Executive Summary
AT&T Alien Labs recently reported on Enemybot, an internet of things (IoT) malware targeting content management systems (CMS), Linux, and Android.
Key Takeaways
- Enemybot is an IoT malware targeting CMS, Linux, and Android.
- The malware source code is readily available on Github.
- Enemybot is continually expanding its capabilities to exploit newly discovered vulnerabilities.
- The threat actor group Keksec was observed using Enemybot.
Enemybot is a rapidly evolving IoT malware currently targeting content management systems (CMS), web servers, Linux systems, and Android devices. Services being targeted include VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase, and others. Enemybot was discovered by Securonix in March 2022 and was analyzed by Fortinet earlier this year. Alien Labs recently analyzed Enemybot and found it has expanded its capabilities and is exploiting recently identified vulnerabilities.
The malware is highly accessible, as the base source code is available on GitHub. This allows anyone to use the malware. Enemybot’s GitHub page states the source code is derived from multiple botnets, creating a more powerful and adjustable malware. Code used includes Mirai, Qbot, and Zbot.
Enemybot’s GitHub repository contains four components: cc7.py, enemy.c, hide.c, and servertor.c.
cc7.py
The cc7.py module is a Python script that downloads all dependencies needed for the malware and compiles the malware into different OS architectures. These include x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and others. After the malware is compiled, the script creates a batch file named update.sh, which the bot uses as a downloader to spread the malware.
enemy.c
The file enemy.c is the main source code for the bot. It is missing the main exploitation function but otherwise includes all other malware functionality, mixing the source code of the multiple bots mentioned above.
hide.c
The hide.c module is compiled and manually executed to encode and decode the malware’s strings. This allows the threat actor to hide strings in the compiled binary. The malware uses a simple swap table for this purpose.
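As an added illustration (not code from the Enemybot repository or from the Alien Labs report), the C below shows why a swap table lets a single routine serve as both encoder and decoder: every entry exchanges two bytes, so applying the table twice restores the original. The table contents and the helper names are constructed for this example and are not Enemybot’s.

```c
#include <string.h>

/* Constructed swap table for illustration; it is NOT the table used by
 * Enemybot's hide.c. Each row is a pair of bytes exchanged for each other. */
#define NPAIRS 6
static const unsigned char swap_pairs[NPAIRS][2] = {
    {'a', 'z'}, {'e', 'q'}, {'i', 'x'}, {'o', 'v'}, {'s', '5'}, {'/', '#'}
};

/* Map one byte through the table; bytes absent from the table pass through. */
static unsigned char swap_byte(unsigned char c)
{
    for (int i = 0; i < NPAIRS; i++) {
        if (c == swap_pairs[i][0]) return swap_pairs[i][1];
        if (c == swap_pairs[i][1]) return swap_pairs[i][0];
    }
    return c;
}

/* Transform a NUL-terminated string in place. Because every entry is a
 * two-way swap, the same routine both encodes and decodes. */
static void swap_string(char *s)
{
    for (; *s; s++)
        *s = (char)swap_byte((unsigned char)*s);
}

/* A table is only its own inverse if no byte appears twice; a duplicate
 * would make decoding ambiguous. Analysts should verify this before trusting
 * a recovered table. */
static int table_is_consistent(void)
{
    int seen[256] = {0};
    for (int i = 0; i < NPAIRS; i++)
        for (int j = 0; j < 2; j++)
            if (seen[swap_pairs[i][j]]++) return 0;
    return 1;
}

/* Encode a copy of `plain` and compare it with `expected`. */
static int encoded_equals(const char *plain, const char *expected)
{
    char buf[128];
    if (strlen(plain) >= sizeof buf) return 0;
    strcpy(buf, plain);
    swap_string(buf);
    return strcmp(buf, expected) == 0;
}

/* Applying the table twice must return the original string. */
static int roundtrip_ok(const char *plain)
{
    char buf[128];
    if (strlen(plain) >= sizeof buf) return 0;
    strcpy(buf, plain);
    swap_string(buf);
    swap_string(buf);
    return strcmp(buf, plain) == 0;
}
```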
servertor.c
The servertor.c module is the command and control (C2) botnet controller. The C2 is executed on a dedicated machine that is threat actor controlled. The threat actor uses the C2 to control the malware and send commands to victim machines.
The majority of Enemybot’s functionality relates to the malware’s capability to spread and to scan public-facing assets for vulnerable devices. Enemybot also has DDoS capabilities and allows threat actors to download and execute additional modules. Commands issued from the C2 enable threat actors to:
- execute shell commands
- ping the server
- change the loader server for the payload
- turn a sniffer on or off
- create a reverse shell on a victim machine
- start a DDoS attack
- start or stop a scanner that scans for and infects vulnerable machines
- stop ongoing attacks
- start a targeted attack on an ARK: Survival Evolved server
- receive a target list from the C2 and start a DNS attack
According to Alien Labs, a webscan function was added to newer Enemybot variants, containing 24 exploits to attack vulnerabilities across multiple devices and web servers. Enemybot randomly scans IP addresses until it gets a response via SYN/ACK. It then scans for vulnerabilities on the remote server by executing multiple exploits. Log4j exploits CVE-2021-44228 and CVE-2021-45046 are among those used by the threat actors, and more newly discovered vulnerabilities are being added regularly. Enemybot is also targeting CMS, such as WordPress, by searching for vulnerabilities in plugins.
Additional vulnerabilities being exploited by Enemybot include the following:
- F5 BIG IP RCE (CVE-2022-1388)
- Adobe ColdFusion 11 RCE
- Liferay Portal Java Unmarshalling via JSONWS RCE (CVE-2020-796)
- PHP Scriptcase 9.7 RCE
- Zyxel NWA-1100-NH command injection (CVE-2021-4039)
- Razer Sila command injection
- Spring Cloud Gateway code injection (CVE-2022-22947)
- VMware Workspace ONE RCE (CVE-2022-22954)
- Kramer VIAware RCE (CVE-2021-36356, CVE-2021-35064)
- WordPress Video Synchro PDF plugin LFI
- Dbltek GoIP LFI
- WordPress Cab Fare Calculator plugin LFI
- Archeevo 5.0 LFI
- Fuel CMS 1.4.1 RCE (CVE-2018-16763)
- F5 BIG IP RCE (CVE-2020-5902)
- ThinkPHP 5.X RCE
- Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
- TOTOLink A3000RU command injection vulnerability (CVE-2022-25075)
- D-Link devices HNAP SOAPAction Header command injection vulnerability (CVE-2015-2051)
- ZHOME < S3.0.501 RCE (CVE-2014-9118)
- Zyxel P660HN unauthenticated command injection (CVE-2017-18368)
- Seowon SLR 120 router RCE (CVE-2020-17456)
- D-Link DWR command injection (CVE-2018-10823)
Enemybot is reportedly being used by the threat actor group Keksec. Keksec, active since at least 2016, has the resources and capabilities to continually update its malware. The group is known to develop botnets for both Windows and Linux systems. Some of their botnets include Tsunami, Gafgyt, DarkIRC, DarkHTTP, and Necro. The individual responsible for the Enemybot GitHub repository states they work at “Kek Security” and that they are available for full-time malware development and part-time contract work.
IOCs
Below is a selection of PolySwarm’s Enemybot IOCs.
You can use the following CLI command to search for all Enemybot samples in our portal:
$ polyswarm link list -f Enemybot