
Researchers Pick Apart Enemybot Hybrid Botnet Exposing Real Dangers


A team of researchers at security firm FortiGuard recently published a blog post detailing a new botnet malware. The botnet, named Enemybot, is primarily focused on delivering distributed denial of service (DDoS) attacks.

Enemybot is a mix of Mirai and Gafgyt

According to FortiGuard, Enemybot is something of a mutant, borrowing code and modules from both the infamous Mirai botnet and the Bashlite or Gafgyt botnet, with more borrowed from the latter. The fact that both of those botnet families have their source code available online makes it easy for new threat actors to pick up the torch, mix and match and produce their own version, much like Enemybot.

The new Enemybot malware is associated with the Keksec threat actor - an entity known mainly for pulling off previous distributed denial of service (DDoS) attacks. The new malware has been spotted by FortiGuard in attacks targeting router hardware by Korean manufacturer Seowon Intech, as well as the more popular D-Link routers. Poorly configured Android devices are also susceptible to attack by the malware.

The analysis also exposes the real dangers of Enemybot. To compromise targeted devices, it resorts to a wide range of known exploits and vulnerabilities, including the most prominent one of the past year, Log4j.

Enemybot targets wide range of devices

The malware deploys a file in the /tmp directory, with the extension .pwned. The .pwned file contains a simple text message, taunting the victim and communicating who the authors are, in this case - Keksec.
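A host-side check for the marker file described above, as an added example that is not part of the FortiGuard report or the original post. It looks for files ending in .pwned under a temp directory and reports a short preview of each; the sample .pwned contents it is run over are constructed here, and the real taunt text is not reproduced.

```python
import tempfile
from pathlib import Path

MARKER_SUFFIX = ".pwned"
MAX_PREVIEW_BYTES = 200


def find_pwned_markers(tmp_dir="/tmp"):
    """Report every regular file ending in .pwned under tmp_dir.

    Each finding records the path, size, a short text preview and whether the
    preview names Keksec. Unreadable files are still reported (empty preview)
    so a scan never silently drops a hit.
    """
    findings = []
    root = Path(tmp_dir)
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*" + MARKER_SUFFIX)):
        if path.is_symlink() or not path.is_file():
            continue  # skip symlinks and directories; only real files count
        try:
            size = path.stat().st_size
            raw = path.read_bytes()[:MAX_PREVIEW_BYTES]
            preview = raw.decode("utf-8", errors="replace").strip()
        except OSError:
            size, preview = -1, ""
        findings.append({
            "path": str(path),
            "size": size,
            "preview": preview,
            "mentions_keksec": "keksec" in preview.lower(),
        })
    return findings


def demo_scan():
    """Run the scanner over a constructed temp directory (sample data, not a
    real infection) and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # constructed taunt text; the real message wording is not reproduced
        (d / "enemybot.pwned").write_text("pwned by Keksec (constructed sample)\n")
        (d / "sub").mkdir()
        (d / "sub" / "blob.pwned").write_bytes(b"\x00\xff\x10binary")
        (d / "notes.txt").write_text("not a marker file\n")
        return find_pwned_markers(tmp)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

On a real host, run find_pwned_markers() against /tmp and feed the findings into whatever alerting the environment uses; a hit is worth triaging together with the router or Android device's outbound connections.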

The Enemybot botnet targets almost every chip architecture you can think of, from various versions of arm, to standard x64 and x86, to bsd and spc.

Once deployed, the botnet's payload downloads binaries from the C2 server, and those binaries are used to run DDoS commands. The malware also has a level of obfuscation, including hosting its C2 server on a Tor .onion domain.

FortiGuard believes that the malware is still being actively worked on and improved, possibly by more than one threat actor group, due to changes detected in different versions of the .pwned file message.

1 Comment

Aboo Khadaroo

Enemybot keeps adding exploits to its toolkit, now targeting Critical VMware, F5 Big-IP after Log4j.