"EnemyBot Malware Targets Web Servers, CMS Tools and Android OS"

EnemyBot, a rapidly evolving IoT malware, is targeting content management systems (CMS), web servers, and Android devices. Researchers at AT&T Alien Labs believe that the threat actor group "Keksec" is behind the malware's distribution. The researchers stated that services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, and PHP Scriptcase, among others, are being targeted, as well as IoT and Android devices, and noted that the malware is rapidly adopting one-day vulnerabilities into its exploitation capabilities. After analyzing the malware's codebase, the researchers found that EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot, and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices. The group was formed in 2016 and includes several botnet actors.

The researchers identified four main sections of the malware. The first is a Python script, 'cc7.py', used to download all dependencies and compile the malware for different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file "update.sh" is created and used to spread the malware to vulnerable targets. The second section is the main botnet source code, which holds all of the malware's remaining functionality, excluding the main part, and incorporates source code from the various botnets that are combined to perform an attack. The third section is the obfuscation module "hide.c", which is compiled and executed manually to encode and decode the malware's strings; the researchers noted that a simple swap table is used to hide strings, and that "each char is replaced with a corresponding char in the table." The last section is a command-and-control (C2) component that receives vital actions and payloads from the attackers.

Further analysis revealed a new scanner function that hunts for vulnerable IP addresses and an "adb_infect" function used to attack Android devices. The researchers advise organizations to configure firewalls properly and to reduce the exposure of Linux servers and IoT devices to the internet. They also recommend that organizations monitor network traffic, scan outbound ports, and look for suspicious bandwidth usage. Software should be updated automatically and patched with the latest security updates.
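As an added illustration (not code from the report or from the malware), the snippet below models the kind of swap-table string hiding the researchers describe for "hide.c" and shows why it gives an analyst little trouble: the same routine both hides and recovers strings, and one known clear string is enough to derive the table. The swap pairs and the function names are constructed for this example.

```python
"""Swap-table string hiding of the kind attributed to EnemyBot's hide.c.
Constructed illustration: the pairs below are invented, not the malware's table.
"""

# Constructed swap table: each pair is exchanged in both directions, so the
# table is an involution and one function serves to hide and to recover.
SWAP_PAIRS = [
    ("a", "G"), ("b", "q"), ("e", "3"), ("i", "Z"), ("o", "0"),
    ("s", "$"), ("t", "7"), ("/", "|"), (".", "#"), ("r", "K"),
]


def build_table(pairs):
    """Turn the pair list into a str.translate table, rejecting any character
    that appears twice (a swap table must be a proper pairing)."""
    table = {}
    for x, y in pairs:
        if ord(x) in table or ord(y) in table:
            raise ValueError(f"character used twice: {x!r}/{y!r}")
        table[ord(x)] = y
        table[ord(y)] = x
    return table


TABLE = build_table(SWAP_PAIRS)


def swap(text, table=TABLE):
    """Hide or recover a string; characters not in the table pass through."""
    return text.translate(table)


def recover_pairs(hidden, known_plain):
    """Derive the swap table from one hidden string and its known clear form.
    Every character present in the known sample is pinned down at once."""
    if len(hidden) != len(known_plain):
        raise ValueError("a swap table never changes string length")
    pairs = {}
    for h, p in zip(hidden, known_plain):
        if h == p:  # character not covered by the table
            continue
        for a, b in ((h, p), (p, h)):
            if pairs.setdefault(a, b) != b:
                raise ValueError(f"inconsistent mapping for {a!r}")
    return pairs


if __name__ == "__main__":
    hidden = swap("sh update.sh")
    print(hidden, "->", swap(hidden))
    print(recover_pairs(hidden, "sh update.sh"))
```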


Threatpost reports: "EnemyBot Malware Targets Web Servers, CMS Tools and Android OS"
