EnemyBot Malware Detection: IoT Botnet Exploits More Bugs

EnemyBot Malware

Keksec, aka Nero and Freakout, the threat actor behind the advanced EnemyBot botnet, is expanding its reach by leveraging more exploits, compromising multiple organizations regardless of their industry vertical. The EnemyBot malware authors took all the best and left behind the obsolete of code used in other botnets such as Gafgyt, Qbot, or Mirai.

The botnet is currently used to weaponize security holes in products of such vendors as VMware, D-Link, Adobe, Zyxel, and WordPress, as well as leveraging vulnerabilities in web and CMS servers as well as Android and IoT devices. Adversaries put the bugs to use to be able to move laterally to get deeper into a compromised network and also launch distributed denial-of-service (DDoS) attacks. New one-day vulnerabilities quickly fall under the umbrella of this malware’s attack capabilities.

Detect EnemyBot Malware

Detect malicious actions associated with the EnemyBot malware with a Sigma rule newly released to the Threat Detection Marketplace of the SOC Prime Platform. The detection piece is provided by our top-tier Threat Bounty developer Osman Demir:

Suspicious Ingress Tool Transfer of EnemyBot (via file_event)

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Command and Control tactic with Ingress Tool Transfer (T1105) as the main technique.

If you have not registered yet to the Platform but still would like to give our threat detection content a try, see what’s available with the cyber threats’ Search Engine. Browse through a rich collection of Sigma rules with relevant threat context and CTI and MITRE ATT&CK references now, registration-free. Hit the Drill Down to Search Engine button to drive better detection hassle-free.

Verified users have access to 185K+ detection algorithms and threat hunting queries aligned with 25+ industry-leading SIEM, EDR, and XDR solutions. Press the View in SOC Prime Platform button to access the vast library of Sigma and YARA rules to comb through your security data with more efficiency and agility.

View in SOC Prime Platform Drill Down to Search Engine

EnemyBot Malware Analysis

EnemyBot attacks got on security researchers’ radar in early Spring 2022. Analysts from Securonix were the first to document the new Linux-based botnet in March 2022, followed by Fortinet and AT&T’s reports on the rapid botnet’s evolution. The botnet was developed by the Keksec group, known to operate in the threat landscape since 2016. Today, EnebyBot operators are leveraging high-profile vulnerabilities such as notorious Log4j or a recent critical flaw in F5 BIG-IP.

The botnet has four modules. The first section contains the python script, which is used to retrieve all dependencies and create the malware for various OS architectures. The second module is the main botnet source code. The third section is an obfuscation segment, and the last one includes the command-and-control component. Once in the system, the malware connects to the C&C server for instructions, which might include spreading to new devices, operating DDoS attacks, and running shell commands.

It should also be mentioned that the base source code for EnemyBot is published on Github, so threat actors outside the Keksec group can also use the botnet in their attacks.

Ready to explore the comprehensive toolset for SOC professionals and see the Detection as Code in action? Register to the SOC Prime Platform to access the benefits of the only Threat Detection Marketplace where researchers monetize their content.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts