A prolific threat group known for deploying distributed denial-of-service (DDoS) and cryptomining attacks is running a new botnet that is built using the Linux-based Gafgyt source code along with some code from the Mirai botnet malware.

The group Keksec (also known as Nero and Freakout) is using the fast-evolving Enemybot to target routers from vendors like Seowon Intech and D-Link and is exploiting a remote code execution (RCE) vulnerability (CVE-2022-27226) discovered last month in iRZ mobile routers, according to a report this week by Fortinet’s FortiGuard Labs team.

Keksec is using the Enemybot malware as a classic botnet, rolling up compromised Internet of Things (IoT) devices into a larger botnet that can be used to launch DDoS attacks.

However, FortiGuard researchers wrote that the bad actors may be considering extending the use of Enemybot into other areas beyond DDoS attacks, noting different samples of the code detected that add and remove exploits, leveraging the high-profile Log4j flaw and targeting a range of routers as well as Apache HTTP servers.

Enemybot, like most botnets, infects multiple architectures to improve the chances of infecting devices and, along with IoT devices, this malware also targets desktop and server architectures like BSD, macOS, Arm and x86.

“This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks,” the researchers wrote. “Based on their previous botnet operations, using them for cryptomining is a big possibility.”

Keksec is also using a range of obfuscation methods to make it more difficult for the malware to be analyzed and to hide it from other botnets. In addition, it connects to a command-and-control (C2) server hidden in the Tor network, which increases its anonymity and makes it harder to take it down, they wrote.

Once a device is compromised, Enemybot drops a file in /tmp/.pwned that contains a message pointing to Keksec as the attacker. In initial samples, the message was stored as cleartext, though a new sample released soon after included the message encoded with an XOR operation using a multi-byte key, which the FortiGuard team said indicates that the malware is still being actively developed.

Newer samples showed the malware reverting back to cleartext for the message, which may show that multiple developers are working on different versions of the codebase or who have different programming tendencies.

Enemybot is based mainly on Gafgyt – also known as Bashlite – a DDoS botnet whose source code was leaked in 2015. Keksec has developed other botnets using the Gafgyt code. However, some of the Enemybot modules – such as its scanner module – also include code from Mirai, a notorious botnet that also targets IoT devices.

Another module that shares code with Mirai is the bot killer module, which searches for running processes started from particular file paths or with specific keywords in its process memory and then terminates the processes. According to the FortiGuard researchers, Enemybot includes more than 60 keywords to identify and kill off competing malware running on the same devices.

Reports about Gafgyt malware family including Mirai code surfaced last year. In addition, the malware has several similarities to Gafgyt_tor, which makes the researchers believe that Enemybot is likely an updated and rebranded variant of Gafgyt_tor.

“In terms of spreading, Enemybot uses several methods that have also been observed in other IoT botnet campaigns,” they wrote. “One way is using a list of hardcoded username/password combinations to login into devices configured with weak or default credentials. This is another module that was copied from Mirai’s source code. This malware also tries to run shell commands to infect misconfigured Android devices that expose Android Debug Bridge port.”

That includes targeting devices with specific vulnerabilities, including flaws in Seowon Intech SLC-130 and SLR-120s routers, a vulnerability in older D-Link routers and a more recent flaw – tracked as CVE-2022-27226 – on iRZ mobile routers that Enemybot exploited soon after it was published in March.

“After a successful exploit, a shell command is executed to download another shell script from a URL,” the researchers wrote. “In most cases, particularly in Mirai-based botnets, this URL is hardcoded. In the case of Enemybot, however, this URL is dynamically updated by the C2 server via the command LDSERVER. The clear advantage of this method is that when the download server is down for whatever reason, the botnet operators can just update the bot clients with a new URL.”

Once installed on a targeted device, the malware connects to the C2 server and awaits instructions that can include performing various attacks, spread to other devices, stop ongoing DDoS attacks and run shell commands.

Enemybot also obfuscates code strings in number of ways to make detection and analysis more difficult. The obfuscation techniques include credentials for SSH brute-forcing and bot-killer keywords that use Mirai-style encoding, commands encrypted with a substitute cypher – such as swapping one character for another – and encoded strings that simply add three to the numeric value of each character.

In addition, the C2 domain uses XOR encoding with the multi-byte key.

“While these obfuscation techniques are simplistic, they are sufficient to hide tell-tale indicators of its presence from casual analysis and other botnets,” they wrote. “Most IoT botnets, including Enemybot, are known for searching for such indicators to terminate other botnets running on the same device.” ®