| Enemybot | |
| --- | --- |
| Type of Malware | Botnet |
| Date of Initial Activity | 2022 |
| Associated Groups | Keksec |
| Motivation | Financial Gain |
| Attack Vectors | Credential-based Attacks |
| Targeted Systems | Linux |
Overview
In March 2022, researchers at FortiGuard Labs identified a new DDoS botnet named Enemybot and attributed it to the Keksec threat group. The botnet drew attention for the breadth of devices it can infect, from Internet of Things (IoT) devices to desktop and server systems. What sets Enemybot apart is its hybrid lineage: it is built on Gafgyt source code and borrows several modules from Mirai. That combination lets it carry out a range of malicious activity, from Distributed Denial-of-Service (DDoS) attacks to cryptojacking.
The botnet's modular design lets it choose an attack strategy to fit the target environment. Once it compromises a device, Enemybot obfuscates its strings and configuration to slow analysis and mitigation. It also exploits several known vulnerabilities in popular networking equipment, including routers from Seowon Intech and D-Link, which lets it spread quickly across large numbers of devices. Its reliance on these weaknesses underscores the risk posed by IoT and other networked devices, many of which ship poorly secured and are never patched.
Targets
Individuals
Information
How they operate
Infection Methods and Targeted Devices
Enemybot is built for multiple CPU architectures and platforms, which widens its reach: binaries exist for ARM and x86-64, alongside BSD and Darwin (macOS) builds and other platforms common on IoT hardware. Combining hardcoded credentials with router vulnerabilities, it can infect desktops, servers and IoT devices alike. Its most notable infection technique is exploiting known flaws in networking devices, including CVE-2020-17456, a remote code execution vulnerability in SEOWON INTECH routers, and CVE-2018-10823, a command injection vulnerability in D-Link DWR routers. Both let Enemybot execute arbitrary commands on the device, giving it full control of the compromised system.
Once the malware has infected a device, it writes a file at /tmp/.pwned containing a message that attributes the attack to Keksec. In earlier versions this message was cleartext; later versions XOR-encode it with a multi-byte key. The change suggests active development, with the authors taking steps to make analysis harder.
Obfuscation Techniques
Enemybot obfuscates its strings in several ways to hinder detection and static analysis. Its Command-and-Control (C2) domain is XOR-encoded with a multi-byte key, so the domain is not visible to a simple strings scan of the binary (this does nothing to hide the traffic itself once the bot connects). Credentials and bot-killer keywords are XOR-encoded with the single-byte key 0x22. None of this is cryptographically strong; it is enough to defeat signature tools that look for plaintext strings, but a known key, or a short known-plaintext crib, recovers everything.
Commands are encoded with a simple substitution cipher, swapping one character for another before they are used, and some other strings are obfuscated by adding a fixed offset to each character's ASCII value. These methods are not sophisticated, but they hide the strings from casual inspection and from rival botnets that scan process memory for the same keywords, which helps Enemybot avoid being spotted and removed from a device it has claimed.
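The four string-hiding schemes above all invert with a few lines of code once the scheme is known, and the single-byte XOR case does not even need the key. The following is an added example for analysts triaging a sample, not code from the Enemybot binary or from the FortiGuard write-up. The 0x22 single-byte key is the one the text names; the credential and C2 blobs, the multi-byte key b"\x13\x37\x42", the +3 shift and the substitution table are all constructed here for illustration.

```python
"""Decoders for XOR (single- and multi-byte), ASCII-offset and substitution
string obfuscation, plus a crib-based key recovery for the single-byte case.

Added example; sample inputs are constructed, not taken from a real sample.
"""
from typing import Dict, List, Optional, Tuple


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def xor_multi(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating multi-byte key; also self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shift_decode(data: bytes, n: int) -> bytes:
    """Undo 'add n to every ASCII value' (wrapping at 256)."""
    return bytes((b - n) % 256 for b in data)


def substitution_decode(data: bytes, table: Dict[int, int]) -> bytes:
    """Undo a byte-for-byte substitution table; unmapped bytes pass through."""
    inverse = {v: k for k, v in table.items()}
    return bytes(inverse.get(b, b) for b in data)


def find_single_byte_key(blob: bytes, crib: bytes) -> Optional[int]:
    """Crib-drag: return the first key whose decoding contains the known plaintext."""
    for key in range(256):
        if crib in xor_single(blob, key):
            return key
    return None


def split_strings(decoded: bytes) -> List[bytes]:
    """Split a decoded table of NUL-terminated strings into its entries."""
    return [s for s in decoded.split(b"\x00") if s]


# Constructed: "root\0admin\0default" XORed with 0x22 (NUL becomes '"').
CRED_BLOB = b'PMMV"CFOKL"FGDCWNV'
# Constructed: the domain "c2.example" XORed with the assumed key below.
C2_BLOB = bytes.fromhex("70056c764f237e472e76")
C2_KEY = b"\x13\x37\x42"
# Constructed: the command "ls" with +3 added to each byte.
SHIFT_BLOB = b"ov"
# Constructed toy substitution table (plaintext byte -> encoded byte).
SUB_TABLE = {ord("a"): ord("q"), ord("t"): ord("z"), ord("k"): ord("x")}


def decode_credentials(blob: bytes = CRED_BLOB,
                       crib: bytes = b"root") -> Tuple[Optional[int], List[bytes]]:
    """Recover the XOR key from a likely credential and dump the whole table."""
    key = find_single_byte_key(blob, crib)
    if key is None:
        return None, []
    return key, split_strings(xor_single(blob, key))


def decode_c2(blob: bytes = C2_BLOB, key: bytes = C2_KEY) -> str:
    """Decode the multi-byte-XORed C2 domain with a known key."""
    return xor_multi(blob, key).decode("ascii")


if __name__ == "__main__":
    key, creds = decode_credentials()
    print(f"credential key=0x{key:02x} entries={creds}")
    print("c2 domain:", decode_c2())
    print("shifted command:", shift_decode(SHIFT_BLOB, 3))
    print("substituted string:", substitution_decode(b"qzzqcx", SUB_TABLE))
```

The crib approach is the practical one: a credential table almost always contains "root" or "admin", so a single known word pins the key without any statistical scoring, and the same key then exposes the bot-killer keyword list. For the multi-byte key the same idea works per key byte once the key length is guessed, but the decoder above assumes the key has already been lifted from the unpacked binary.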
Bot Killer Module
To protect its foothold, Enemybot includes a bot killer module that identifies and terminates competing botnets on the infected device. It looks for processes started from specific file paths or whose memory contains certain keywords, drawn from a list of more than 60 entries covering rivals such as Mirai. Killing competitors keeps the device's limited resources free for Enemybot's own DDoS and other activities.
Communication with Command-and-Control (C2) Servers
Enemybot's C2 servers are hidden behind the Tor network, which makes them harder for researchers to locate and take down and hides the operators' infrastructure and location. Bots reach the C2 over Tor circuits, which are encrypted between the bot and the hidden service, so the content of C2 traffic is not visible to passive network inspection. For a defender, however, Tor traffic originating from a router or other embedded device is itself an anomaly worth alerting on. Over this channel the operators issue the commands that launch DDoS attacks or direct the bots to other tasks such as cryptojacking.
Spreading Mechanisms
Enemybot spreads in several ways to infect as many devices as possible. One is brute-forcing SSH logins, a technique borrowed from Mirai: the bot walks a hardcoded list of username and password pairs against hosts that still use weak or default credentials. Another targets misconfigured Android devices whose Android Debug Bridge (ADB) daemon has been left listening on TCP port 5555; an unauthenticated ADB daemon accepts shell commands from anyone who can reach the port, so the bot can run arbitrary commands on the device and enlist it in the botnet.
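Two of the artefacts this page describes are easy to check for on a Linux or Android host without any special tooling: an ADB daemon listening on TCP 5555 on a non-loopback address, and the /tmp/.pwned marker file. The following is an added example of that host-side triage, not code from the Enemybot sample or the FortiGuard write-up. The /proc/net/tcp excerpt is constructed (the addresses, ports and inode numbers are made up); the marker path is the one the text names.

```python
"""Host triage: find exposed ADB listeners in /proc/net/tcp and check for the
/tmp/.pwned marker. Added example; the sample /proc/net/tcp content is constructed.
"""
import os
import socket
import struct
from typing import List, Tuple

ADB_PORT = 5555
MARKER = "/tmp/.pwned"
TCP_LISTEN = "0A"       # state column values are hex; 0A = LISTEN, 01 = ESTABLISHED
TCP_ESTABLISHED = "01"

# Constructed /proc/net/tcp excerpt: row 0 is adbd bound to 0.0.0.0:5555 (exposed),
# row 1 the same port on loopback only, row 2 sshd on 0.0.0.0:22, and row 3 an
# established ADB session from 192.168.0.100:51106 to this host's 192.168.2.15.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18211 1 0000000000000000 100 0 0 10 0
   1: 0100007F:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18212 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10023 1 0000000000000000 100 0 0 10 0
   3: 0F02A8C0:15B3 6400A8C0:C7A2 01 00000000:00000000 00:00000000 00000000     0        0 18230 1 0000000000000000 100 0 0 10 0
"""


def _parse_addr(field: str) -> Tuple[str, int]:
    """'0100007F:15B3' -> ('127.0.0.1', 5555). Linux stores the IPv4 address
    in host byte order, so the hex must be unpacked little-endian."""
    host_hex, port_hex = field.split(":")
    host = socket.inet_ntoa(struct.pack("<I", int(host_hex, 16)))
    return host, int(port_hex, 16)


def _rows(proc_net_tcp: str) -> List[List[str]]:
    """Split the table into column lists, dropping the header and short lines."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 10:
            rows.append(cols)
    return rows


def exposed_listeners(proc_net_tcp: str, port: int = ADB_PORT) -> List[Tuple[str, int, str]]:
    """(local_ip, port, inode) for LISTEN sockets on `port` not bound to loopback."""
    hits = []
    for cols in _rows(proc_net_tcp):
        ip, lport = _parse_addr(cols[1])
        if lport == port and cols[3] == TCP_LISTEN and not ip.startswith("127."):
            hits.append((ip, lport, cols[9]))
    return hits


def adb_sessions(proc_net_tcp: str, port: int = ADB_PORT) -> List[Tuple[str, int]]:
    """(remote_ip, remote_port) for established connections to the local ADB port."""
    sessions = []
    for cols in _rows(proc_net_tcp):
        _, lport = _parse_addr(cols[1])
        if lport == port and cols[3] == TCP_ESTABLISHED:
            sessions.append(_parse_addr(cols[2]))
    return sessions


def marker_present(path: str = MARKER) -> bool:
    """True if the Keksec marker file exists at the given path."""
    return os.path.isfile(path)


def triage(proc_path: str = "/proc/net/tcp", marker: str = MARKER) -> dict:
    """Run both checks against the live host (falls back to the sample if /proc is absent)."""
    try:
        with open(proc_path) as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    return {
        "adb_exposed": exposed_listeners(table),
        "adb_sessions": adb_sessions(table),
        "marker": marker_present(marker),
    }


if __name__ == "__main__":
    print(triage())
```

A listener on 127.0.0.1 is deliberately not flagged, since it is only reachable from the device itself; the 0.0.0.0 binding is the misconfiguration Enemybot's scanner looks for. The inode in the result is what you would match against /proc/<pid>/fd to find the owning process. The SSH side of this section is a configuration matter rather than a detection one: on a Linux host, `PasswordAuthentication no` and `PermitRootLogin no` in sshd_config remove the surface the brute-force module relies on.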
Conclusion
Enemybot's design shows how botnet tooling evolves: it reuses Gafgyt and Mirai code while adding its own evasion, persistence and spreading methods. Its support for many device types, its string obfuscation, and its Tor-hosted C2 make it a capable threat. Understanding these methods lets defenders prepare concretely: patch the exploited router flaws, remove default credentials, keep ADB off the network, and watch for Tor traffic from embedded devices. As malware evolves, detection and mitigation strategies must evolve with it.