Threat Watch

EnemyBot Borrows Code from Other Botnets

 A new and evolving malware called EnemyBot is targeting Content Management Systems (CMS), web servers, and Android devices. The malware is believed to be distributed by the threat actor group Keksec. A report from AT&T Alien Labs explains that the malware is using code from various botnets such as Mirai, Qbot, and Zbot. The malware is distributed by targeting Linux machines and Internet of Things (IoT) devices. It is broken into four main parts. The first is used to download dependencies and compile the malware into different OS architectures. After completion, a batch file is created and used to spread the malware. The second part of the source code includes all the other functionality of the malware and incorporates the source code from other botnets. The third part is the obfuscation segment and is compiled and executed manually to encode/decode the malware strings by using a swap table to hide the strings. The final part of the malware includes Command and Control (C2) components. Keksec has been involved in attacks since as early as 2016 according to researchers and includes several botnet actors.


A full list of the vulnerabilities that are targeted by the threat actor can be found in the report from AT&T, which is linked below. The malware is just beginning to spread but is being updated often, which gives this botnet the chance to grow and spread rapidly. Organizations should ensure that their exposure from Linux servers and IoT devices to the internet remains limited to better protect themselves. It is also recommended to use a monitoring service such as Binary Defense’s Managed Detection and Response to help find and stop attacks quickly. Ensuring that software is being updated regularly is also important, and if possible, auto-updates should be turned on.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS