A new botnet is wreaking havoc on routers, IoT (Internet of Things) devices, and several types of server architectures. On April 12, FortiGuard Labs cybersecurity researchers revealed that the new Enemybot distributed denial-of-service (DDoS) botnet takes modules from the famed Mirai botnet’s source code, as well as Gafgyt’s.
In 2016, the Mirai botnet was involved in a significant DDoS attack against Dyn. In the same year, the source code for Mirai was disclosed online, and threat actors continue to build botnets from pieces of it. The Gafgyt/Bashlite source code is also publicly available, and the new Enemybot, according to FortiGuard, uses parts from both botnets in its attacks, joining the likes of Satori, Okiru, and Masuta.
The botnet’s operator is suspected to be Keksec. Keksec, aka Necro or Freakout, is a well-known threat organization linked to DDoS attacks, cyberattacks on cloud service providers, and cryptojacking activities. According to Lacework, the threat organization is also the creator of a Tsunami DDoS malware variation known as “Ryuk,” though it shouldn’t be confused with the Ryuk ransomware family.
Enemybot was first observed in March 2022. The botnet uses Mirai’s scanner module and bot killer, which scans memory for running processes and terminates any rival malware whose process name matches a set of keywords. Because it relies so heavily on botnet functionality derived from Gafgyt’s core, the team has dubbed the botnet an “updated and ‘rebranded’ form of Gafgyt_tor.”
Enemybot uses tactics such as vulnerability exploitation and brute-force attacks to compromise a wide range of devices and architectures. Routers from Seowon Intech, D-Link, Netgear, and Zhone are targeted, as are iRZ mobile routers and misconfigured Android handsets. The threat actors attempt to exploit both older, already-patched vulnerabilities and newer security flaws such as Log4j. Enemybot is not selective about architecture either: desktop and server systems running on arm, arm64, Darwin, and BSD, among many others, are targeted.
“This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks,” the researchers say.
After the malware gains access to a device or server, it creates a text file containing cleartext messages, such as: “ENEMEYBOT V3.1-ALCAPONE – hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device literally has the security of a [shitty device] / [smart doorbell]).”
Enemybot then fetches additional binaries and executes a range of DDoS-related commands, depending on the target architecture. The malware employs various obfuscation techniques to evade detection and conceal its presence. The botnet’s command-and-control (C2) server is hosted on a .onion domain that can only be reached through the Tor network. Enemybot is currently under active development.
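The cleartext message the malware drops, together with the report’s note that the C2 lives on a .onion address, gives defenders two string indicators to look for on a suspect device. The following scanner is an added example written for this article, not code from FortiGuard or from the botnet: it walks a directory tree, reads each file as bytes (the marker may sit in a dropped text file or inside a downloaded binary), and flags files containing the quoted marker prefix or a .onion hostname. The sample tree, its file names and the `example.onion` host are constructed for the demo and are not indicators from the report.

```python
"""Scan a directory tree for the cleartext Enemybot marker quoted in the report.

Added example, not FortiGuard's or the botnet's code. Sample files below are
constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path

# Prefix of the dropped message as quoted in the report; compared in upper case
# because the sample text mixes case freely ("haCkED").
ENEMYBOT_MARKER = b"ENEMEYBOT V3.1-ALCAPONE"
# Weaker, secondary indicator: the report says the C2 is hosted on a .onion domain.
ONION_HINT = b".onion"


def classify_bytes(data: bytes) -> str:
    """Return 'marker', 'onion', or 'clean' for one file's contents."""
    if ENEMYBOT_MARKER in data.upper():
        return "marker"
    if ONION_HINT in data.lower():
        return "onion"
    return "clean"


def scan_tree(root: str, max_bytes: int = 8 * 1024 * 1024) -> dict:
    """Walk root and map each hit path -> indicator ('marker' or 'onion').

    Symlinks and files larger than max_bytes are skipped so the scan stays
    cheap on a low-resource device; unreadable files are ignored rather than
    aborting the whole run.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or path.stat().st_size > max_bytes:
                    continue
                verdict = classify_bytes(path.read_bytes())
            except OSError:
                continue
            if verdict != "clean":
                hits[str(path)] = verdict
    return hits


def demo() -> dict:
    """Build a constructed tree with one benign and two suspicious files, then scan it."""
    root = tempfile.mkdtemp(prefix="enemybot_demo_")
    (Path(root) / "motd").write_text("Welcome to the lab router\n")
    # Constructed sample of the dropped message, cut off after the quoted prefix.
    (Path(root) / "readme.txt").write_bytes(
        b"ENEMEYBOT V3.1-ALCAPONE - hail KEKSEC, ALSO U GOT haCkED\n")
    # Constructed stand-in for a downloaded binary embedding a hypothetical .onion host.
    (Path(root) / "cfg.bin").write_bytes(b"\x7fELF\x00\x00c2: example.onion\x00")
    return scan_tree(root)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:7s} {path}")
```

A `marker` hit is high confidence, since the string is specific to this malware; an `onion` hit is only a prompt for manual review, because legitimate software (Tor itself, some browsers) also carries that substring.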