10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
A threat group that pursues crypto mining and distributed denial-of-service (DDoS) attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things (IoT) devices since last month.
"This botnet is mainly derived from Gafgyt's source code but has been observed to borrow several modules from Mirai's original source code," Fortinet FortiGuard Labs said in a report this week.
The botnet has been attributed to an actor named Keksec (aka Kek Security, Necro, and FreakOut), which has been linked to multiple botnets such as Simps, Ryuk (not to be confused with the ransomware of the same name), and Samael, and has a history of targeting cloud infrastructure to carry out crypto mining and DDoS operations.
Enemybot primarily targets routers from Seowon Intech, D-Link, and iRZ to propagate and grow its footprint. Analysis of the malware specimen highlights its attempts at obfuscation to hinder analysis, and shows it connecting to a command-and-control server hosted as a hidden service on the Tor anonymity network to fetch attack commands.
Like other botnet malware in this family, Enemybot is the result of combining and modifying the Mirai and Gafgyt source code. The latest version reuses Mirai's scanner and bot killer modules: the scanner hunts for further targets, while the bot killer enumerates and terminates competing bot processes running on the same device.
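The "bot killer" behaviour described above is worth knowing from the defender's side: in the public Mirai source the killer walks /proc, reads each process's exe link and memory maps, and kills anything that looks like a rival bot. The same artefacts (an unlinked binary, execution from a scratch directory, mappings of files in /tmp) are what an incident responder would look for on a suspect router. The following is an added example, not code from Fortinet's report or from the Enemybot/Mirai/Gafgyt code bases; the snapshot dictionary, the field names, and the list of scratch directories are assumptions chosen for illustration, and the live collector only works on a Linux host with a readable /proc.

```python
"""Host-side triage for Mirai/Gafgyt-style bot processes (added example)."""
import os
from typing import Dict, List

# Directories IoT bots commonly execute from; an assumption, tune per fleet.
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/run/", "/mnt/")


def triage_process(proc: Dict[str, str]) -> List[str]:
    """Return reasons a process looks like a dropped bot (empty list if clean).

    `proc` is a hypothetical snapshot with the fields a collector would read:
      exe     - os.readlink('/proc/<pid>/exe'); ends with ' (deleted)' if unlinked
      cmdline - argv joined with spaces (not used for scoring here)
      maps    - text of /proc/<pid>/maps
    """
    reasons: List[str] = []
    exe = proc.get("exe", "")

    # Mirai-family bots unlink their own binary right after starting, so the
    # exe link points at a file that no longer exists on disk.
    if exe.endswith(" (deleted)"):
        reasons.append("binary unlinked after start (runs only from memory)")

    path = exe[: -len(" (deleted)")] if exe.endswith(" (deleted)") else exe
    if path.startswith(SCRATCH_DIRS):
        reasons.append(f"binary executes from scratch directory {path}")

    # Any mapped file living in a scratch directory is a second, independent
    # signal; report the first one found.
    for line in proc.get("maps", "").splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[5].startswith(SCRATCH_DIRS):
            reasons.append(f"maps a file from a scratch directory: {parts[5]}")
            break
    return reasons


def triage_snapshot(snapshot: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run triage_process over every pid and keep only the flagged ones."""
    flagged = {}
    for pid, proc in snapshot.items():
        reasons = triage_process(proc)
        if reasons:
            flagged[pid] = reasons
    return flagged


def collect_live_snapshot() -> Dict[str, Dict[str, str]]:
    """Build a snapshot from a real /proc (Linux only; needs root to see all)."""
    snapshot = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{pid}/maps") as f:
                maps = f.read()
        except OSError:
            continue  # process exited or we lack permission; skip it
        snapshot[pid] = {"exe": exe, "cmdline": cmdline, "maps": maps}
    return snapshot


# Constructed sample snapshot: two benign daemons and one bot-like process.
SAMPLE_SNAPSHOT = {
    "412": {
        "exe": "/usr/sbin/dropbear",
        "cmdline": "/usr/sbin/dropbear -R",
        "maps": "7f000000-7f010000 r-xp 00000000 1f:02 123 /usr/sbin/dropbear\n"
                "7f020000-7f030000 r-xp 00000000 1f:02 77 /lib/libc.so.6",
    },
    "1983": {
        "exe": "/tmp/.x86 (deleted)",
        "cmdline": "sdkfjasdf",
        "maps": "00400000-00430000 r-xp 00000000 00:10 99 /tmp/.x86 (deleted)\n"
                "7f020000-7f030000 r-xp 00000000 1f:02 77 /lib/libc.so.6",
    },
    "2101": {
        "exe": "/bin/busybox",
        "cmdline": "telnetd -l /bin/sh",
        "maps": "00400000-00480000 r-xp 00000000 1f:02 50 /bin/busybox",
    },
}

if __name__ == "__main__":
    for pid, reasons in triage_snapshot(SAMPLE_SNAPSHOT).items():
        print(pid, "->", "; ".join(reasons))
```

On a live router you would call `triage_snapshot(collect_live_snapshot())` instead of the sample. These checks are heuristics: busybox-based firmware sometimes legitimately runs helpers from /var/run, so treat a single scratch-directory hit as a lead, and the unlinked-binary signal as the strong one.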
Some of the n-day vulnerabilities used by the botnet to infect more devices are as follows -
Fortinet also pointed out its overlaps with Gafgyt_tor, suggesting that "Enemybot is likely an updated and 'rebranded' variant of Gafgyt_tor."
The disclosure comes as researchers from Qihoo 360's Network Security Research Lab (360 Netlab) detailed a rapidly spreading DDoS botnet called Fodcha that has ensnared more than 10,000 daily active bots, cumulatively infecting over 62,000 unique bots from March 29 to April 10, 2022.
Fodcha has been observed spreading through known vulnerabilities in Android, GitLab (CVE-2021-22205), the Realtek Jungle SDK (CVE-2021-35394), digital video recorders from MVPower and LILIN, and routers from TOTOLINK and ZHONE.