EnemyBot DDoS Botnet Uses Mirai and Gafgyt Exploit Code

The Enemybot botnet, which has been enslaving routers and other IoT devices since last month, has been linked to a threat group that conducts crypto mining and distributed denial-of-service (DDoS) attacks.

According to a report from Fortinet FortiGuard Labs, this botnet is mainly derived from Gafgyt's source code but has been observed to borrow several modules from Mirai's original source code.

Keksec (aka Kek Security, Necro, and FreakOut) has been linked to multiple botnets such as Simps, and Ryuk (not to be confused with the ransomware of the same name), and Samael, and has a history of targeting cloud infrastructure to conduct crypto mining and DDoS operations.

An analysis of the malware specimen has highlighted Enemybot's obfuscation attempts to hinder analysis and connect to a remote server hosted in the Tor anonymity network to fetch attack commands, which is why it primarily targets routers from Seowon Intech, D-Link, and iRZ.

The latest version of Enemybot uses the scanner and bot killer modules from Mirai, which are used to scan and terminate competing processes on the same devices like those running Gafgyt, the other botnet malware.

The botnet uses a variety of n-day vulnerabilities to spread the infection to new machines.

1. CVE-2020-17456 (CVSS score: 9.8) - A remote code execution flaw in Seowon Intech SLC-130 And SLR-120S devices.
2. CVE-2018-10823 (CVSS score: 8.8) - An arbitrary code execution vulnerability in D-Link routers
3. CVE-2022-27226 (CVSS score: 8.8) - A cross-site request forgery issue affecting iRZ Mobile Routers leading to remote code execution

"Enemybot is likely an updated and a rebranded variant of Gafgyt tor," according to Fortinet, citing its similarity to Gafgyt tor.

According to 360 Netlab researchers, Fodcha is a rapidly spreading DDoS botnet that has infected more than 10,000 active bots every day from March 29 to April 10, 2022, resulting in the infection of more than 62,000 unique bots.

Android, GitLab (CVE-2021-22205), Realtek Jungle SDK (CVE-20211-35394), digital video recorders from MVPower, LILIN, and routers TOTOLINK and ZHONE have all been infected by Fodcha.