EnemyBot Linux Botnet Now Exploits Web Server, Android, and CMS Vulnerabilities
A fledgling Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
“Malware rapidly adopts day-old vulnerabilities as part of its exploit capabilities,” AT&T Alien Labs said in a technical paper published last week. “Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and many more are targeted, along with IoT and Android devices.”
First described by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked by the name Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link and iRZ.
Enemybot, capable of carrying out DDoS attacks, originated from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it is made up of four different components –
- A Python module to download dependencies and compile malware for different OS architectures
- The main section of the botnet
- An obfuscation segment designed to encode and decode malware strings, and
- Command and control functionality to receive attack commands and scavenge additional payloads
“If an Android device is connected via USB or an Android emulator running on the machine, EnemyBot will try to infect it by running [a] shell command,” the researchers said, pointing to a new “adb_infect” function. ADB refers to Android Debug Bridge, a command line utility used to communicate with an Android device.
A new scanner function has also been integrated, designed to probe random public IP addresses for potential vulnerabilities, and it is updated to cover new bugs within a few days of their public disclosure.
In addition to the Log4Shell vulnerabilities that were disclosed in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954) and F5 BIG-IP (CVE-2022-1388), as well as weaknesses in WordPress plugins like Video Synchro PDF.
Other weaponized security flaws are listed below –
- CVE-2022-22947 (CVSS score: 10.0) – A code injection vulnerability in Spring Cloud Gateway
- CVE-2021-4039 (CVSS score: 9.8) – A command injection vulnerability in the Zyxel NWA-1100-NH firmware web interface
- CVE-2022-25075 (CVSS score: 9.8) – A command injection vulnerability in the TOTOLink A3000RU Wireless Router
- CVE-2021-36356 (CVSS score: 9.8) – A remote code execution vulnerability in Kramer VIAware
- CVE-2021-35064 (CVSS score: 9.8) – An elevation of privilege and command execution vulnerability in Kramer VIAware
- CVE-2020-7961 (CVSS score: 9.8) – A remote code execution vulnerability in the Liferay Portal
Additionally, the botnet’s source code has been shared on GitHub, making it widely accessible to other threat actors. “I assume no responsibility for damage caused by this program,” reads the project’s README file. “This is released under the Apache License and is also considered art.”
“Keksec’s Enemybot appears to be just beginning to spread, but due to rapid updates from perpetrators, this botnet has the potential to become a major threat to IoT devices and web servers,” the researchers said.
“This indicates that the Keksec group has sufficient resources and has developed the malware to take advantage of vulnerabilities before they are patched, thereby increasing the speed and scale at which it can spread.”