A new and evolving malware family called EnemyBot is targeting Content Management Systems (CMS), web servers, and Android devices. The malware is believed to be distributed by the threat actor group Keksec. A report from AT&T Alien Labs explains that the malware reuses code from several botnets, including Mirai, Qbot, and Zbot. It is spread by targeting Linux machines and Internet of Things (IoT) devices. The source code is broken into four main parts. The first downloads dependencies and compiles the malware for different OS architectures; once compilation finishes, a batch file is created and used to spread the malware. The second part contains the rest of the malware's functionality and incorporates the source code borrowed from other botnets. The third part is the obfuscation segment, which is compiled and executed manually to encode and decode the malware's strings using a swap table that hides them from plain-text inspection. The final part contains the Command and Control (C2) components. According to researchers, Keksec has been involved in attacks since as early as 2016 and includes several botnet actors.
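The swap-table string obfuscation described above, illustrated from an analyst's side as an added example (this is not EnemyBot's or the report's code): a constructed 256-entry substitution table encodes strings, and the table is recovered from a known plaintext/obfuscated pair so other strings can be decoded. The table, seed and sample strings are all constructed for this example; the real table is not on the page.

```python
import random


def make_swap_table(seed: int) -> bytes:
    """Constructed 256-entry swap table: a random permutation of 0..255.

    Stands in for the real table, which is not on the page.
    """
    rng = random.Random(seed)
    perm = list(range(256))
    rng.shuffle(perm)
    return bytes(perm)


def invert_table(table: bytes) -> bytes:
    """Build the decode table from the encode table (swap the mapping)."""
    inv = bytearray(256)
    for plain, obf in enumerate(table):
        inv[obf] = plain
    return bytes(inv)


def apply_table(data: bytes, table: bytes) -> bytes:
    """Substitute every byte through the table (used for encode and decode)."""
    return bytes(table[b] for b in data)


def recover_mapping(pairs):
    """Analyst step: learn obfuscated -> plain byte mappings from known pairs.

    Raises if one obfuscated byte maps to two plain bytes, which would mean
    the scheme is not a simple per-byte swap table.
    """
    mapping = {}
    for plain, obf in pairs:
        for p, o in zip(plain, obf):
            if mapping.setdefault(o, p) != p:
                raise ValueError("inconsistent pair: not a simple swap table")
    return mapping


def decode_partial(obf: bytes, mapping: dict) -> str:
    """Decode with a partially recovered table; unknown bytes become '?'."""
    return "".join(chr(mapping[b]) if b in mapping else "?" for b in obf)


if __name__ == "__main__":
    table = make_swap_table(seed=7)          # constructed table
    known = b"sample string"                 # constructed known plaintext
    obf = apply_table(known, table)
    mapping = recover_mapping([(known, obf)])
    print(decode_partial(apply_table(b"strings", table), mapping))
```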
By Akshay Rohatgi and Randy Pargman