EnemyBot, a botnet assembled from the code of several other malware families, is rapidly widening its reach by adding exploits for recently disclosed critical flaws in content management systems, web servers, IoT devices, and Android devices.
The botnet was first spotted in March by Securonix researchers. By April, when Fortinet published an analysis of newer samples, it already carried exploits for over a dozen processor architectures. Its primary purpose is to launch distributed denial-of-service (DDoS) attacks; it also carries modules that scan for and infect new target devices.
According to a recent analysis from AT&T Alien Labs, the latest EnemyBot versions carry exploits for 24 flaws. Most of them are rated critical, and a few do not even have a CVE number, which makes it harder for defenders to track and respond to them. In April the majority of the targeted weaknesses were in routers and IoT devices, with CVE-2022-27226 (iRZ) and CVE-2022-25075 (TOTOLINK) being the most recent additions and Log4Shell the most prominent.
AT&T Alien Labs has since found that a new version adds exploits for the following security flaws:
- CVE-2022-22954: Critical (CVSS score of 9.8) remote code execution vulnerability affecting VMware Identity Manager and VMware Workspace ONE Access. A proof-of-concept (PoC) exploit was published in April 2022.
- CVE-2022-22947: Remote code execution flaw in Spring, patched as a zero-day in March 2022 and heavily targeted throughout April 2022.
- CVE-2022-1388: Critical (CVSS score of 9.8) remote code execution flaw affecting F5 BIG-IP, exposing vulnerable endpoints to device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately.
Among the commands supported by later versions of the malware, RSHELL stands out: it opens a reverse shell on the infected system, which lets the threat actor bypass the firewall and reach the compromised host. All commands from the previous version remain available, giving the operators a wide range of DDoS attack options.
EnemyBot is being actively developed by Keksec, a group with other malicious projects under its belt, including Tsunami, Gafgyt, DarkHTTP, DarkIRC, and Necro. This appears to be a seasoned malware author who pays particular attention to this latest project, adding new exploits as soon as they become available, frequently before system administrators can apply patches. To make matters worse, AT&T reports that the EnemyBot source code has been leaked, making it available to any adversary. The person who leaked it is most likely linked with Keksec.
Two measures for defending against this threat are patching software as soon as updates are available and monitoring network traffic, particularly outbound connections. EnemyBot's main objective is DDoS attacks, but other uses (e.g., cryptomining, initial access) should also be considered, especially because the malware is gradually targeting more powerful devices.