Saturday, August 20, 2022

Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices


Executive summary

AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by the threat actor Keksec. During our investigations, Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware's base source code can now be found online on Github, making it widely accessible.

Key takeaways:

  • EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
  • The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
  • Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted, as well as IoT and Android devices.
  • The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec).

Background

First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.

According to the malware's Github repository, EnemyBot derives its source code from several botnets to form a powerful and more adjustable malware. The original botnet code that EnemyBot is using includes: Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).

Figure 1. EnemyBot page on Github.

The Keksec threat group is reported to have formed back in 2016 by a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described the threat actor’s activity in detail in a presentation, attributing to Keksec the development of botnets for different platforms including Windows and Linux:

  • Linux based botnets: Tsunami and Gafgyt
  • Windows based botnets: DarkIRC, DarkHTTP
  • Dual systems: Necro (developed in Python)

Source code analysis

The developer of the Github page on EnemyBot self-describes as a “full time malware dev,” who is also available for contract work. The user states their workplace as “Kek security,” implying a possible relationship with the broader Keksec group (see figure 2).

Figure 2. EnemyBot developer description.

The malware repository on Github contains four main sections:

cc7.py

This module is a Python script that downloads all dependencies and compiles the malware for different OS architectures including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3).

Figure 3. Compiling malware source code to a macOS executable.

Once compilation is complete, the script then creates a batch file ‘update.sh’ which is used by the bot as a downloader; it is delivered to any identified vulnerable targets to spread the malware.

Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.

enemy.c

This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports, by mixing the various botnet source codes mentioned above (Mirai, Qbot, and Zbot), primarily Mirai and Qbot (see figure 5).

Figure 5. EnemyBot source code.

hide.c

This module is compiled and manually executed by the attacker to encode / decode the malware’s strings, in order to hide strings in the binary. For that, the malware uses a simple swap table, in which each character is replaced with the corresponding character in the table (see figure 6).
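As an added illustration (not code from the EnemyBot repository), the following Python reproduces the kind of single-substitution swap table described above and shows what an analyst does with it: invert the table to decode strings, or recover part of the table from one known plaintext/obfuscated string pair. The table itself is constructed for the example; the real table is not reproduced on this page.

```python
import string

# Constructed swap table for the example: a fixed 13-position rotation over the printable
# characters. The real hide.c table is not on this page; any bijection would behave the same.
_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
_SHUFFLED = _ALPHABET[13:] + _ALPHABET[:13]
SWAP_TABLE = dict(zip(_ALPHABET, _SHUFFLED))


def invert_table(table):
    """Decoding a swap table only needs its inverse. Fail loudly if the table is not
    one-to-one, since decoding would then be ambiguous."""
    inverse = {v: k for k, v in table.items()}
    if len(inverse) != len(table):
        raise ValueError("table is not a bijection; decoding would be ambiguous")
    return inverse


def encode(plain, table=SWAP_TABLE):
    # Characters absent from the table (e.g. newline) pass through unchanged.
    return "".join(table.get(c, c) for c in plain)


def decode(obfuscated, table=SWAP_TABLE):
    inverse = invert_table(table)
    return "".join(inverse.get(c, c) for c in obfuscated)


def recover_table_from_pair(plain, obfuscated):
    """Partial table recovery for an analyst who knows one plaintext/obfuscated pair
    (a well-known string such as a path or a User-Agent). Swap-table obfuscation keeps
    length, so the mapping for every character in the pair is read off position by
    position; a character seen with two different images means the pair does not come
    from a single table."""
    if len(plain) != len(obfuscated):
        raise ValueError("swap-table obfuscation preserves length; these do not match")
    recovered = {}
    for p, o in zip(plain, obfuscated):
        if recovered.get(p, o) != o:
            raise ValueError(f"conflicting mapping for {p!r}")
        recovered[p] = o
    return recovered


if __name__ == "__main__":
    sample = "/proc/self/environ"
    hidden = encode(sample)
    print(hidden, "->", decode(hidden))
    print(recover_table_from_pair(sample, hidden))
```

Because every character maps to exactly one other character, the obfuscation preserves string length and character frequencies, which is why a handful of known strings is enough to rebuild most of the table.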

Figure 6. String decode.

servertor.c

Figure 7 shows the command-and-control (C&C) component, the botnet controller. The C&C is executed on a dedicated machine that is controlled by the attacker. It can control and send commands to infected machines (figure 7).

Figure 7. C&C component.

New variant analysis

Most of EnemyBot's functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.

In new variants of EnemyBot, the malware added a webscan function containing a total of 24 exploits to attack vulnerabilities in different devices and web servers (see figure 8).

Figure 8. EnemyBot calls a new function “webscan_xywz”.

To perform these functions, the malware randomly scans IP addresses and, when it gets a response via SYN/ACK, EnemyBot then scans for vulnerabilities on the remote server by executing several exploits.

The first exploit is for the Log4j vulnerability discovered last year as CVE-2021-44228 and CVE-2021-45046:

Figure 9. Exploiting the Log4J vulnerability.

The malware can also adopt new vulnerabilities within days of those vulnerabilities being discovered. Some examples are Razer Sila (April 2022), which was published without a CVE (see figure 10), and a remote code execution (RCE) vulnerability impacting VMWare Workspace ONE, CVE-2022-22954, the same month (see figure 11).

Figure 10. Exploiting vulnerability in Razer Sila.

Figure 11. Exploiting vulnerability in VMWare Workspace ONE.

EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).

Figure 12. EnemyBot targeting WordPress servers.

In the example shown in figure 12, notice that the malware elevates a local file inclusion (LFI) vulnerability into an RCE by injecting malicious code into ‘/proc/self/environ’. This technique is not new and was described in 2009. The malware uses the LFI to include ‘environ’ and passes the shell command in the User-Agent HTTP header.

Another example of how the malware uses this technique is shown in figure 13. In this example the malware is exploiting a vulnerability in DBltek GoIP.

Figure 13. Executing a shell command through an LFI vulnerability in DBltek.

If an Android device is connected by USB, or an Android emulator is running on the machine, EnemyBot will try to infect it by executing a shell command (figure 14).

Figure 14. EnemyBot “adb_infect” function to attack Android devices.

After infection, EnemyBot will wait for further commands from its C&C. However, in parallel it will also continue to propagate by scanning for more vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article).

Command            Action
SH                 Execute shell command
PING               Ping to server, wait for command
LDSERVER           Change loader server for payload.
TCPON              Turn on sniffer.
RSHELL             Create a reverse shell on an infected machine.
TCPOFF             Turn off sniffer.
UDP                Start UDP flood attack.
TCP                Start TCP flood attack.
HTTP               Start HTTP flood attack.
HOLD               Start TCP connection flooder.
TLS                Start TLS attack, start handshake without closing the socket.
STD                Start non-spoofed UDP flooder.
DNS                Start DNS flooder.
SCANNER ON | OFF   Start/Stop scanner – scan and infect vulnerable devices.
OVH                Start DDoS attack on OVH.
BLACKNURSE         Start ICMP flooder.
STOP               Stop ongoing attacks, kill child processes.
ARK                Start targeted attack on ARK: Survival Evolved video game server.
ADNS               Receive targets list from C&C and start DNS attack.
ASSDP              Start SSDP flood attack.

We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet (as of the publishing of this article).

CVE Number                                    Affected devices
CVE-2021-44228, CVE-2021-45046                Log4J RCE
CVE-2022-1388                                 F5 BIG IP RCE
No CVE (vulnerability published on 2022-02)   Adobe ColdFusion 11 RCE
CVE-2020-7961                                 Liferay Portal – Java Unmarshalling via JSONWS RCE
No CVE (vulnerability published on 2022-04)   PHP Scriptcase 9.7 RCE
CVE-2021-4039                                 Zyxel NWA-1100-NH Command injection
No CVE (vulnerability published on 2022-04)   Razer Sila – Command injection
CVE-2022-22947                                Spring Cloud Gateway – Code injection vulnerability
CVE-2022-22954                                VMWare Workspace One RCE
CVE-2021-36356, CVE-2021-35064                Kramer VIAware RCE
No CVE (vulnerability published on 2022-03)   WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published on 2022-02)   Dbltek GoIP LFI
No CVE (vulnerability published on 2022-03)   WordPress Cab Fare Calculator plugin LFI
No CVE (vulnerability published on 2022-03)   Archeevo 5.0 LFI
CVE-2018-16763                                Fuel CMS 1.4.1 RCE
CVE-2020-5902                                 F5 BigIP RCE
No CVE (vulnerability published in 2019)      ThinkPHP 5.X RCE
No CVE (vulnerability published in 2017)      Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
CVE-2022-25075                                TOTOLink A3000RU command injection vulnerability
CVE-2015-2051                                 D-Link devices – HNAP SOAPAction – Header command injection vulnerability
CVE-2014-9118                                 ZHOME < S3.0.501 RCE
CVE-2017-18368                                Zyxel P660HN – unauthenticated command injection
CVE-2020-17456                                Seowon SLR 120 router RCE
CVE-2018-10823                                D-Link DWR command injection in various models

Recommended actions

  1. Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
  2. Enable automatic updates to make sure your software has the latest security updates.
  3. Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
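Recommended action 3 (monitoring for outbound port scans) and the scanning behaviour described earlier (random IP scanning followed by exploitation of whatever answers) can be turned into a simple flow-based detection. The following Python is an added example, not tooling from the report: it flags a source that reaches many distinct destinations on the same port inside a short window, and separately flags connections to the C&C address listed in the IOC section. The flow records, internal addresses and ports are constructed; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Defanged C&C address from the IOC section of the report.
KNOWN_C2 = {"80.94.92[.]38"}


def refang(ioc):
    """Turn a defanged indicator such as 80.94.92[.]38 back into a matchable string."""
    return ioc.replace("[.]", ".")


def constructed_flows():
    """Constructed flow records (timestamp, src_ip, dst_ip, dst_port): one host sweeping
    a /24 on port 80, then contacting the C&C address (the port is a placeholder), and
    one host with ordinary HTTPS traffic."""
    base = datetime(2022, 5, 10, 12, 0, 0)
    flows = []
    for i in range(40):
        flows.append((base + timedelta(milliseconds=200 * i), "10.0.0.5", f"203.0.113.{i + 1}", 80))
    flows.append((base + timedelta(seconds=30), "10.0.0.5", "80.94.92.38", 8080))
    for i in range(5):
        flows.append((base + timedelta(seconds=60 * i), "10.0.0.9", f"198.51.100.{i % 2 + 1}", 443))
    return flows


def detect_scanners(flows, window=timedelta(seconds=60), threshold=20):
    """Flag (src, dport) pairs that reach `threshold` distinct destination IPs within
    `window`. Keyed on port because a Mirai-style scanner sweeps one service at a time."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_key[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dport), events in by_key.items():
        start = 0
        active = defaultdict(int)  # dst -> number of flows inside the current window
        for ts, dst in events:
            active[dst] += 1
            # slide the window start forward past flows older than `window`
            while events[start][0] < ts - window:
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            if len(active) >= threshold:
                alerts.append({"src": src, "dport": dport, "distinct_dsts": len(active), "at": ts})
                break  # one alert per (src, dport) is enough
    return alerts


def detect_c2_contacts(flows, iocs=KNOWN_C2):
    """Any flow whose destination matches a (refanged) C&C indicator."""
    bad = {refang(i) for i in iocs}
    return [{"src": s, "dst": d, "dport": p, "at": ts} for ts, s, d, p in flows if d in bad]


if __name__ == "__main__":
    flows = constructed_flows()
    for a in detect_scanners(flows):
        print("scan:", a)
    for c in detect_c2_contacts(flows):
        print("c2:", c)
```

Counting distinct destinations per (source, port) rather than raw connection volume separates a sweep from a busy but legitimate client, which talks to a few servers many times rather than many servers once. On real NetFlow or Zeek conn logs the same logic applies; only the record parsing changes.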

Conclusion

Keksec’s EnemyBot appears to be just starting to spread; however, due to the authors’ rapid updates, this botnet has the potential to become a major threat to IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept). This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or to aid additional research.

SURICATA IDS SIGNATURES

Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715

4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961)

4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961)

4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961)

2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)

2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)

2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE)

2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)

2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294) (set)

2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294)

2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)

2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)

4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)

2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1

2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2

2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound

2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound

2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound

2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt

2024916: ET EXPLOIT Netgear DGN Remote Command Execution

2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound

2034576: ET EXPLOIT Netgear DGN Remote Code Execution

2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)

4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)

2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)

4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1)

4002327: AV TROJAN Mirai faulty Zyxel exploit attempt

2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE

4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456)

2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)

2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)

2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)
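To make use of the signature list above, a practitioner wants to know which of the listed sids are actually present and enabled in the local ruleset. The following Python check is an added example, not Alien Labs tooling: it parses a rules file for sid values, treats a commented-out rule as present-but-disabled, and reports enabled, disabled and missing sids for a set taken from the list above. The rule bodies in the sample are placeholders, not the real ET/AV rules.

```python
import re

# Constructed excerpt of a local rules file. Only the sid values and whether a line is
# commented out matter here; the rule bodies are placeholders, not the real ET/AV rules.
SAMPLE_RULES = """\
alert http any any -> $HOME_NET any (msg:"placeholder rule A"; sid:2031318; rev:3;)
# alert http any any -> $HOME_NET any (msg:"placeholder rule B (disabled)"; sid:2035955; rev:2;)
alert http any any -> $HOME_NET any (msg:"placeholder rule C"; sid:2036416; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"placeholder rule D"; sid:2030469; rev:4;)

# a comment line without a rule is ignored
"""

# A subset of the sids listed in the report, used as the wanted set for the example.
REPORT_SIDS = {2031318, 2031592, 2035955, 2035956, 2036416, 2030469, 2030483}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Map sid -> enabled for every rule line. A line starting with '#' that still
    contains a sid is recorded as present but disabled."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if not line or not m:
            continue
        state[int(m.group(1))] = not line.startswith("#")
    return state


def coverage_report(wanted, rules_text):
    """Split the wanted sids into enabled, present-but-disabled and missing."""
    state = parse_rules(rules_text)
    return {
        "enabled": sorted(s for s in wanted if state.get(s) is True),
        "disabled": sorted(s for s in wanted if state.get(s) is False),
        "missing": sorted(s for s in wanted if s not in state),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(REPORT_SIDS, SAMPLE_RULES), indent=2))
```

Pointing `coverage_report` at the concatenated output of suricata-update (or the raw .rules files) with the full sid list from this section gives a quick gap check before relying on these detections; a sid that is present but disabled is worth a separate look, since disabled rules are often the ones that were too noisy in a particular environment.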

 

AGENT SIGNATURES

Java Process Spawning Scripting Process

 

Java Process Spawning WMIC

Java Process Spawning Scripting Process via Commandline (For Jenkins servers)

Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)

Suspicious command executed by a Java listening process (For Linux servers)

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other related activity that is out of the scope of this report.

TYPE         INDICATOR                                                          DESCRIPTION
IP ADDRESS   80.94.92[.]38                                                      Malware C&C
SHA256       7c0fe3841af72d55b55bc248167665da5a9036c972acb9a9ac0a7a21db016cc6   Malware hash
SHA256       2abf6060c8a61d7379adfb8218b56003765c1a1e701b346556ca5d53068892a5   Malware hash
SHA256       7785efeeb495ab10414e1f7e4850d248eddce6be91738d515e8b90d344ed820d   Malware hash
SHA256       8e711f38a80a396bd4dacef1dc9ff6c8e32b9b6d37075cea2bbef6973deb9e68   Malware hash
SHA256       31a9c513a5292912720a4bcc6bd4918fc7afcd4a0b60ef9822f5c7bd861c19b8   Malware hash
SHA256       139e1b14d3062881849eb2dcfe10b96ee3acdbd1387de82e73da7d3d921ed806   Malware hash
SHA256       4bd6e530db1c7ed7610398efa249f9c236d7863b40606d779519ac4ccb89767f   Malware hash
SHA256       7a2a5da50e87bb413375ecf12b0be71aea4e21120c0c2447d678ef73c88b3ba0   Malware hash
SHA256       ab203b50226f252c6b3ce2dd57b16c3a22033cd62a42076d09c9b104f67a3bc9   Malware hash
SHA256       70674c30ed3cf8fc1f8a2b9ecc2e15022f55ab9634d70ea3ba5e2e96cc1e00a0   Malware hash
SHA256       f4f9252eac23bbadcbd3cf1d1cada375cb839020ccb0a4e1c49c86a07ce40e1e   Malware hash
SHA256       6a7242683122a3d4507bb0f0b6e7abf8acef4b5ab8ecf11c4b0ebdbded83e7aa   Malware hash
SHA256       b63e841ded736bca23097e91f1f04d44a3f3fdd98878e9ef2a015a09950775c8   Malware hash
SHA256       4869c3d443bae76b20758f297eb3110e316396e17d95511483b99df5e7689fa0   Malware hash
SHA256       cdf2c0c68b5f8f20af448142fd89f5980c9570033fe2e9793a15fdfdadac1281   Malware hash

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0001: Initial Access:
    • T1190: Exploit Public-Facing Application
  • TA0008: Lateral Movement:
    • T1210: Exploitation of Remote Services
    • T1021: Remote Services
  • TA0011: Command and Control:
    • T1132: Data Encoding
    • T1001: Data Obfuscation
    • T1030: Proxy