EnemyBot Malware Targets Web Servers

An Internet of Things, botnet malware EnemyBot, has added exploits to its capability, allowing it to infect and spread from enterprise-grade equipment. EnemyBot's core source code can be found on GitHub and that means that any competent cyber criminal can use the malware to start crafting their own attacks

Cyber security researchers at Alien Labs have now released a warning about the EnemyBot malware, which  uses code from botnets including as Mirai, Qbot, and Zbot. The rapidly evolving tool functions as IoT malware and targets content management systems (CMS) web servers and Android devices.

The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining crypto-currency.

Keksec is using the fast-evolving Enemybot to target routers from vendors like Seowon Intech and D-Link and is exploiting a remote code execution (RCE) vulnerability discovered recently in iRZ mobile routers.

Alien Labs released a post regarding the bot, stating that is has targeted popular services such as VMware Workspace, Adobe ColdFusion, WordPress, PHP Scriptcase and others. The post says that the Keksec group distributes the malware by specifically targeting IoT devices and Linux machines. The EnemyBot is not the only botnet in Keksec’s arsenal, as the group dates back to 2016 and has deployed many similar tools.

Keksec is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

  • The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.
  • The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.
  • The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.
  • The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

The Alien Lab research team has reported that there are four main sections of the malware, including the main source code and functionality of the malware as well as a python script used to download dependencies and compile the malware into different architectures. 

Alien Labs recommends that users deploy a strong and properly configured firewall and reduce Linux and IoT devices’ exposure to the Internet.

Alien Labs:      Threatpost:       Oodaloop:     The Register:    Dark Reading:   The Hacker News

You Might Also Read: 

A New IoT Botnet Storm Is Coming:

 

 

« Global Cyber Security Insurance Market Will Grow To $61.2B
US Military Hackers At Work Supporting Ukraine »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Information Risk Management (IRM)

Information Risk Management (IRM)

IRM is an international consultancy dedicated to helping organisations solve key business issues. We provide strategic cyber security advice across a wide range of sectors.

NetMotion Software

NetMotion Software

NetMotion Software specializes in mobile performance management solutions to manage, secure and support the mobile enterprise.

SecurePay

SecurePay

SecurePay is Australia's premier payment gateway, with a range of secure online payment solutions for online retailers, SMEs and enterprise businesses.

SecureDevice

SecureDevice

SecureDevice is a Danish IT Security company.

Cyberkov

Cyberkov

Cyberkov services include Pentesting, Vulnerability Assessments, Digital Forensics, Incident Response, Source Code Analysis and Security Training.

Ntrepid

Ntrepid

Ntrepid products provide protection from web threats and enable organizations to safely conduct their online activities.

Garrison Technology

Garrison Technology

Garrison SAVI® is a unique technology for secure remote browsing that can dramatically change the risk profile for enterprise cyber security.

Cyber Risk Opportunities

Cyber Risk Opportunities

Cyber Risk Opportunities was formed to enable middle-market executives to become more proficient cyber risk managers so their organizations can thrive.

ZeroNorth

ZeroNorth

ZeroNorth provides a new approach to improve software and infrastructure security, simplify continuous compliance reporting and to create more cost-effective risk management programs.

e-End

e-End

e-End provides hard drive shredding, degaussing and data destruction solutions validated by the highest electronic certifcations to keep you compliant with GLB, SOX, FACTA, FISMA, HIPAA, COPPA, ITAR.

CyPhyCon

CyPhyCon

CyPhyCon is an annual event exploring threats and solutions to cyber attacks on cyber-physical systems such as industrial control systems, Internet of Things and Industrial Internet of Things.

Scythe

Scythe

SCYTHE is a next generation red team platform for continuous and realistic enterprise risk assessments.

Penten

Penten

Penten is an Australian-based cyber security company focused on innovation in secure mobility and applied AI (artificial intelligence).

Luxembourg House of Financial Technology (LHoFT)

Luxembourg House of Financial Technology (LHoFT)

Offering start-up incubation, co-working spaces including a soft-landing platform, the LHoFT connects and creates value for the entire Luxembourg FinTech ecosystem.

BCyber

BCyber

BCyber is a Swiss Cyber Security company that provides security products, training, and managed services to protect diverse IT and OT environments against cyber, physical, and cyber-physical threats.

Sec3

Sec3

Sec3 is a security and research firm providing bespoke audits and cutting edge tools to Web3 projects.