This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.
This blog details how this malware leverages these vulnerabilities and the commands it can execute once inside an infected device.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
One of the first things Enemybot does is to drop a file in /tmp/.pwned, containing a message that attributes itself to Keksec. In earlier samples, this message was stored as cleartext. Only a few days after, a new sample was released with the message encoded with an XOR operation using a multiple-byte key. This suggests that this malware is being actively developed.
A sample, SHA256: fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473, captured on March 24, 2022 has the message in cleartext:
A sample from March 28, 2022 SHA256: 93706966361922b493d816fa6ee1347c90de49b6d59fc01c033abdd6549ac8b9, encoded the message with an XOR operation using a multi-byte key.
Upon decoding, the message has also been changed to:
“ENEMEYBOT V3.1-ALCAPONE - hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device literally has the security of a [shitty device] / [smart doorbell])”
Subsequently, FortiGuard Labs researchers discovered newer samples that reverted to the cleartext versions of the /tmp/.pwned message, which might suggest the possibility of multiple developers working with different versions of the codebase or having different programming habits.
Keksec is known for operating multiple botnets, some of which are based on Gafgyt (a.k.a. Bashlite). Gafgyt is a DDoS botnet whose source code was leaked way back in 2015.
In the case of Enemybot, although it is mainly based on Gafgyt, it was observed that some of its modules are clearly borrowed from Mirai’s source code. One of these is Enemybot’s scanner module as shown in the screenshots below.
Another module shared with Mirai is the bot killer module where it searches for any running processes started from certain file paths or with specific keywords in its process memory. It then terminates these processes. Enemybot enhances the original Mirai code with over sixty keywords to identify and kill off any competitors running on the same devices.
While researching this botnet, FortiGuard Labs observed that Enemybot shares several similarities with Gafgyt_tor previously reported by other researchers, and assessed that Enemybot is likely an updated and “rebranded” variant of Gafgyt_tor.
Infects Multiple Architectures
Like most botnets, this malware infects multiple architectures to increase its chances of infecting more devices. In addition to IoT devices, Enemybot also targets desktop/server architectures such as BSD, including Darwin (macOS), and x64.
Enemybot targets the following architectures:
Enemybot’s download server was previously misconfigured and displayed a list of ELF binaries for different architectures (Figure 3). Threat actors have fixed this at the time of writing.
While these obfuscation techniques are simplistic, they are sufficient to hide tell-tale indicators of its presence from casual analysis and other botnets. Most IoT botnets including Enemybot are known for searching for such indicators to terminate other botnets running on the same device.
Infecting More Devices
In terms of spreading, Enemybot uses several methods that have also been observed in other IoT botnet campaigns.
One way is using a list of hardcoded username/password combinations to login into devices configured with weak or default credentials. This is another module that was copied from Mirai’s source code.
This malware also tries to run shell commands to infect misconfigured Android devices that expose Android Debug Bridge port (5555).
The last method is to target devices with specific vulnerabilities as listed below:
D-Link provided updated firmware for some of the above-mentioned devices. It’s recommended to check and update these devices if they still have vulnerable versions.
This vulnerability allows an attacker to execute a command by adding a crontab entry in the infected device via the /api/crontab (Figure 7).
During the past few weeks, FortiGuard Labs researchers also observed different samples adding and removing exploits. A list of these exploits seen in use by Enemybot for propagation are as follows:
This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility.
After a successful exploit, a shell command is executed to download another shell script from a URL. In most cases, particularly in Mirai-based botnets, this URL is hardcoded. In the case of Enemybot however, this URL is dynamically updated by the C2 server via the command LDSERVER. The clear advantage of this method is that when the download server is down for whatever reason, the botnet operators can just update the bot clients with a new URL.
The shell script update.sh then downloads the actual Enemybot binaries compiled for every architecture it targets and executes them.
Commands and DDoS capabilities
Once the bot gets installed on a victim’s device, it connects to its C2 server and waits for further commands. The C2 server hides in the Tor network and the bot tries to access the server using a hardcoded list of SOCKS proxy IPs.
This bot supports several commands listed in the following table.
Based on the analysis of FortiGuard Labs, Enemybot is Keksec’s latest tool for performing DDoS attacks.
To protect itself, it uses simple obfuscation techniques on its strings as well as hosting its C2 server in the Tor network, taking advantage of the network’s anonymity. It uses several techniques commonly found in other DDoS botnet malware to infect other devices.
Seeing how this malware has undergone changes during the research for this article, we expect that more updated versions will be distributed in the wild soon.
FortiGuard Labs will keep monitoring this botnet.
Fortinet customers are protected by the following:
FortiGuard IP Reputation & Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
FortiGuard Application Control Service provides organizations the capability to monitor or block access to malicious, risky, or unwanted applications. Customers without specific business requirements for Tor can refer to these Fortinet Technical Tips for blocking inbound and outbound Tor traffic using the Application Control Service.
xfrvkmokgfb2pajafphw3upl6gq2uurde7de7iexw4aajvslnsmev5id[.]onion (Tor network)