Malware analysis

Dangerous IoT EnemyBot botnet is now attacking other targets

Pedro Tavares
August 24, 2022 by
Pedro Tavares

EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. It was designed to attack web servers, Android devices and content management systems (CMS) servers.

Because the malware source code is available on GitHub (Figure 1 below), criminals can reuse the code-base to implement their own versions, improving it with new capabilities and making it stealthier.

Figure 1: EnemyBot source code is available on GitHub.

EnemyBot is malware created by combining and modifying the source code of Miray and Gafgyt. By analyzing both threats' “scanning” features, you can see that the code similarities are obvious.

Figure 2: Code similarities between Mirai and Enemybot (source)

Multi-architecture threat and obfuscation layer

Like Mirai, EnemyBot can infect several architectures, targeting desktop and server architectures, including BSD, macOS and x64.

Here’s the list of architectures targeted by EnemyBot:

arm

arm5

arm64

arm7

bsd

darwin

i586

i686

m68k

mips

mpsl

ppc

ppc-440fp

sh4

spc

x64

x86

According to the Fortinet analysis, this botnet can obfuscate the strings in various ways, namely:

  • the C2 uses XOR encoding with a multi-byte key
  • the SSH brute-force mechanism uses the Mirai style encoding (single-byte XOR encoding with 0x22)
  • botnet commands are encrypted with a substitution cipher.

Although these obfuscation methods are simple, they are enough to keep the threat hidden from the eyes of security analysis and detection systems.

EnemyBot used CVEs

EnemyBot is continually updated by its operators, and new vulnerabilities are added frequently. Some of the vulnerabilities explored by this botnet are in this section, including flaws discovered during the first half of 2022.

  • CVE-2021-44228/2021-45046: Log4j is a Java-based logging framework. Several versions, including Apache Log4j2 1.14.1 and below, are exposed to this CVE, and an adversary can leverage this vulnerability to take complete control of a machine.

Figure 3: Part of the Log4j payload from Enemybotnet source code

Other vulnerabilities included in the latest release of EnemyBot can be seen below. Notice that these vulnerabilities don’t have CVE assigned and were discovered in 2022.

  • Adobe ColdFusion 11 RCE 
  • PHP Scriptcase 9.7 RCE:
  • Razar Sila Command injection:
  • WordPress Video Synchro PDF plugin LFI
  • Dbltek GoIP LFI
  • WordPress Cab Fare Calculator plugin LFI
  • Archeevo 5.0 LFI

Botnet commands and DoS

After compromising a new target, the bot connects with the C2 server and can perform specific tasks according to the available commands. The C2 server is hosted over the TOR network, and the botnet nodes access the server by using a hardcoded list of socks proxy IP addresses.

The available commands are:

Figure 4: List of available commands from the Enemybot

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

How to protect IoT devices against cyberattacks

Cyber threats have emerged both in volume and sophistication, and criminals repeatedly take advantage of a simple weakness to take control of the target system. In this sense, the IoT landscape is the perfect door from the adversaries' viewpoint because these devices have poor security and monitorization.

Although the IoT security horizon can be considered expansive from several perspectives, a few simple security practices can help to keep IoT devices safe. Some of the steps to consider are:

  • Change default passwords and adjust the device settings.
  • Use multi-factor authentication (MFA) or another auth mechanism when possible and applicable.
  • Keep the software and firmware updated (this step can avoid a lot of new flaws explored by botnets such as Enemybot and Mirai).
  • Ensure the device is available in a black hole network segment, i.e., isolated from critical assets.

And, most important, implement monitoring at the network layer and host-based when possible. Keeping an eye on the devices’ behavior is an effective measure for detecting and blocking potential intrusions in advance.

 

Sources:

Pedro Tavares
Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.