IoT malware EnemyBot abuses critical VMware, F5 BIG-IP flaws

EnemyBot is fast integrating exploits for recently announced vulnerabilities to improve its capabilities.

Securonix researchers first uncovered EnemyBot, a malware strain targeting the internet of things (IoT), in March 2022. They and other researchers believe it to be distributed by the threat actor 'Keksec' - also known as Kek Security, Necro, and FreakOut - and linked to multiple botnets such as Simps and Samael.

Keksec has a history of attacking cloud infrastructure for crypto mining and DDoS exploits. Researchers have warned that EnemyBot is designed to carry out DDoS attacks.

However, new analysis from AT&T Alien Labs notes that EnemyBot is now expanding its reach by quickly incorporating exploits for recently disclosed critical flaws in web servers, Android devices and content management systems.

EnemyBot's newest variants contain exploits for 24 security weakness in various products.

The majority of these vulnerabilities are critical, but a few don't have a CVE number, making it more difficult for defenders to apply protections.

AT&T Alien Labs discovered exploits for the following security flaws in a new variant:

• CVE-2022-22954: a remote code execution (RCE) issue in VMware Workspace ONE Access and VMware Identity Manager. A proof of concept (PoC) exploit for the bug was released last month.
• CVE-2022-1388: An RCE weakness discovered in F5 BIG-IP, posing a danger of device takeover to susceptible endpoints. In May 2022, the first PoCs were discovered in the wild, and intensive exploitation started almost immediately.
• CVE-2022-22947: An RCE bug in Spring, which was fixed in March 2022, and was heavily targeted throughout April 2022.

The researchers said all of the commands from the previous version of EnemyBot are still available, giving hackers a wide range of options when it comes to DDoS attacks.

In addition, EnemyBot's basic source code has been shared on Github by someone presumably linked with Keksec, making it accessible to anybody who wants to use the malware.

EnemyBot's code is mostly taken from Gafgyt's source code, according to Fortinet FortiGuard Labs, although it also borrows numerous modules from Mirai's original source code.

Mirai is a notorious IoT and router malware, which has spread in various forms for the last five years. It has been responsible for some of the largest DDoS attacks ever seen.

Attack route

When a device is infected with EnemyBot, the malware connects to the C2 server and waits for commands to be executed, says FortiGuard.

Although the majority of the instructions are connected to DDoS attacks, the malware isn't limited to only them.

EnemyBot can target a variety of architectures, including the ubiquitous x86, x64, i686, arm, arm64, darwin and bsd, as well as the rarer and outdated ppc, m68k and spc.

Having such a wide attack surface is critical for the malware's ability to spread, since it can recognise the pivot point's architecture and retrieve the appropriate binary from the C2.

The following are some recommendations for defending against this sort of threat:

• Enable automatic updates to ensure that your software is up to date in terms of security

• Keep an eye on network activity, outbound port scans, and excessive bandwidth usage

• Use a properly configured firewall and maintain minimal exposure to Linux servers and IoT devices on the Internet

Earlier this month, Microsoft 365 Defender Research Team warned they had detected a 254% increase in the activity of stealthy Linux XorDdos malware over the past six months.

The growth in activity reflects the trend of malware increasingly targeting Linux-based operating systems, which are widely used in cloud infrastructure and IoT devices.