May 28, 2023

EnemyBot malware botnet expanding its target list with recently-discovered vulnerabilities in F5 hardware and VMware software.

Initially discovered in March 2022, EnemyBot’s original target was the wide range of Linux variants used in IoT devices. But the recent analysis released by AT&T Alien Labs showed EnemyBot is launching attacks against a number of most recent vulnerabilities in content management systems, web servers, F5 hardware, and VMware software.

Advertisements

There’s quite a list of targets in the AT&T analysis, with the high-profile Log4j remote code execution (RCE) vulnerabilities from last year (CVE-2021-44228 and CVE-2021-45046), a VMware Workspace ONE vulnerability (CVE-2022-22954) discovered in April, and a REST vulnerability in F5’s BIG-IP application delivery server (CVE-2022-1388) published in May.

Nine of the vulnerabilities, including several in WordPress plugins and one in Adobe ColdFusion 11 discovered in February, have no CVE assigned.

If EnemyBot successfully infects a target, it will try to find other vulnerable hosts to infect.

Advertisements

Its C&C servers can also invoke a range of commands on EnemyBot, including various DDoS tools, shell commands, reverse shell creation, and a TLS attack. It will also try to infect Android devices connected through the USB port.

Indicators of Compromise

  • 7c0fe3841af72d55b55bc248167665da5a9036c972acb9a9ac0a7a21db016cc6
  • 2abf6060c8a61d7379adfb8218b56003765c1a1e701b346556ca5d53068892a5
  • 7785efeeb495ab10414e1f7e4850d248eddce6be91738d515e8b90d344ed820d
  • 8e711f38a80a396bd4dacef1dc9ff6c8e32b9b6d37075cea2bbef6973deb9e68
  • 31a9c513a5292912720a4bcc6bd4918fc7afcd4a0b60ef9822f5c7bd861c19b8
  • 139e1b14d3062881849eb2dcfe10b96ee3acdbd1387de82e73da7d3d921ed806
  • 4bd6e530db1c7ed7610398efa249f9c236d7863b40606d779519ac4ccb89767f
  • 7a2a5da50e87bb413375ecf12b0be71aea4e21120c0c2447d678ef73c88b3ba0
  • ab203b50226f252c6b3ce2dd57b16c3a22033cd62a42076d09c9b104f67a3bc9
  • 70674c30ed3cf8fc1f8a2b9ecc2e15022f55ab9634d70ea3ba5e2e96cc1e00a0
  • f4f9252eac23bbadcbd3cf1d1cada375cb839020ccb0a4e1c49c86a07ce40e1e
  • 6a7242683122a3d4507bb0f0b6e7abf8acef4b5ab8ecf11c4b0ebdbded83e7aa
  • b63e841ded736bca23097e91f1f04d44a3f3fdd98878e9ef2a015a09950775c8
  • 4869c3d443bae76b20758f297eb3110e316396e17d95511483b99df5e7689fa0
  • cdf2c0c68b5f8f20af448142fd89f5980c9570033fe2e9793a15fdfdadac1281
Tags:

Leave a Reply

You may have missed

Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
Buhti Ransomware Dissection

Buhti Ransomware Dissection

May 26, 2023
Volt Typhoon – Chinese Threat Actor Targetting US Infra

Volt Typhoon – Chinese Threat Actor Targetting US Infra

May 25, 2023
%d bloggers like this: