Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene

The botnet borrows a few tricks from Mirai.
Written by Charlie Osborne, Contributing Writer

A new botnet is targeting routers, Internet of Things (IoT) devices, and an array of server architectures.

On April 12, cybersecurity researchers from FortiGuard Labs said the new distributed denial-of-service (DDoS) botnet, dubbed Enemybot, borrows modules from the infamous Mirai botnet's source code, alongside Gafgyt's.

The Mirai botnet was responsible for a massive DDoS attack against Dyn in 2016. Mirai's source code was leaked online in the same year, and even now, botnets utilizing parts of the malicious network continue to be weapons of choice for threat actors.

Gafgyt/Bashlite code is also public, and according to FortiGuard, the new Enemybot employs elements of both botnets in its attacks, joining the likes of Okiru, Satori, and Masuta.

Keksec is thought to be the botnet's operator. Keksec, also known as Necro or Freakout, is a prolific threat group connected to DDoS assaults, cyberattacks against cloud service providers, and cryptojacking campaigns.

According to Lacework, the threat group is also the developer of a Tsunami DDoS malware variant called "Ryuk," although this is not to be confused with the Ryuk ransomware family.

Enemybot was first discovered in March 2022. The botnet uses Mirai's scanner module and bot killer, which checks for running processes in memory and terminates any competitors based on a selection of keywords.

The team has described the botnet as an "updated and "rebranded" variant of Gafgyt_tor" due to its heavy reliance on botnet functions sourced from Gafgyt's codebase.

Enemybot will attempt to compromise a wide range of devices and architectures through techniques including brute-force attacks and vulnerability exploitation.

Seowon Intech, D-Link, Netgear, Zhone, and D-Link routers are targeted, as well as iRZ mobile routers and misconfigured Android devices. The threat actors will try to exploit both old, patched vulnerabilities and newer security issues such as Log4j.

When it comes to architecture, Enemybot isn't too picky. Desktop and server systems on arm, arm64, Darwin, and BSD are attacked, alongside many others.

"This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks," the researchers say.

Once the malware has compromised a device or server, a text file is loaded with cleartext messages, such as: "ENEMEYBOT V3.1-ALCAPONE - hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device literally has the security of a [shitty device] / [smart doorbell])."

Enemybot then grabs binaries, depending on the target architecture, and executes a range of DDoS-related commands.

The malware can also use a range of obfuscation methods to hinder analysis and hide its presence. The botnet's command-and-control (C2) server is hosted on a .onion domain, only accessible via the Tor network.

Enemybot is still under active development.

"We expect that more updated versions will be distributed in the wild soon," the researchers say. "FortiGuard Labs will keep monitoring this botnet."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards