Saturday, April 13, 2024

A New Linux-based Botnet Targeting Vulnerabilities in Web Servers & Android Servers

Currently, a new botnet extends its reach with the help of code originating from various pieces of malware. The company is doing so by rapidly adding exploits for several vulnerabilities recently identified in the following things:-

  • Web servers
  • Content management systems
  • IoT
  • Android devices

As of March, when the latest analysis of the botnet emerged, a research team at Securonix discovered this botnet for the first time. 

After more recent research by Securonix in March, Fortinet discovered newer samples of it in April. Currently, there are more than a dozen chip architectures with vulnerabilities, and more are in the works.

This botnet contains several modules for scanning for new targets and infecting them, which allow the malware to make distributed denial-of-service attacks.

In the early stages of the attack, the first targets included the routers from Seowon Intech, D-Link, and iRZ. Moreover, it has been identified that EnemyBot is linked to a malicious actor known as Keksec that is also known as:-

  • Kek Security
  • Necro
  • FreakOut

EnemyBot’s Components

Several other botnets, including Mirai, Qbot, Zbot, Gafgyt, and LolFMe, are the origins of EnemyBot, which is capable of launching DDoS attacks. In terms of composition, it has four components, as evidenced by an analysis of the latest variant.

Here we have mentioned below all the four components of EnemyBot:-

  • A Python module that downloads dependencies and compiles the malware for different platforms based on the architecture that runs the OS.
  • The core botnet section.
  • To encrypt and decode the malware’s strings, there is an obfuscation segment that is designed to do that.
  • Using the command-and-control features, one can receive attack commands and obtain additional payloads.

Addition of new variants

EnemyBot includes exploits for 24 vulnerabilities in its latest version. In more than half of these cases, the vulnerability is critical, but there are a few that don’t even have a CVE number, which makes it more challenging to patch the vulnerability.

AT&T Alien Labs found exploits for a new variant of the Trojan that was analyzed. The exploits involved the following security vulnerabilities:-

  • CVE-2022-22954: A remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager.
  • CVE-2022-22947: A remote code execution flaw in Spring.
  • CVE-2022-1388: A remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover.

RSHELL command

A newer version of the malware appears to support a wider variety of commands, but RSHELL stands out as one of its features.

An infected system can be made vulnerable by using this command on an infected system. Threat actors gain access to compromised systems by bypassing firewalls with the help of this.

It was not a coincidence that the threat actors released the source code of EnemyBot, making it available to anyone wanting to use it against them.


Here below we have mentioned all the recommendations:-

  • Make sure that the systems are fully patched and that they are not susceptible to RCE.
  • In order to reduce the likelihood of external exploitation, firmware patches must be applied to all IoT devices.
  • By using layer-7 network monitoring and detection, you can detect common exploits and RCEs that may be exploited.
  • Isolate external network segments from internal hosts by ensuring that external network segments have no access to internal hosts.
  • The /tmp/ directories of linux must be disabled or limited in execution.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles