A threat group that pursues crypto mining and distributed denial-of-service (DDoS) attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things (IoT) devices since last month.
“This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code,” Fortinet FortiGuard Labs said in a report this week.
The botnet has been attributed to an actor named Keksec (aka Kek Security, Necro, and FreakOut), which has been linked to multiple botnets such as Simps, Ryuk (not to be confused with the ransomware of the same name), and Samael, and has a history of targeting cloud infrastructure to carry out crypto mining and DDoS operations.
The botnet primarily targets routers from Seowon Intech, D-Link, and iRZ to propagate its infections and grow in volume. Analysis of the malware specimen has also highlighted Enemybot's attempts at obfuscation to hinder analysis, and its use of a command-and-control server hosted in the Tor anonymity network to fetch attack commands.
Enemybot, like the group's other botnet malware, is the result of combining and modifying the source code of Mirai and Gafgyt, with the latest version using Mirai's scanner and bot killer modules to scan for and terminate competitor processes running on the same devices.
Some of the n-day vulnerabilities used by the botnet to infect more devices are as follows –
CVE-2020-17456 (CVSS score: 9.8) – A remote code execution flaw in Seowon Intech SLC-130 and SLR-120S devices.
CVE-2018-10823 (CVSS score: 8.8) – An arbitrary code execution vulnerability in D-Link routers.
CVE-2022-27226 (CVSS score: 8.8) – A cross-site request forgery issue affecting iRZ Mobile Routers, leading to remote code execution.