that fetches it onto a compromised machine, place the bot on a few victims’ devices, and let it rip, scanning the internet for other systems to infect and spreading automatically.
The main source code provides the core malware functionality minus vulnerability exploits, and borrows code from other botnets including Mirai, Qbot, and Zbot. Another module obfuscates the malware to help it evade detection, and another provides command and control (C&C) functionality to receive and execute commands from whoever controls devices infected with this strain of the botnet.
The malware randomly scans IP addresses, Caspi wrote. When it finds a target, EnemyBot tries to exploit it. The malware’s exploit code can be delivered as a payload from the C&C or embedded in the EnemyBot binary, it seems, though it’s missing from the public source.
If an Android device is connected via USB or if an Android emulator is running on a compromised system, the malware attempts to infect it. Once inside a hacked machine, EnemyBot will automatically scan for other vulnerable devices while waiting for commands from its C&C. It may also attempt to use default Telnet username/password combinations to connect to a remote device.
“Keksec’s EnemyBot seems to be just starting to spread,” Caspi wrote. “However, due to the authors’ rapid updates, this botnet has the potential to become a major threat to IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of publication of a proof of concept).”
The ability to scale quickly “indicates that the Keksec group has sufficient resources and has developed the malware to take advantage of vulnerabilities before they are patched, thereby increasing the speed and scale at which it can spread,” he wrote.
This capability was alluded to by FortiGuard researchers, who wrote that “this mix of exploits targeting web servers and applications beyond typical IoT devices, coupled with the wide range of supported architectures, could be a sign that Keksec is testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility.”
Alien Labs recommends that enterprises reduce exposure of Linux servers and IoT devices to the Internet, use properly configured firewalls, enable automatic updates, and monitor network traffic. ®
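Monitoring network traffic for the outbound behavior described above (an infected host scanning random IP addresses and trying Telnet logins) can start with a fan-out check such as the following. This is an added example, not code from Alien Labs or the EnemyBot repository; the flow-record layout, the 10.0.0.0/8 internal range, the thresholds, and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumption: the monitored address space
TELNET_PORTS = {23}                      # Telnet; extend for other watched services

def find_scanners(flows, window=60, min_targets=15):
    """Return {src: peak distinct external Telnet targets seen within `window` s}."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        outbound = ip_address(src) in INTERNAL_NET and ip_address(dst) not in INTERNAL_NET
        if dport in TELNET_PORTS and outbound:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        recent = deque()            # events inside the sliding window
        counts = defaultdict(int)   # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            counts[dst] += 1
            while recent[0][0] <= ts - window:   # evict events older than the window
                _, old_dst = recent.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def sample_flows():
    """Constructed flow records: (unix_ts, src_ip, dst_ip, dst_port)."""
    flows = []
    # 10.0.5.20: 40 different external hosts on Telnet in 40 s (scanner-like fan-out)
    for i in range(40):
        flows.append((1000 + i, "10.0.5.20", f"203.0.113.{i + 1}", 23))
    # 10.0.5.30: an admin repeatedly reaching the same two devices
    for i in range(40):
        flows.append((1000 + i, "10.0.5.30", f"198.51.100.{1 + i % 2}", 23))
    # 10.0.5.40: many targets, but only one every 10 minutes
    for i in range(30):
        flows.append((1000 + 600 * i, "10.0.5.40", f"203.0.113.{i + 100}", 23))
    return flows

if __name__ == "__main__":
    print(find_scanners(sample_flows()))
```

With the default thresholds the slow host at 10.0.5.40 is not flagged; widening `window` or lowering `min_targets` trades more false positives for coverage of slower scanning.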