EnemyBot is a threatening botnet that cybercriminals are using primarily to launch DDoS (Distributed Denial-of-Service) attacks. The botnet was first brought to light in a security report by researchers at Securonix. However, just a month later, Fortinet observed new EnemyBot samples with expanded intrusion capabilities that encompassed flaws for over a dozen different architectures.
The developers of the malware have not slowed down since then, and a report from AT&T Alien Labs showcases that EnemyBot variants can now exploit 24 additional vulnerabilities. The newly incorporated security flaws can affect web servers, IoT (Internet of Things) devices, Android devices, and content management systems.
Among the added vulnerabilities are:
- CVE-2022-22954 - a remote code execution flaw found in VMware Identity Manager and VMware Workspace ONE Access.
- CVE-2022-22947 - a Spring remote code execution flaw that was addressed as a zero-day back in March.
- CVE-2022-1388 - a remote code execution in F5 BIG-IP that can allow device takeover.
Most of EnemyBot's new exploits are classified as critical, while some did not even have a CVE number assigned to them. This is on top of the previously included capabilities, such as taking advantage of the infamous Log4Shell exploit.
EnemyBot is now also capable of creating a reverse shell on breached systems. If successful, the threat actors could then bypass certain firewall restrictions and establish access to the targeted machines. EnemyBot also possesses dedicated modules that scan for new suitable devices and attempt to infect them.