EnemyBot malware adds exploits for critical VMware and F5 BIG-IP flaws (31st May 2022)

Ref# AL2022_35 | Date: May 31st 2022


EnemyBot, a botnet belonging to Keksec group made up of code from a variety of malware, is rapidly increasing its reach by including exploits for previously discovered serious vulnerabilities in web servers, content management systems, IoT (Internet of Things), and Android devices. 


The botnet was first detected in March by Securonix researchers, and by April, when Fortinet released an analysis of fresh samples, EnemyBot had already integrated weaknesses for over a dozen processor architectures. 

Its primary goal is to perform distributed denial-of-service (DDoS) assaults, but it also includes modules that scan for and infect new target devices. 

How it works  

One of the first things Enemybot does is drop a file in /tmp/.pwned that contains a message claiming to be from Keksec. This message was stored as cleartext in previous samples. A newer sample was provided with the message encoded using an XOR operation with a multiple-byte key. This indicates that the malware is still being developed. 

A sample, SHA256: fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473, captured on March 24, 2022, has the message in cleartext: 


A sample from March 28, 2022, SHA256: 93706966361922b493d816fa6ee1347c90de49b6d59fc01c033abdd6549ac8b9, encoded the message with an XOR operation using a multi-byte key. 

Upon decoding, the message has also been changed to: 

ENEMEYBOT V3.1-ALCAPONE – hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device literally has the security of a [shitty device] / [smart doorbell]). 

A List of CVE numbers for security vulnerabilities exploited and commands supported by Enemybot malware can be found at the following URL: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers 

Enemybot has recently added exploits for the following security vulnerabilities: 

  • CVE-2022-22954: Critical (CVSS: 9.8) remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager. PoC (proof of concept) exploit was made available in April 2022. 

  • CVE-2022-22947: Remote code execution flaw in Spring, fixed as zero-day in March 2022, and massively targeted throughout April 2022. 

  • CVE-2022-1388: Critical (CVSS: 9.8) remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately. 

RSHELL, which is used to construct a reverse shell on the infected system, stands out in the list of allowed commands by newer versions of the malware. This allows the threat actor to go through the firewall and gain access to the infected system. 

A shell command is run after a successful exploit to download another shell script from a URL. This URL is usually hardcoded, especially in Mirai-based botnets. However, in the case of Enemybot, the C2 server dynamically updates this URL using the command LDSERVER. The obvious advantage of this strategy is that the botnet administrators may simply update the bot clients with a new URL if the download server goes down for whatever reason. 

The shell script update.sh then downloads and executes the actual Enemybot binaries for each architecture it targets. 

Target Architectures 

Like most botnets, this malware infects multiple architectures to increase its chances of infecting more devices. In addition to IoT devices, Enemybot also targets desktop/server architectures such as BSD, including Darwin (macOS), and x64. 

Enemybot targets the following architectures: 

  • arm 

  • arm5 

  • arm64 

  • arm7 

  • bsd 

  • darwin 

  • i586 

  • i686 

  • m68k 

  • mips 

  • mpsl 

  • ppc 

  • ppc-440fp 

  • sh4 

  • spc 

  • x64 

  • X86 

Obfuscation Techniques 

Strings are obfuscated in a variety of ways by Enemybot: 

  • With a multi-byte key, the C2 domain employs XOR encoding. 

  • SSH brute-forcing credentials and bot killer keywords employ Mirai-style encoding, which is a single-byte XOR encoding with 0x22. 

  • A substitution cipher is used to encode commands, which involves swapping one character for another. 

  • Some strings are encoded by simply adding three to each character”s numeric value. 

While these obfuscation tactics are basic, they are effective in concealing telltale signs of its presence from casual analysis and other botnets. Most IoT botnets, like Enemybot, are known to look for such indicators to shut down other botnets on the same device. 


The following steps are recommended to safeguard against this malware: 

  • Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall. 

  • Enable automatic updates to ensure your software has the latest security updates. 

  • Monitor network traffic, outbound port scans, and unreasonable bandwidth usage. 

  • Patch Software products as soon as updates are available 

The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary. 

PDF Download: EnemyBot malware adds exploits for critical vulnerabilities.pdf