VMware, F5, Log4j added to EnemyBot attack targets

VMware, F5, Log4j added to EnemyBot attack targets

Also tries to infect Android devices.

By on

AT&T is warning of expansions to the EnemyBot malware botnet that target recently-discovered vulnerabilities in F5 hardware and VMware software.

Discovered by Secronix in March, EnemyBot’s original target was the wide range of Linux variants used in IoT devices.

However, a more recent analysis released last week by AT&T Alien Labs showed EnemyBot is launching attacks against a number of more recent vulnerabilities in content management systems, web servers, F5 hardware, and VMware software.

The AT&T analysis notes that “most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. "

“However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality," it wrote.

There’s quite a list of targets in the AT&T analysis, with the high-profile Log4j remote code execution (RCE) vulnerabilities from last year (CVE-2021-44228 and CVE-2021-45046), a VMware Workspace ONE vulnerability (CVE-2022-22954) discovered in April, and a REST vulnerability in F5’s BIG-IP application delivery server (CVE-2022-1388) published in May.

Nine of the vulnerabilities, including several in Wordpress plugins and one in Adobe ColdFusion 11 discovered in February (outlined at Packetstorm), have no CVE assigned.

If EnemyBot successfully infects a target, it will try to find other vulnerable hosts to infect. 

Its command and control (C&C) servers can also invoke a range of commands on EnemyBot, including various DDoS tools, shell commands, reverse shell creation, and a TLS attack (it starts a handshake without closing the socket).

It will also try to infect Android devices connected through the USB port, AT&T said.

In April, Fortinet and others attributed EnemyBot to a cryptomining and DDoS attack group dubbed Keksec. 

“The EnemyBot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet”, Fortinet wrote at the time.

To reach the editorial team on your feedback, story ideas and pitches, contact them here.
Copyright © iTnews.com.au . All rights reserved.

Most Read Articles