AT&T Alien Labs recently reported on Enemybot, an internet of things (IoT) malware targeting content management systems (CMS), Linux, and Android.
- Enemybot is an IoT malware targeting CMS, Linux, and Android.
- The malware source code is readily available on Github.
- Enemybot is continually expanding its capabilities to exploit newly discovered vulnerabilities.
- The threat actor group Keksec was observed using Enemybot.
Enemybot is a rapidly evolving IoT malware currently targeting content management systems (CMS), web servers, Linux systems, and Android devices. Services being targeted include VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase, and others. Enemybot was discovered by Securonix in March 2022 and was analyzed by Fortinet earlier this year. Alien Labs recently analyzed Enemybot and found it has expanded its capabilities and is exploiting recently identified vulnerabilities.
The malware is highly accessible, as the base source code is available on Github. This allows anyone to use the malware. Enemybot’s Github page states the source code is derived from multiple botnets, creating a more powerful and adjustable malware. Code used includes Mirai, Qbot, and Zbot.
Enemybot’s Github repository contains four source files: cc7.py, enemy.c, hide.c, and servertor.c.
The cc7.py module is a Python script that downloads all dependencies needed for the malware and compiles the malware for different operating systems and architectures, including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and others. After the malware is compiled, the script creates a shell script named update.sh, which the bot uses as a downloader to spread the malware.
The file enemy.c is the main source code for the bot. It is missing the main exploitation function but otherwise includes all other malware functionality, mixing the source code of the multiple bots mentioned above.
The hide.c module is compiled and manually executed to encode and decode the malware’s strings. This allows the threat actor to hide strings in the binary. The malware uses a simple swap table for this purpose.
The servertor.c module is the command and control (C2) botnet controller. The C2 is executed on a dedicated, threat-actor-controlled machine. The threat actor uses the C2 to control the malware and send commands to victim machines.
The majority of Enemybot’s functionality relates to the malware’s ability to spread and to scan public-facing assets for vulnerable devices. Enemybot also has DDoS capabilities and allows threat actors to download and execute additional modules. Its supported commands enable threat actors to:
- execute shell commands
- ping the server
- change the loader server for the payload
- turn a sniffer on or off
- create a reverse shell on a victim machine
- start a DDoS attack
- start or stop a scanner that scans for and infects vulnerable machines
- stop ongoing attacks
- start a targeted attack on an ARK: Survival Evolved server
- receive a targets list from the C2 and start a DNS attack
According to Alien Labs, a webscan function was added to newer Enemybot variants, containing 24 exploits for vulnerabilities across multiple devices and web servers. Enemybot randomly scans IP addresses until it receives a SYN/ACK response. It then probes the remote server for vulnerabilities by executing multiple exploits. The Log4j exploits for CVE-2021-44228 and CVE-2021-45046 are among those used by the threat actors, and newly discovered vulnerabilities are being added regularly. Enemybot is also targeting CMS, such as WordPress, by searching for vulnerable plugins.
Additional vulnerabilities being exploited by Enemybot include the following:
- F5 BIG-IP RCE (CVE-2022-1388)
- Adobe ColdFusion 11 RCE
- Liferay Portal Java Unmarshalling via JSONWS RCE (CVE-2020-796)
- PHP Scriptcase 9.7 RCE
- Zyxel NWA-1100-NH command injection (CVE-2021-4039)
- Razer Sila command injection
- Spring Cloud Gateway code injection (CVE-2022-22947)
- VMware Workspace ONE RCE (CVE-2022-22954)
- Kramer VIAware RCE (CVE-2021-36356, CVE-2021-35064)
- WordPress Video Synchro PDF plugin LFI
- Dbltek GoIP LFI
- WordPress Cab Fare Calculator plugin LFI
- Archeevo 5.0 LFI
- Fuel CMS 1.4.1 RCE (CVE-2018-16763)
- F5 BIG-IP RCE (CVE-2020-5902)
- ThinkPHP 5.X RCE
- Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
- TOTOLink A3000RU command injection vulnerability (CVE-2022-25075)
- D-Link devices HNAP SOAPAction Header command injection vulnerability (CVE-2015-2051)
- ZHOME < S3.0.501 RCE (CVE-2014-9118)
- Zyxel P660HN unauthenticated command injection (CVE-2017-18368)
- Seowon SLR 120 router RCE (CVE-2020-17456)
- D-Link DWR command injection (CVE-2018-10823)
Enemybot is reportedly being used by the threat actor group Keksec. Keksec, active since at least 2016, has the resources and capabilities to continually update its malware. The group is known to develop botnets for both Windows and Linux systems. Some of its botnets include Tsunami, Gafgyt, DarkIRC, DarkHTTP, and Necro. The individual responsible for the Enemybot Github repository states they work at “Kek Security” and that they are available for full-time malware development and part-time contract work.
Below is a selection of PolySwarm’s Enemybot IOCs.
You can use the following CLI command to search for all Enemybot samples in our portal:
$ polyswarm link list -f Enemybot