EnemyBot (Botnet) – Malware

March 2, 2025

EnemyBot

Type of Malware

Botnet

Date of Initial Activity

2022

Associated Groups

KekSec

Motivation

Financial Gain

Attack Vectors

Credential-based Attacks
Software Vulnerabilities

Targeted Systems

Linux

Overview

In March 2022, researchers at FortiGuard Labs identified a new DDoS botnet named Enemybot and attributed it to the Keksec threat group. Enemybot is largely derived from Gafgyt source code but also borrows modules from Mirai, which gives it a wider reach than either parent: it targets consumer Internet of Things (IoT) devices as well as desktop and server systems. Its capabilities range from Distributed Denial-of-Service (DDoS) attacks to cryptojacking, and its modular design lets it pick the attack or propagation method that suits the target environment. Once it compromises a device it obfuscates its strings and configuration to slow analysis, and it spreads by exploiting known vulnerabilities in networking equipment, including routers from Seowon Intech and D-Link, as well as by abusing weak credentials. Its success against such devices is a reminder that many IoT and network appliances ship poorly secured and then go unpatched for years.

Targets

Individuals Information

How they operate

Infection Methods and Targeted Devices
Enemybot is built for multiple device architectures and operating systems, which widens its reach: binaries exist for ARM and x64 among other common IoT architectures, and for BSD and macOS (Darwin) as well as Linux. By combining hardcoded credentials with router vulnerabilities, it can infect desktops, servers and IoT devices alike.

One of its most notable infection techniques is exploiting known vulnerabilities in networking devices, among them CVE-2020-17456, a remote code execution flaw in Seowon Intech routers, and CVE-2018-10823, a command injection flaw in D-Link routers. Either exploit lets Enemybot run arbitrary commands on the device and take full control of it.

Once it infects a device, the malware drops a file at /tmp/.pwned containing a message that attributes the attack to Keksec. Early versions stored this message in cleartext; later versions XOR-encode it with a multi-byte key. That change in encoding is one of several signs that the malware is under active development, with its authors taking steps to make analysis harder.
Obfuscation Techniques
Enemybot uses several string-obfuscation schemes so that a plain strings dump of the binary reveals little. Its Command-and-Control (C2) domain is XOR-encoded with a multi-byte key, so the address is not visible until the binary is unpacked in memory or the key is recovered. Credentials and bot-killer keywords are XOR-encoded with the single byte 0x22. Commands are obscured with a substitution cipher that swaps each character for another, and some strings are encoded simply by adding a fixed number to each character's ASCII value. None of these schemes is cryptographically strong, and each can be undone in a few lines once the key or table is known, but together they defeat automated string extraction, casual inspection and rival bot operators poking at the same device. That, in turn, helps Enemybot stay resident and lowers the chance of it being spotted and removed.
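The schemes described in the two sections above (the XOR-encoded /tmp/.pwned message, the 0x22 single-byte XOR, the substitution cipher and the ASCII shift) are all reversible by hand once the key is known, and the multi-byte XOR key can be recovered from a known fragment of plaintext such as the Keksec attribution. The following Python is an added example written for this page, not code from FortiGuard Labs or from the malware: the key b"k3ks", the message text, the reversed-alphabet substitution table and the encoded samples are all constructed stand-ins, not values taken from any Enemybot sample.

```python
from string import ascii_lowercase
from typing import Dict, List, Optional

# --- Decoders for the string-obfuscation schemes the page describes -----------

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encoding and decoding are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

SINGLE_BYTE_KEY = 0x22  # key the page reports for credentials and bot-killer keywords

def xor_single(data: bytes, key: int = SINGLE_BYTE_KEY) -> bytes:
    """Single-byte XOR, i.e. repeating-key XOR with a one-byte key."""
    return xor_bytes(data, bytes([key]))

def shift_decode(data: bytes, n: int) -> bytes:
    """Undo 'add a fixed number n to every ASCII value' (wrapping at 256)."""
    return bytes((b - n) % 256 for b in data)

def substitution_decode(text: str, table: Dict[str, str]) -> str:
    """Undo a character-for-character substitution. `table` maps plain -> cipher;
    characters outside the table are passed through unchanged."""
    inverse = {c: p for p, c in table.items()}
    return "".join(inverse.get(ch, ch) for ch in text)

# --- Known-plaintext recovery of a multi-byte XOR key ------------------------

def _printable(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data)

def recover_xor_key(ciphertext: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Slide a known plaintext fragment (crib) over the ciphertext. At each offset the
    crib yields candidate key bytes; a crib longer than the key must also agree with
    itself wherever two crib positions land on the same key slot. A candidate is
    accepted only if the whole ciphertext decodes to printable text."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least as long as the key")
    for off in range(len(ciphertext) - len(crib) + 1):
        key: List[Optional[int]] = [None] * key_len
        consistent = True
        for j, p in enumerate(crib):
            slot = (off + j) % key_len
            k = ciphertext[off + j] ^ p
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if consistent and None not in key:
            candidate = bytes(key)
            if _printable(xor_bytes(ciphertext, candidate)):
                return candidate
    return None

# --- Constructed samples (NOT real Enemybot artifacts) ------------------------

# Stand-in for the attribution message dropped in /tmp/.pwned; the key and the
# text are invented for this example.
SAMPLE_KEY = b"k3ks"
SAMPLE_PT = b"ENEMYBOT hail KEKSEC - u got pwned"
SAMPLE_CT = xor_bytes(SAMPLE_PT, SAMPLE_KEY)

# Stand-in substitution table (a reversed alphabet); a real sample embeds its own.
SUBST_TABLE = dict(zip(ascii_lowercase, reversed(ascii_lowercase)))

def demo() -> dict:
    """Run every decoder once and return the results for inspection."""
    key = recover_xor_key(SAMPLE_CT, b"KEKSEC", len(SAMPLE_KEY))
    return {
        "recovered_key": key,
        "pwned_message": xor_bytes(SAMPLE_CT, key) if key else None,
        "credential": xor_single(b"PMMV"),                        # b"root"
        "path": shift_decode(b"0cjo0cvtzcpy", 1),                 # b"/bin/busybox"
        "command": substitution_decode("fwk uollw", SUBST_TABLE),  # "udp flood"
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value!r}")
```

When working on a real sample, the crib is whatever fixed text the analyst already knows (the group name in the attribution message, or a ".onion" suffix in the C2 string), and the key length is tried over a small range until recover_xor_key returns a candidate; the printable check is what rejects the false positives that a short crib produces at wrong offsets.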
Bot Killer Module
To protect its foothold, Enemybot carries a bot-killer module that finds and terminates competing botnets on the infected device. It scans running processes for executables started from specific file paths or for certain keywords in their memory, matching against a built-in list of more than 60 keywords that covers rivals such as Mirai. Killing them leaves Enemybot as the only bot on the device, with the CPU and bandwidth it needs for DDoS and its other tasks.
Communication with Command-and-Control (C2) Servers
Enemybot's C2 servers are hosted as hidden services in the Tor network, which makes them harder for researchers to locate and take down. Tor hides the operators' hosting location and identity, and the traffic between bot and C2 travels inside encrypted Tor circuits. Over this channel the bots receive the commands that drive the botnet, whether to launch a DDoS attack against a target or to carry out other tasks such as cryptojacking.
Spreading Mechanisms
Enemybot propagates in several ways to recruit as many devices as possible. One is brute-forcing SSH logins using a scanner module taken from Mirai: it walks a hardcoded list of username and password pairs against devices that still use weak or default credentials. Another targets Android devices that expose the Android Debug Bridge (ADB) on TCP port 5555 to the network. An exposed ADB service that does not enforce key authorization accepts shell commands from anyone who can reach it, so this misconfiguration lets Enemybot run arbitrary commands on the device and enrol it in the botnet. The router exploits described above are the third route.
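The SSH credential walk described above leaves a distinctive trace in sshd's log: a burst of failures from one source that cycle through many usernames, rather than one user mistyping a password. The following Python is an added example written for this page, not code from FortiGuard Labs or from the malware; the auth.log lines, host name "gw" and the IP addresses are constructed, and the threshold of five failures within sixty seconds is an assumed starting point to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Matches sshd's failure line for both known and unknown ("invalid user") accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

Event = Tuple[datetime, str, str]  # (timestamp, source ip, username tried)

def parse_failed_logins(lines: Iterable[str], year: int = 2022) -> List[Event]:
    """Extract failed-password events. syslog stamps carry no year, so one is supplied."""
    events: List[Event] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events

def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, dict]:
    """Flag any source IP with >= threshold failures inside a sliding time window.
    distinct_users is the tell for a hardcoded credential list being walked."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts: Dict[str, dict] = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(attempts),
                    "distinct_users": len({u for _, u in attempts}),
                    "first_seen": times[0].isoformat(),
                }
                break
    return alerts

def scan_auth_log(lines: Iterable[str]) -> Dict[str, dict]:
    """Parse and evaluate in one call, with the default threshold and window."""
    return detect_bruteforce(parse_failed_logins(lines))

# Constructed sample: six rapid failures from one IP walking a default-credential
# list, then a legitimate user who mistyped twice, seven minutes apart, and got in.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 gw sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  3 10:00:02 gw sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Mar  3 10:00:03 gw sshd[1205]: Failed password for invalid user pi from 198.51.100.7 port 40124 ssh2
Mar  3 10:00:04 gw sshd[1207]: Failed password for invalid user guest from 198.51.100.7 port 40125 ssh2
Mar  3 10:00:05 gw sshd[1209]: Failed password for invalid user ubnt from 198.51.100.7 port 40126 ssh2
Mar  3 10:00:06 gw sshd[1211]: Failed password for invalid user support from 198.51.100.7 port 40127 ssh2
Mar  3 10:02:00 gw sshd[1250]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar  3 10:09:00 gw sshd[1260]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Mar  3 10:09:03 gw sshd[1262]: Accepted password for alice from 203.0.113.5 port 51001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in scan_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {info}")
```

The same source-and-window logic applies to connection attempts against TCP port 5555 in firewall logs, where any inbound hit from outside the management network is already a finding; ADB should not be reachable from the network at all, so the threshold there is one.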
Conclusion
Enemybot's design shows how botnet tooling evolves: it reuses proven components from Gafgyt and Mirai and adds its own methods for evasion, persistence and spreading. Its support for many architectures, its layered string obfuscation and its Tor-hosted C2 make it a persistent threat to unpatched network equipment. Understanding how it gets in and how it hides gives defenders concrete things to check (default credentials, exposed ADB, unpatched router firmware, the /tmp/.pwned marker) and a basis for improving detection and mitigation as the malware continues to change.
References:
  • Enemybot: A Look into Keksec’s Latest DDoS Botnet
Tags: Botnet, D-Link, DDoS, EnemyBot, FortiGuard, FortiGuard Labs, Keksec, Linux, Malware, Vulnerabilities
    © 2025 | CyberMaterial | All rights reserved