The developer of the Github page on EnemyBot describes themselves as a “full time malware dev” who is also available for contract work. The individual states their workplace as “Kek security,” implying a potential relationship with the broader Keksec group (see figure 2).

Figure 2.

The malware repository on Github contains four main sections:

cc7.py

This module is a Python script file that downloads all dependencies and compiles the malware for different OS architectures including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3).

Figure 3. Compiling malware source code to macOS executable.

Once compilation is complete, the script creates a batch file ‘update.sh’, which the bot uses as a downloader: it is delivered to any identified vulnerable targets to spread the malware.

Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.

Though this module is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports, mixing the various botnet source codes mentioned above (Mirai, Qbot, and Zbot), mainly Mirai and Qbot (see figure 5).

This module is compiled and manually executed by the attacker to encode / decode the malware’s strings, hiding them in the binary. For that, the malware uses a simple swap table in which each character is replaced with the corresponding character in the table (see figure 6).

Figure 7 shows the command-and-control (C&C) component, the botnet controller. The C&C is executed on a dedicated machine controlled by the attacker, from which it can control and send commands to infected machines.

Most of EnemyBot's functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators, giving the malware more functionality.

In new variants of EnemyBot, the malware added a webscan function containing a total of 24 exploits to attack vulnerabilities in different devices and web servers (see figure 8). EnemyBot calls a new function, “webscan_xywz”. To perform these functions, the malware randomly scans IP addresses and, when it gets a response via SYN/ACK, EnemyBot then scans the remote server for vulnerabilities by executing multiple exploits.

Figure 8.
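The swap-table string hiding described for the encode / decode module (figure 6) and the webscan sweep described for the new variants (figure 8) are the two pieces of behaviour an analyst most often has to work with. The following example, added here and not part of the original article or of EnemyBot's own code, shows the analyst side of both: recovering a single-character substitution table from a known plaintext/ciphertext pair and decoding strings with it, and flagging a host that sends SYNs to many distinct addresses on one port in a short window. The substitution table, the log format and every log line below are constructed for illustration; EnemyBot's real table is not reproduced, and the thresholds are assumptions to be tuned per environment.

```python
import random
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# ---- Part 1: swap-table string obfuscation, analyst view ----------------------

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ./:-_"


def make_table(seed: int = 1337) -> Dict[str, str]:
    """CONSTRUCTED swap table: a seeded permutation of ALPHABET standing in for
    the attacker-chosen table; it is not EnemyBot's real table."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def invert(table: Dict[str, str]) -> Dict[str, str]:
    """Decoding needs the inverse mapping; a non-bijective table is ambiguous."""
    inv = {v: k for k, v in table.items()}
    if len(inv) != len(table):
        raise ValueError("table is not a bijection; strings cannot be decoded unambiguously")
    return inv


def apply_table(text: str, table: Dict[str, str]) -> str:
    # Characters outside the table pass through unchanged (worth checking when
    # recovering a real table: untouched characters leak plaintext).
    return "".join(table.get(c, c) for c in text)


def encode(text: str, table: Dict[str, str]) -> str:
    return apply_table(text, table)


def decode(cipher: str, table: Dict[str, str]) -> str:
    return apply_table(cipher, invert(table))


def recover_table(known_plain: str, observed_cipher: str) -> Dict[str, str]:
    """Known-plaintext recovery: a substitution keeps length and position, so
    each plaintext char pairs with the cipher char at the same index. A
    conflicting pair means the plaintext guess is wrong."""
    if len(known_plain) != len(observed_cipher):
        raise ValueError("substitution preserves length; plaintext and cipher lengths differ")
    partial: Dict[str, str] = {}
    for p, c in zip(known_plain, observed_cipher):
        if partial.setdefault(p, c) != c:
            raise ValueError(f"conflict for {p!r}: {partial[p]!r} vs {c!r}")
    return partial


def decode_partial(cipher: str, partial_table: Dict[str, str], unknown: str = "?") -> str:
    """Decode with an incomplete table, marking unrecovered positions."""
    inv = invert(partial_table)
    return "".join(inv.get(c, unknown) for c in cipher)


# ---- Part 2: horizontal SYN sweep detection over connection logs -------------

# Constructed log format: "<iso-timestamp> <src> -> <dst>:<dport> <tcp-flags>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$")

# Constructed sample: 10.0.0.5 sweeps port 80 across ten hosts in ten seconds,
# while 10.0.0.9 makes a handful of ordinary connections.
SAMPLE_LOG: List[str] = [
    f"2022-05-01T10:00:{i:02d} 10.0.0.5 -> 203.0.113.{i + 1}:80 SYN" for i in range(10)
] + [
    "2022-05-01T10:00:03 10.0.0.9 -> 198.51.100.10:443 SYN",
    "2022-05-01T10:00:03 10.0.0.9 -> 198.51.100.10:443 ACK",
    "2022-05-01T10:00:20 10.0.0.9 -> 198.51.100.11:443 SYN",
    "2022-05-01T10:00:45 10.0.0.9 -> 198.51.100.12:443 SYN",
]


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that do not match the expected format
    d = m.groupdict()
    return datetime.fromisoformat(d["ts"]), d["src"], d["dst"], int(d["dport"]), d["flags"]


def find_horizontal_scans(lines: Iterable[str], window_s: int = 60,
                          min_targets: int = 8) -> Dict[Tuple[str, int], int]:
    """Return {(src, dport): max distinct destinations seen within any
    window_s-second window} for pairs reaching at least min_targets."""
    events: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[4] == "SYN":
            ts, src, dst, dport, _ = rec
            events[(src, dport)].append((ts, dst))
    flagged: Dict[Tuple[str, int], int] = {}
    for key, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):  # sliding time window over sorted SYNs
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= min_targets:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    table = make_table()
    partial = recover_table("update.sh", encode("update.sh", table))
    print(decode_partial(encode("wget", table), partial))  # unrecovered chars shown as ?
    print(find_horizontal_scans(SAMPLE_LOG))
```

The table-recovery routine works because a per-character swap preserves string length and position, so one string that is known or guessable in plaintext (a script name like `update.sh`, a URL path, a User-Agent) yields a partial table immediately, and a position conflict tells the analyst the guess was wrong. The sweep detector keys on the scanning side of the behaviour the article describes; pairing it with alerts on the follow-on HTTP requests to hosts that answered with SYN/ACK gives higher confidence than either signal alone.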