Home » EnemyBot malware adds new exploits to target CMS servers and Android devices

EnemyBot malware adds new exploits to target CMS servers and Android devices

by Security Affairs
0 comment

The operators of the EnemyBot botnet added exploits for recently disclosed flaws in VMware, F5 BIG-IP, and Android systems.

Operators behind the EnemyBot botnet are expanding the list of potential targets adding exploits for recently disclosed critical vulnerabilities in from VMware, F5 BIG-IP, and Android.

The botnet was first discovered by Fortinet in March, the DDoS botnet targeted several routers and web servers by exploiting known vulnerabilities. The botnet targets multiple architectures, including arm, bsd, x64, and x86.

The researchers attribute the botnet to the cybercrime group Keksec which focuses on DDoS-based extortion. Upon installing the threat, the bot drops a file in /tmp/.pwned, containing a message that attributes itself to Keksec. The message was stored as cleartext in earlier samples, new samples were released with the message encoded with an XOR operation using a multiple-byte key.

Experts pointed out that the malware is being actively developed.

The Enemybot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet. Gafgyt is a popular choice for launching large-scale DDoS attacks, it first appeared in the threat landscape in 2014. The botnet implements multiple obfuscation techniques to avoid detection and hides C2 on the Tor network.

The Enemybot botnet employs several methods to spread and targets other IoT devices. It uses a list of hardcoded username/password combinations to login into devices in the attempt to access systems using weak or default credentials. The bot also tries to run shell commands to infect misconfigured Android devices that expose the Android Debug Bridge port (5555).

The first version of the bot exploits tens of known vulnerabilities including:

CVE-2020-17456 vulnerability affecting SEOWON INTECH SLC-130 and SLR-120S routers;

CVE-2018-10823 flaw an older D-Link routers (DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01).

CVE-2022-27226 affecting iRZ mobile routers;

CVE-2022-25075 to 25084: Targets TOTOLINK routers, previously exploited by the Beastmode botnet

CVE-2021-44228/2021-45046: Better known as Log4j, more details are available on our Fortinet PSIRT blog

CVE-2021-41773/CVE-2021-42013: Targets Apache HTTP servers

CVE-2018-20062: Targets ThinkPHP CMS

CVE-2017-18368: Targets Zyxel P660HN routers

CVE-2016-6277: Targets NETGEAR routers

CVE-2015-2051: Targets D-Link routers

CVE-2014-9118: Targets Zhone routers

NETGEAR DGN1000 exploit (No CVE assigned): Targets NETGEAR routers

Now researchers from AT&T Alien Labs analyzed the latest variants of the EnemyBot bot and discovered that it included exploits for 24 vulnerabilities, including issues that don’t even have a CVE number.

“We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet.” states the report published by AT&T Alien Labs.

CVE Number

Affected devices

CVE-2021-44228, CVE-2021-45046




No CVE (vulnerability published on 2022-02)

Adobe ColdFusion 11 RCE


Liferay Portal – Java Unmarshalling via JSONWS RCE

No CVE (vulnerability published on 2022-04)

PHP Scriptcase 9.7 RCE


Zyxel NWA-1100-NH Command injection

No CVE (vulnerability published on 2022-04)

Razar Sila – Command injection


Spring Cloud Gateway – Code injection vulnerability


VMWare Workspace One RCE

CVE-2021-36356, CVE-2021-35064

Kramer VIAware RCE

No CVE (vulnerability published on 2022-03)

WordPress Video Synchro PDF plugin LFI

No CVE (vulnerability published on 2022-02)

Dbltek GoIP LFI

No CVE(vulnerability published on 2022-03)

WordPress Cab Fare Calculator plugin LFI

No CVE(vulnerability published on 2022-03)

Archeevo 5.0 LFI


Fuel CMS 1.4.1 RCE



No CVE (vulnerability published on 2019)

ThinkPHP 5.X RCE

No CVE (vulnerability published on 2017)

Netgear DGN1000 ‘Setup.cgi’ RCE


TOTOLink A3000RU command injection vulnerability


D-Link devices – HNAP SOAPAction – Header command injection vulnerability


ZHOME < S3.0.501 RCE


Zyxel P660HN – unauthenticated command injection


Seowon SLR 120 router RCE


D-Link DWR command injection in various models

The new variant of the bot includes exploits for the following security issues:

CVE-2022-22954: Critical RCE flaw in VMware Workspace ONE Access and VMware Identity Manager.

CVE-2022-22947: RCE flaw in Spring.

CVE-2022-1388: Critical RCE flaw in F5 BIG-IP.

AT&T researchers reported the availability of the EnemyBot source code on GitHub, this means that threat actors can modify it to create their own version of the bot.

Researchers recommend properly configuring the firewall to protect the devices exposed online, enable automatic updates, and monitor network traffic.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept).” concludes the report. “This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:


Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, EnemyBot)

The post EnemyBot malware adds new exploits to target CMS servers and Android devices appeared first on Security Affairs.

You may also like

Leave a Comment


Cybernonstop is created to bring news and knowledge through articles to visitors.

Do not forget to subscribe.

Laest News

@2021 – All Right Reserved. Designed and Developed by PenciDesign