FortiGuard Labs observed a new DDoS botnet named Enemybot, attributed to Keksec, that borrows code from Gafgyt and Mirai while using obfuscation and a Tor-hidden C2 to complicate takedowns. It targets routers from Seowon Intech and D-Link and leverages a wide range of exploits across multiple architectures, with dynamic update capabilities via its C2.
#Enemybot #Keksec #Gafgyt #Mirai #SeowonIntech #DLink #iRZ #CVE2022-27226 #TOTOLINK
Key Points
- Enemybot is a Keksec-associated DDoS botnet derived from Gafgyt’s source and borrowing modules from Mirai.
- It obfuscates strings to hinder analysis and hides its C2 with Tor network integration.
- The malware targets Seowon Intech and D-Link routers and exploits a range of CVEs (including CVE-2020-17456) to propagate.
- Enemybot is built for multiple architectures and platforms (ARM, x64, MIPS, BSD, Darwin, etc.), expanding its reach beyond typical IoT devices.
- Propagation uses hardcoded credentials, Android ADB (port 5555), and various exploits; it dynamically updates its download URL via the C2 using LDSERVER.
- After exploitation, update.sh downloads architecture-specific binaries; the bot continues to add new exploits and can potentially be used for cryptomining in the future.
MITRE Techniques
- [T1090.003] Proxy – C2 over Tor network. Brief description: The bot connects to a command-and-control server hidden in the Tor network. Quote: “The C2 server hides in the Tor network”.
- [T1190] Exploit Public-Facing Application – Exploit known router and application vulnerabilities (CVEs) to gain initial access. Brief description: CVE-2020-17456 and other router/application exploits are used to inject commands. Quote: “This vulnerability allows an attacker to execute a command by adding a crontab entry … [Figure 7].”
- [T1059.004] Unix Shell – Use of shell commands to propagate and execute payloads on Linux-based devices. Brief description: Shell commands are used to infect misconfigured devices and run update.sh. Quote: “shell commands to infect misconfigured Android devices” and “The shell script update.sh then downloads…”
- [T1105] Ingress Tool Transfer – Downloading binaries for each architecture after initial compromise. Brief description: The shell script downloads actual Enemybot binaries. Quote: “downloads the actual Enemybot binaries compiled for every architecture it targets and executes them.”
- [T1027] Obfuscated/Compressed Files and Information – Obfuscation of strings and credentials. Brief description: XOR, substitution cipher, and simple encoding techniques are used to hide indicators. Quote: “obfuscates strings in a variety of ways…”; “Commands are encrypted with a substitution cipher…”
- [T1090] Proxy – The C2 domain is stored XOR-encoded and resolves to a Tor hidden service; the bot communicates through this Tor-based C2. Brief description: “C2 domain uses XOR encoding…; Tor network”. Quote: no direct quote provided beyond the Tor reference in the article excerpt.
Indicators of Compromise
- [Hash (SHA-256)] Sample hashes observed in Enemybot samples. Example: 5260b9a859d936c5b8e0dd81c0238de136d1159e41f0b148f86e2555cf4a4e38, fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473, and 2 more hashes
- [File name] update.sh is used to fetch the architecture-specific binaries (code snippet shown in the article). Example: update.sh, and 2 more files
- [URL] Download URLs used by Enemybot for payloads. Example: http://198[.]12[.]116[.]254/folder/enemybotarm, http://198[.]12[.]116[.]254/folder/update.sh
- [IP Address] C2/download infrastructure hosted at an IP address. Example: 198.12.116.254 (defanged as 198[.]12[.]116[.]254), and 2 more addresses
- [Domain] Tor-based C2 domain used for command-and-control. Example: xfrvkmokgfb2pajafphw3upl6gq2uurde7de7iexw4aajvslnsmev5id[.]onion
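The indicators above are published defanged, so a detection team has to refang them and match them against telemetry with care: a plain substring search for the IP would also fire on unrelated addresses that share a prefix, and a generic name like update.sh is only a weak signal on its own. The script below is an added example written for this summary; it is not FortiGuard's code. It refangs the indicators listed on this page, compiles boundary-aware patterns, and scans a handful of constructed proxy/DNS/EDR-style log lines (not real telemetry) for hits.

```python
import re
from dataclasses import dataclass

# Indicators copied from the summary above, kept in their published
# (defanged) form so the list stays safe to paste around.
DEFANGED_IOCS = {
    "url": [
        "http://198[.]12[.]116[.]254/folder/enemybotarm",
        "http://198[.]12[.]116[.]254/folder/update.sh",
    ],
    "ip": ["198[.]12[.]116[.]254"],
    "domain": ["xfrvkmokgfb2pajafphw3upl6gq2uurde7de7iexw4aajvslnsmev5id[.]onion"],
    "sha256": [
        "5260b9a859d936c5b8e0dd81c0238de136d1159e41f0b148f86e2555cf4a4e38",
        "fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473",
    ],
    # update.sh is a generic name; treat it as a low-confidence indicator.
    "filename": ["update.sh"],
}

# Constructed sample log lines (proxy, DNS and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2022-04-12T10:01:02Z proxy 10.0.0.5 GET http://198.12.116.254/folder/update.sh 200",
    "2022-04-12T10:01:03Z proxy 10.0.0.5 GET http://198.12.116.254/folder/enemybotarm 200",
    "2022-04-12T10:02:10Z dns 10.0.0.7 query xfrvkmokgfb2pajafphw3upl6gq2uurde7de7iexw4aajvslnsmev5id.onion",
    "2022-04-12T10:03:00Z proxy 10.0.0.9 GET http://example.com/index.html 200",
    "2022-04-12T10:04:00Z proxy 10.0.0.9 GET http://198.12.116.2/static.css 200",
    "2022-04-12T10:05:00Z edr 10.0.0.5 file /tmp/enemybotarm sha256=5260b9a859d936c5b8e0dd81c0238de136d1159e41f0b148f86e2555cf4a4e38",
]


@dataclass(frozen=True)
class Hit:
    line_no: int    # 1-based index into the scanned lines
    kind: str       # which indicator class matched
    indicator: str  # the live (refanged) indicator value


def refang(value: str) -> str:
    """Convert a defanged indicator back to the form that appears in logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_patterns(iocs=DEFANGED_IOCS):
    """Compile one regex per indicator.

    IPs, domains, hashes and filenames are bounded so that a prefix such as
    198.12.116.2 does not match 198.12.116.254 (or the reverse). URLs are
    matched verbatim because they already carry their own delimiters.
    """
    patterns = []
    for kind, values in iocs.items():
        for value in values:
            live = refang(value)
            if kind == "url":
                regex = re.escape(live)
            else:
                regex = r"(?<![\w.])" + re.escape(live) + r"(?![\w.])"
            patterns.append((kind, live, re.compile(regex, re.IGNORECASE)))
    return patterns


def scan(lines, patterns=None):
    """Return every (line, indicator) match across the given log lines."""
    patterns = patterns or build_patterns()
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for kind, live, regex in patterns:
            if regex.search(line):
                hits.append(Hit(line_no, kind, live))
    return hits


def lines_with_hits(hits):
    """Distinct line numbers that matched at least one indicator."""
    return sorted({h.line_no for h in hits})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} -> {hit.indicator}")
```

On the constructed input, lines 1 and 2 fire on both the full URL and the bare IP, line 3 fires only on the .onion lookup (a resolver seeing a .onion query at all is worth an alert), line 6 fires on the file hash, and the look-alike address 198.12.116.2 on line 5 produces nothing. In production the same structure works with a feed of indicators; the one design choice to keep is the boundary assertion around short tokens, which is what keeps IP and hash matches from being prefix matches.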
Read more: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet