Enemy Bot involved in DDoS Exortion

Fortinet reseaechers have discovered a new DDoS botnet, dubbed Enemybot, that targetting routers and web servers by exploiting known vulnerabilities. This botnet attributed to cyber threat group Keksec involving DDoS based extortion

Upon installing the threat, the bot drops a file in /tmp/.pwned, containing a message that attributes itself to Keksec. The message was stored as cleartext in earlier samples, and encoded with an XOR operation using a multiple-byte key in new samples

The Enemybot botnet borrows the code from Gafgyt bot and re-uses certain codes from the Mirai botnet. 

It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated. Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.

Fortinet Statement

The botnet implements multiple obfuscation techniques to avoid detection and hides C2 on the Tor network. It uses a list of hardcoded username/password combinations to login into devices in the attempt to access systems using weak or default credentials. The bot also tries to run shell commands to infect misconfigured Android devices that expose Android Debug Bridge port (5555).

The malware exploits tens of known vulnerabilities including:

• CVE-2020-17456 vulnerability affecting SEOWON INTECH SLC-130 and SLR-120S routers;
• CVE-2018-10823 flaw an older D-Link routers (DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01).
• CVE-2022-27226 affecting iRZ mobile routers;
• CVE-2022-25075 to 25084: Targets TOTOLINK routers, previously exploited by the  Beastmode  botnet
• CVE-2021-44228/2021-45046: Better known as Log4j.
• CVE-2021-41773/CVE-2021-42013: Targets Apache HTTP servers
• CVE-2018-20062: Targets ThinkPHP CMS
• CVE-2017-18368: Targets Zyxel P660HN routers
• CVE-2016-6277: Targets NETGEAR routers
• CVE-2015-2051: Targets D-Link routers
• CVE-2014-9118: Targets Zhone routers

The bot runs a shell command to download a shell script from a URL that is dynamically updated by the C2 using the command  LDSERVER. Then the script downloads the actual Enemybot binary which is compiled for the target device’s architecture.

Once the bot has been installed on a device, it connects to its C2 server and waits for further commands

Indicators of Compromise

• 5260b9a859d936c5b8e0dd81c0238de136d1159e41f0b148f86e2555cf4a4e38
• b025a17de0ba05e3821444da8f8fc3d529707d6b311102db90d9f04c11577573
• bf2f2eb08489552d46b8f50fb07073433f4af94e1215865c48d45f795f96342f
• adb51a8d112590a6fdd02ac8d812b837bbe0fcdd762dba6bbba0bd0b538f9aef
• 373b43345a7e4a6b1d5a6d568a8f6a38906760ea761eacd51a11c164393e4bad
• b56655c3c9eed7cd4bce98eeebdcead8daa75a33498ad4f287c753ecc9554aca
• cebd50b3a72a314c935b426c0e6b30ec08e0e0cb53e474efffb66f0907309243
• 73e929575afc04758a23c027ebe4f60ab5c4ba0ab7fa8756b27ed71548302009
• 33d282c6bccf608d4fbf3a211879759019741c1b822c6cea56c6f479be598367
• 80f264d7b45a52bd000165f3f3b0fdc0e405f3f128a60a9ec6f085bfba114971
• 9acf649b74f4aae43a2db90b8d39a7cd39bf6b82c995da7a1ffa6f23c3549b14
• a7213ae906a008ad06020436db120a14568c41eae4335d6c76f2bbc33ee9fbcc
• 2ea62957b9dd8e95052d64a48626c0fa137f0fa9ca4fa53f7f1d8fe35aa38dc0
• 2ec8016e5fb8375d0cc66bc81f21c2d3f22b785eb4f8e2a02b0b5254159696f5
• 06f9083e8109685aecb2c35441932d757184f7749096c9e23aa7d8b7a6c080f8
• fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473
• c01156693d1d75481dc96265b41e661301102f3da4edae89338ee9c64dc57d32
• 820703b9a28d4b46692b7bf61431dc81186a970c243182740d623817910051d1
• 9790f79da34a70e7fb2e07896a5ada662978473457ca5e2701bd1d1df0b9f10f
• a799be50ad82e6338c9e0b33d38612e6ad171872407d5d7de36022adf9b8bf63
• 4b2b4876ecc7d466eceb30ecbd79001af142b629200bbe61ebd45f4e63cd62ef
• d14df997bdf1e3fd3d18edf771376a666dd791dcac550c7dd8de0323823e1037
• 32faf178c5929510234f2d02aea39ca67ab893e18f60c1593f0c043153625e9d
• cc5a743b458bb098998693a73b6a13b9946d375c7c01ac6d37937871d6539102
• 980fb4731a70a472699fcbee1a16e76c78c1b36ab6430b94dbe2169f8ac21340
• 93706966361922b493d816fa6ee1347c90de49b6d59fc01c033abdd6549ac8b9
• f805f22f668bd0414497ddc061e021c5b80b80c9702053d72fc809f19307073b
• 2e6305521d4ac770fc661658da6736d658eef384a9aa68bc49613d2be2d23a0d
• e8c9452581830668941b3dca59896d339eb65cd8f21875b0e36261e5c093f7fe

Download URLs

• http://198[.]12[.]116[.]254/folder/dnsamp.txt
• http://198[.]12[.]116[.]254/folder/enemybotarm
• http://198[.]12[.]116[.]254/folder/enemybotarm5
• http://198[.]12[.]116[.]254/folder/enemybotarm64
• http://198[.]12[.]116[.]254/folder/enemybotarm7
• http://198[.]12[.]116[.]254/folder/enemybotbsd
• http://198[.]12[.]116[.]254/folder/enemybotdarwin
• http://198[.]12[.]116[.]254/folder/enemyboti586
• http://198[.]12[.]116[.]254/folder/enemyboti686
• http://198[.]12[.]116[.]254/folder/enemybotm68k
• http://198[.]12[.]116[.]254/folder/enemybotmips
• http://198[.]12[.]116[.]254/folder/enemybotmpsl
• http://198[.]12[.]116[.]254/folder/enemybotppc
• http://198[.]12[.]116[.]254/folder/enemybotppc-440fp
• http://198[.]12[.]116[.]254/folder/enemybotsh4
• http://198[.]12[.]116[.]254/folder/enemybotspc
• http://198[.]12[.]116[.]254/folder/enemybotx64
• http://198[.]12[.]116[.]254/folder/enemybotx86
• http://198[.]12[.]116[.]254/folder/enemybotx64
• http://198[.]12[.]116[.]254/update.sh