Description
EnemyBot, a botnet belonging to Keksec group made up of code from a variety of malware, is rapidly increasing its reach by including exploits for previously discovered serious vulnerabilities in web servers, content management systems, IoT (Internet of Things), and Android devices.
Summary
The botnet was first detected in March by Securonix researchers, and by April, when Fortinet released an analysis of fresh samples, EnemyBot had already integrated weaknesses for over a dozen processor architectures.
Its primary goal is to perform distributed denial-of-service (DDoS) assaults, but it also includes modules that scan for and infect new target devices.
How it works
One of the first things Enemybot does is drop a file in /tmp/.pwned that contains a message claiming to be from Keksec. This message was stored as cleartext in previous samples. A newer sample was provided with the message encoded using an XOR operation with a multiple-byte key. This indicates that the malware is still being developed.
A sample, SHA256: fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473, captured on March 24, 2022, has the message in cleartext:
ENEMEYBOT V3.1-ALCAPONE hail KEKSEC
A sample from March 28, 2022, SHA256: 93706966361922b493d816fa6ee1347c90de49b6d59fc01c033abdd6549ac8b9, encoded the message with an XOR operation using a multi-byte key.
Upon decoding, the message has also been changed to:
ENEMEYBOT V3.1-ALCAPONE – hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device literally has the security of a [shitty device] / [smart doorbell]).
A List of CVE numbers for security vulnerabilities exploited and commands supported by Enemybot malware can be found at the following URL: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers
Enemybot has recently added exploits for the following security vulnerabilities:
CVE-2022-22954: Critical (CVSS: 9.8) remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager. PoC (proof of concept) exploit was made available in April 2022.
CVE-2022-22947: Remote code execution flaw in Spring, fixed as zero-day in March 2022, and massively targeted throughout April 2022.
CVE-2022-1388: Critical (CVSS: 9.8) remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately.
RSHELL, which is used to construct a reverse shell on the infected system, stands out in the list of allowed commands by newer versions of the malware. This allows the threat actor to go through the firewall and gain access to the infected system.
A shell command is run after a successful exploit to download another shell script from a URL. This URL is usually hardcoded, especially in Mirai-based botnets. However, in the case of Enemybot, the C2 server dynamically updates this URL using the command LDSERVER. The obvious advantage of this strategy is that the botnet administrators may simply update the bot clients with a new URL if the download server goes down for whatever reason.
The shell script update.sh then downloads and executes the actual Enemybot binaries for each architecture it targets.
Target Architectures
Like most botnets, this malware infects multiple architectures to increase its chances of infecting more devices. In addition to IoT devices, Enemybot also targets desktop/server architectures such as BSD, including Darwin (macOS), and x64.
Enemybot targets the following architectures:
arm
arm5
arm64
arm7
bsd
darwin
i586
i686
m68k
mips
mpsl
ppc
ppc-440fp
sh4
spc
x64
X86
Obfuscation Techniques
Strings are obfuscated in a variety of ways by Enemybot:
With a multi-byte key, the C2 domain employs XOR encoding.
SSH brute-forcing credentials and bot killer keywords employ Mirai-style encoding, which is a single-byte XOR encoding with 0x22.
A substitution cipher is used to encode commands, which involves swapping one character for another.
Some strings are encoded by simply adding three to each character”s numeric value.
While these obfuscation tactics are basic, they are effective in concealing telltale signs of its presence from casual analysis and other botnets. Most IoT botnets, like Enemybot, are known to look for such indicators to shut down other botnets on the same device.
Remediation
The following steps are recommended to safeguard against this malware:
Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
Enable automatic updates to ensure your software has the latest security updates.
Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
Patch Software products as soon as updates are available
The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.
PDF Download: EnemyBot malware adds exploits for critical vulnerabilities.pdf
References
Toulas, Bill. (29th May 2022). EnemyBot malware adds exploits for critical VMware, F5 BIG-IP flaws. Retrieved from Bleeping Computer. https://www.bleepingcomputer.com/news/security/enemybot-malware-adds-exploits-for-critical-vmware-f5-big-ip-flaws/
Tay, Roy & Salvio, Joie. (12th April 2022). Enemybot: A look into Keksecs latest DDoS botnet. Retrieved from Fortinet. https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet#:~:text=Enemybot%20has%20been%20seen%20targeting,once%20inside%20an%20infected%20device.
Caspi, Ofer. (26th May 2022). Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices. Retrieved from AT&T Cybersecurity. https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers