VMware and F5 BIG-IP flaws are being exploited by EnemyBot

Home/BOTNET, IOC's, Malware, Security Advisory, vulnerability/VMware and F5 BIG-IP flaws are being exploited by EnemyBot

VMware and F5 BIG-IP flaws are being exploited by EnemyBot

EnemyBot, a botnet derived from many pieces of malware codes, extends its overall reach by rapidly incorporating exploits for previously detected severe vulnerabilities in web servers, content management systems, IoT, and Android devices

When Fortinet released an analysis of fresh samples by April, it had already included weaknesses for over a dozen processor architectures. Its primary goal is to perform distributed denial-of-service (DDoS) attacks, including modules that scan for and infect new target devices. 

According to a recent analysis from AT&T Alien Labs, the latest EnemyBot versions have exploits for 24 flaws.

What has been discovered?

Recently, the latest variants of EnemyBot were found adding exploits for 24 vulnerabilities, along with other enhancements.

  • The botnet has added flaws for more than a dozen processor architectures such as ARM, x86, OpenBSD, macOS, PowerPC, and MIPS.
  • Additionally, it is suspected to have some strong correlation with the LolFMe botnet in terms of having similar strings, structure, and patterns in the code.

The DDoS botnet targeted several routers and web servers by exploiting known vulnerabilities. It targets multiple architectures, including arm, bsd, x64, and x86. Moreover, it is operated by a group named Keksec, which seems to be expanding its botnet network.

Once a vulnerability has been successfully exploited, the malware runs a shell command to download a shell script from a URL that is dynamically updated by the C&C. The script is responsible for downloading the actual Enemybot binary compiled for the target device’s architecture.

Finally after a successful infection, the malware connects to its C&C server and awaits instructions. Based on received commands, it can perform DNS amplification attacks and various types of DDoS assaults, sniff traffic, and spread to other devices via brute force attacks.

Exploited flaws – EnemyBot

The analysis of the new variant of EnemyBot by AT&T Alien Labs disclosed information regarding the exploited flaws:

  • CVE-2022-22954: A remote code execution flaw in VMware Workspace ONE Access and Identity Manager.
  • CVE-2022-22947: A remote code execution flaw in Spring, fixed in March 2022, and targeted throughout April.
  • CVE-2022-1388: A remote code execution flaw in  F5 BIG-IP that leads to device takeover.
  • Other targeted flaws include vulnerabilities associated with routers and IoT devices such as CVE-2022-27226 (iRZ), CVE-2022-25075 (TOTOLINK), and the infamous Log4Shell vulnerability.

Mitigation for EnemyBot

  • Ensure systems are fully patched and not vulnerable to RCE
  • Patch IoT devices’ firmware to the latest versions to mitigate external exploitation
  • Employ the usage of layer-7 network monitoring and detection to detect common exploits that may leverage RCE
  • Ensure that externally exposed network segments are isolated from internal hosts
  • Disable or limit execution from linux /tmp/ directories


IP ADDRESS80.94.92[.]38Malware C&C
SHA2567c0fe3841af72d55b55bc248167665da5a9036c972acb9a9ac0a7a21db016cc6Malware hash
SHA2562abf6060c8a61d7379adfb8218b56003765c1a1e701b346556ca5d53068892a5Malware hash
SHA2567785efeeb495ab10414e1f7e4850d248eddce6be91738d515e8b90d344ed820dMalware hash
SHA2568e711f38a80a396bd4dacef1dc9ff6c8e32b9b6d37075cea2bbef6973deb9e68Malware hash
SHA25631a9c513a5292912720a4bcc6bd4918fc7afcd4a0b60ef9822f5c7bd861c19b8Malware hash
SHA256139e1b14d3062881849eb2dcfe10b96ee3acdbd1387de82e73da7d3d921ed806Malware hash
SHA2564bd6e530db1c7ed7610398efa249f9c236d7863b40606d779519ac4ccb89767fMalware hash
SHA2567a2a5da50e87bb413375ecf12b0be71aea4e21120c0c2447d678ef73c88b3ba0Malware hash
SHA256ab203b50226f252c6b3ce2dd57b16c3a22033cd62a42076d09c9b104f67a3bc9Malware hash
SHA25670674c30ed3cf8fc1f8a2b9ecc2e15022f55ab9634d70ea3ba5e2e96cc1e00a0Malware hash
SHA256f4f9252eac23bbadcbd3cf1d1cada375cb839020ccb0a4e1c49c86a07ce40e1eMalware hash
SHA2566a7242683122a3d4507bb0f0b6e7abf8acef4b5ab8ecf11c4b0ebdbded83e7aaMalware hash
SHA256b63e841ded736bca23097e91f1f04d44a3f3fdd98878e9ef2a015a09950775c8Malware hash
SHA2564869c3d443bae76b20758f297eb3110e316396e17d95511483b99df5e7689fa0Malware hash

By | 2022-06-02T14:58:16+05:30 June 2nd, 2022|BOTNET, IOC's, Malware, Security Advisory, vulnerability|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!