Home » EnemyBot malware adds new exploits to target CMS servers and Android devices

EnemyBot malware adds new exploits to target CMS servers and Android devices

by Security Affairs
0 comment

The operators of the EnemyBot botnet added exploits for recently disclosed flaws in VMware, F5 BIG-IP, and Android systems.

Operators behind the EnemyBot botnet are expanding the list of potential targets adding exploits for recently disclosed critical vulnerabilities in from VMware, F5 BIG-IP, and Android.

The botnet was first discovered by Fortinet in March, the DDoS botnet targeted several routers and web servers by exploiting known vulnerabilities. The botnet targets multiple architectures, including arm, bsd, x64, and x86.

The researchers attribute the botnet to the cybercrime group Keksec which focuses on DDoS-based extortion. Upon installing the threat, the bot drops a file in /tmp/.pwned, containing a message that attributes itself to Keksec. The message was stored as cleartext in earlier samples, new samples were released with the message encoded with an XOR operation using a multiple-byte key.

Experts pointed out that the malware is being actively developed.

The Enemybot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet. Gafgyt is a popular choice for launching large-scale DDoS attacks, it first appeared in the threat landscape in 2014. The botnet implements multiple obfuscation techniques to avoid detection and hides C2 on the Tor network.

The Enemybot botnet employs several methods to spread and targets other IoT devices. It uses a list of hardcoded username/password combinations to login into devices in the attempt to access systems using weak or default credentials. The bot also tries to run shell commands to infect misconfigured Android devices that expose the Android Debug Bridge port (5555).

The first version of the bot exploits tens of known vulnerabilities including:

CVE-2020-17456 vulnerability affecting SEOWON INTECH SLC-130 and SLR-120S routers;

CVE-2018-10823 flaw an older D-Link routers (DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01).

CVE-2022-27226 affecting iRZ mobile routers;

CVE-2022-25075 to 25084: Targets TOTOLINK routers, previously exploited by the Beastmode botnet

CVE-2021-44228/2021-45046: Better known as Log4j, more details are available on our Fortinet PSIRT blog

CVE-2021-41773/CVE-2021-42013: Targets Apache HTTP servers

CVE-2018-20062: Targets ThinkPHP CMS

CVE-2017-18368: Targets Zyxel P660HN routers

CVE-2016-6277: Targets NETGEAR routers

CVE-2015-2051: Targets D-Link routers

CVE-2014-9118: Targets Zhone routers

NETGEAR DGN1000 exploit (No CVE assigned): Targets NETGEAR routers

Now researchers from AT&T Alien Labs analyzed the latest variants of the EnemyBot bot and discovered that it included exploits for 24 vulnerabilities, including issues that don’t even have a CVE number.

“We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet.” states the report published by AT&T Alien Labs.

CVE Number

Affected devices

CVE-2021-44228, CVE-2021-45046

Log4J RCE

CVE-2022-1388

F5 BIG IP RCE

No CVE (vulnerability published on 2022-02)

Adobe ColdFusion 11 RCE

CVE-2020-7961

Liferay Portal – Java Unmarshalling via JSONWS RCE

No CVE (vulnerability published on 2022-04)

PHP Scriptcase 9.7 RCE

CVE-2021-4039

Zyxel NWA-1100-NH Command injection

No CVE (vulnerability published on 2022-04)

Razar Sila – Command injection

CVE-2022-22947

Spring Cloud Gateway – Code injection vulnerability

CVE-2022-22954

VMWare Workspace One RCE

CVE-2021-36356, CVE-2021-35064

Kramer VIAware RCE

No CVE (vulnerability published on 2022-03)

WordPress Video Synchro PDF plugin LFI

No CVE (vulnerability published on 2022-02)

Dbltek GoIP LFI

No CVE(vulnerability published on 2022-03)

WordPress Cab Fare Calculator plugin LFI

No CVE(vulnerability published on 2022-03)

Archeevo 5.0 LFI

CVE-2018-16763

Fuel CMS 1.4.1 RCE

CVE-2020-5902

F5 BigIP RCE

No CVE (vulnerability published on 2019)

ThinkPHP 5.X RCE

No CVE (vulnerability published on 2017)

Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE

CVE-2022-25075

TOTOLink A3000RU command injection vulnerability

CVE-2015-2051

D-Link devices – HNAP SOAPAction – Header command injection vulnerability

CVE-2014-9118

ZHOME < S3.0.501 RCE

CVE-2017-18368

Zyxel P660HN – unauthenticated command injection

CVE-2020-17456

Seowon SLR 120 router RCE

CVE-2018-10823

D-Link DWR command injection in various models

The new variant of the bot includes exploits for the following security issues:

CVE-2022-22954: Critical RCE flaw in VMware Workspace ONE Access and VMware Identity Manager.

CVE-2022-22947: RCE flaw in Spring.

CVE-2022-1388: Critical RCE flaw in F5 BIG-IP.

AT&T researchers reported the availability of the EnemyBot source code on GitHub, this means that threat actors can modify it to create their own version of the bot.

Researchers recommend properly configuring the firewall to protect the devices exposed online, enable automatic updates, and monitor network traffic.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept).” concludes the report. “This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, EnemyBot)

The post EnemyBot malware adds new exploits to target CMS servers and Android devices appeared first on Security Affairs.

You may also like

Leave a Comment

CyberNonStop

Cybernonstop is created to bring news and knowledge through articles to visitors.

Do not forget to subscribe.

Laest News

@2021 – All Right Reserved. Designed and Developed by PenciDesign