A new botnet named EnemyBot was discovered recently, and it has already gained new capabilities since its discovery. The Linux-based botnet can attack web servers, content management systems, and Android-based targets by exploiting newly disclosed vulnerabilities in them.
Constantly improved for exploiting new vulnerabilities
The first samples of EnemyBot were found in March 2022 by Securonix. According to the security analysts who investigated the botnet, EnemyBot is linked to the Keksec group. The botnet’s main purpose is to carry out distributed denial-of-service (DDoS) attacks. AT&T Alien Labs states that the botnet can exploit 24 different vulnerabilities, some of which do not even have a CVE identifier assigned for tracking.
The botnet consists of four modules that handle all the required steps. The Python module downloads dependencies for different operating systems and compiles the malware. The obfuscation segment encodes and decodes the malware’s strings. The command and control module receives the targets from the threat actors and fetches payloads. Finally, the botnet module carries out EnemyBot’s main purpose, the DDoS attacks.
The variant found back in April was mostly focused on routers and IoT devices, exploiting the CVE-2022-27226 and CVE-2022-25075 vulnerabilities. The most recent variant, however, can also exploit the following critical flaws:
- CVE-2022-22954 (CVSS: 9.8): A remote code execution vulnerability that affects VMware Workspace One Access and Identity Manager.
- CVE-2022-22947 (CVSS: 10): A remote code execution vulnerability in Spring Cloud Gateway.
- CVE-2022-1388 (CVSS: 9.8): A remote code execution vulnerability in F5 BIG-IP.
The new variant of the botnet can also create a reverse shell on the target, an outbound connection from the compromised host that lets the attacker bypass inbound firewall rules. EnemyBot has a high potential to infect systems because it is constantly updated to exploit new vulnerabilities quickly. Security analysts state that EnemyBot could be used for different purposes with different payloads in the near future.