A New Linux-based Botnet Targeting Vulnerabilities in Web Servers & Android Servers

Currently, a new botnet extends its reach with the help of code originating from various pieces of malware. The company is doing so by rapidly adding exploits for several vulnerabilities recently identified in the following things:-

  • Web servers
  • Content management systems
  • IoT
  • Android devices

As of March, when the latest analysis of the botnet emerged, a research team at Securonix discovered this botnet for the first time. 

After more recent research by Securonix in March, Fortinet discovered newer samples of it in April. Currently, there are more than a dozen chip architectures with vulnerabilities, and more are in the works.

This botnet contains several modules for scanning for new targets and infecting them, which allow the malware to make distributed denial-of-service attacks.

In the early stages of the attack, the first targets included the routers from Seowon Intech, D-Link, and iRZ. Moreover, it has been identified that EnemyBot is linked to a malicious actor known as Keksec that is also known as:-

  • Kek Security
  • Necro
  • FreakOut

EnemyBot’s Components

Several other botnets, including Mirai, Qbot, Zbot, Gafgyt, and LolFMe, are the origins of EnemyBot, which is capable of launching DDoS attacks. In terms of composition, it has four components, as evidenced by an analysis of the latest variant.

Here we have mentioned below all the four components of EnemyBot:-

  • A Python module that downloads dependencies and compiles the malware for different platforms based on the architecture that runs the OS.
  • The core botnet section.
  • To encrypt and decode the malware’s strings, there is an obfuscation segment that is designed to do that.
  • Using the command-and-control features, one can receive attack commands and obtain additional payloads.

Addition of new variants

EnemyBot includes exploits for 24 vulnerabilities in its latest version. In more than half of these cases, the vulnerability is critical, but there are a few that don’t even have a CVE number, which makes it more challenging to patch the vulnerability.

AT&T Alien Labs found exploits for a new variant of the Trojan that was analyzed. The exploits involved the following security vulnerabilities:-

  • CVE-2022-22954: A remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager.
  • CVE-2022-22947: A remote code execution flaw in Spring.
  • CVE-2022-1388: A remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover.

RSHELL command

A newer version of the malware appears to support a wider variety of commands, but RSHELL stands out as one of its features.

An infected system can be made vulnerable by using this command on an infected system. Threat actors gain access to compromised systems by bypassing firewalls with the help of this.

It was not a coincidence that the threat actors released the source code of EnemyBot, making it available to anyone wanting to use it against them.


Here below we have mentioned all the recommendations:-

  • Make sure that the systems are fully patched and that they are not susceptible to RCE.
  • In order to reduce the likelihood of external exploitation, firmware patches must be applied to all IoT devices.
  • By using layer-7 network monitoring and detection, you can detect common exploits and RCEs that may be exploited.
  • Isolate external network segments from internal hosts by ensuring that external network segments have no access to internal hosts.
  • The /tmp/ directories of linux must be disabled or limited in execution.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Leave a Reply