Thursday, March 28, 2024

A New Linux-based Botnet Targeting Vulnerabilities in Web Servers & Android Servers

Currently, a new botnet extends its reach with the help of code originating from various pieces of malware. The company is doing so by rapidly adding exploits for several vulnerabilities recently identified in the following things:-

  • Web servers
  • Content management systems
  • IoT
  • Android devices

As of March, when the latest analysis of the botnet emerged, a research team at Securonix discovered this botnet for the first time. 

After more recent research by Securonix in March, Fortinet discovered newer samples of it in April. Currently, there are more than a dozen chip architectures with vulnerabilities, and more are in the works.

This botnet contains several modules for scanning for new targets and infecting them, which allow the malware to make distributed denial-of-service attacks.

In the early stages of the attack, the first targets included the routers from Seowon Intech, D-Link, and iRZ. Moreover, it has been identified that EnemyBot is linked to a malicious actor known as Keksec that is also known as:-

  • Kek Security
  • Necro
  • FreakOut

EnemyBot’s Components

Several other botnets, including Mirai, Qbot, Zbot, Gafgyt, and LolFMe, are the origins of EnemyBot, which is capable of launching DDoS attacks. In terms of composition, it has four components, as evidenced by an analysis of the latest variant.

Here we have mentioned below all the four components of EnemyBot:-

  • A Python module that downloads dependencies and compiles the malware for different platforms based on the architecture that runs the OS.
  • The core botnet section.
  • To encrypt and decode the malware’s strings, there is an obfuscation segment that is designed to do that.
  • Using the command-and-control features, one can receive attack commands and obtain additional payloads.

Addition of new variants

EnemyBot includes exploits for 24 vulnerabilities in its latest version. In more than half of these cases, the vulnerability is critical, but there are a few that don’t even have a CVE number, which makes it more challenging to patch the vulnerability.

AT&T Alien Labs found exploits for a new variant of the Trojan that was analyzed. The exploits involved the following security vulnerabilities:-

  • CVE-2022-22954: A remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager.
  • CVE-2022-22947: A remote code execution flaw in Spring.
  • CVE-2022-1388: A remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover.

RSHELL command

A newer version of the malware appears to support a wider variety of commands, but RSHELL stands out as one of its features.

An infected system can be made vulnerable by using this command on an infected system. Threat actors gain access to compromised systems by bypassing firewalls with the help of this.

It was not a coincidence that the threat actors released the source code of EnemyBot, making it available to anyone wanting to use it against them.

Recommendations

Here below we have mentioned all the recommendations:-

  • Make sure that the systems are fully patched and that they are not susceptible to RCE.
  • In order to reduce the likelihood of external exploitation, firmware patches must be applied to all IoT devices.
  • By using layer-7 network monitoring and detection, you can detect common exploits and RCEs that may be exploited.
  • Isolate external network segments from internal hosts by ensuring that external network segments have no access to internal hosts.
  • The /tmp/ directories of linux must be disabled or limited in execution.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles