Monday, November 4, 2024
HomeCyber Security NewsA New Linux-based Botnet Targeting Vulnerabilities in Web Servers & Android Servers

A New Linux-based Botnet Targeting Vulnerabilities in Web Servers & Android Servers

Published on

Malware protection

Currently, a new botnet extends its reach with the help of code originating from various pieces of malware. The company is doing so by rapidly adding exploits for several vulnerabilities recently identified in the following things:-

  • Web servers
  • Content management systems
  • IoT
  • Android devices

As of March, when the latest analysis of the botnet emerged, a research team at Securonix discovered this botnet for the first time. 

After more recent research by Securonix in March, Fortinet discovered newer samples of it in April. Currently, there are more than a dozen chip architectures with vulnerabilities, and more are in the works.

- Advertisement - SIEM as a Service

This botnet contains several modules for scanning for new targets and infecting them, which allow the malware to make distributed denial-of-service attacks.

In the early stages of the attack, the first targets included the routers from Seowon Intech, D-Link, and iRZ. Moreover, it has been identified that EnemyBot is linked to a malicious actor known as Keksec that is also known as:-

  • Kek Security
  • Necro
  • FreakOut

EnemyBot’s Components

Several other botnets, including Mirai, Qbot, Zbot, Gafgyt, and LolFMe, are the origins of EnemyBot, which is capable of launching DDoS attacks. In terms of composition, it has four components, as evidenced by an analysis of the latest variant.

Here we have mentioned below all the four components of EnemyBot:-

  • A Python module that downloads dependencies and compiles the malware for different platforms based on the architecture that runs the OS.
  • The core botnet section.
  • To encrypt and decode the malware’s strings, there is an obfuscation segment that is designed to do that.
  • Using the command-and-control features, one can receive attack commands and obtain additional payloads.

Addition of new variants

EnemyBot includes exploits for 24 vulnerabilities in its latest version. In more than half of these cases, the vulnerability is critical, but there are a few that don’t even have a CVE number, which makes it more challenging to patch the vulnerability.

AT&T Alien Labs found exploits for a new variant of the Trojan that was analyzed. The exploits involved the following security vulnerabilities:-

  • CVE-2022-22954: A remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager.
  • CVE-2022-22947: A remote code execution flaw in Spring.
  • CVE-2022-1388: A remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover.

RSHELL command

A newer version of the malware appears to support a wider variety of commands, but RSHELL stands out as one of its features.

An infected system can be made vulnerable by using this command on an infected system. Threat actors gain access to compromised systems by bypassing firewalls with the help of this.

It was not a coincidence that the threat actors released the source code of EnemyBot, making it available to anyone wanting to use it against them.

Recommendations

Here below we have mentioned all the recommendations:-

  • Make sure that the systems are fully patched and that they are not susceptible to RCE.
  • In order to reduce the likelihood of external exploitation, firmware patches must be applied to all IoT devices.
  • By using layer-7 network monitoring and detection, you can detect common exploits and RCEs that may be exploited.
  • Isolate external network segments from internal hosts by ensuring that external network segments have no access to internal hosts.
  • The /tmp/ directories of linux must be disabled or limited in execution.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...