{"id":18750,"date":"2022-04-12T16:40:03","date_gmt":"2022-04-13T00:40:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/12\/news-12483\/"},"modified":"2022-04-12T16:40:03","modified_gmt":"2022-04-13T00:40:03","slug":"news-12483","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/04\/12\/news-12483\/","title":{"rendered":"Enemybot: A Look into Keksec&#8217;s Latest DDoS Botnet"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Affected Platforms:<\/b> Linux<br \/> <b>Impacted Users:<\/b> Any organization<br \/> <b>Impact:<\/b> Remote attackers gain control of the vulnerable systems<br \/> <b>Severity Level:<\/b> Critical <\/p>\n<p>In mid-March, <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguardlabs\">FortiGuard Labs<\/a> observed a new <a href=\"https:\/\/www.fortinet.com\/products\/ddos\/fortiddos.html?utm_source=blog&amp;utm_campaign=ddos\">DDoS<\/a> botnet calling itself \u201cEnemybot\u201d and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.<\/p>\n<p>This botnet is mainly derived from Gafgyt\u2019s source code but has been observed to borrow several modules from Mirai\u2019s original source code.<\/p>\n<p>It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. 
Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.<\/p>\n<p>Enemybot has been seen targeting routers from Seowon Intech and D-Link, and exploiting a recently reported iRZ router vulnerability to infect more devices.<\/p>\n<p>This blog details how this malware leverages these vulnerabilities and the commands it can execute once inside an infected device.<\/p>\n<h2><b>Enemybot by Keksec<\/b><\/h2>\n<p>One of the first things Enemybot does is drop a file in <i>\/tmp\/.pwned<\/i> containing a message that attributes it to Keksec. In earlier samples, this message was stored as cleartext. Only a few days later, a new sample was released with the message encoded with an XOR operation using a multi-byte key. This suggests that this malware is being actively developed.<\/p>\n<p>A sample captured on March 24, 2022 (SHA256: fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473) has the message in cleartext:<\/p>\n<p style=\"text-align: center;\"><i>\u201cENEMEYBOT V3.1-ALCAPONE hail KEKSEC\u201d<\/i><\/p>\n<p>A sample from March 28, 2022 (SHA256: 93706966361922b493d816fa6ee1347c90de49b6d59fc01c033abdd6549ac8b9) encoded the message with an XOR operation using a multi-byte key.<\/p>\n<p>Upon decoding, the message has also been changed to:<\/p>\n<p><i>\u201cENEMEYBOT V3.1-ALCAPONE &#8211; hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device literally has the security of a [shitty device] \/ [smart doorbell])\u201d<\/i><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" 
src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649429038246\/picture1.png\" alt=\"Screenshot of code snippet from decoding .pwned message\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 1: Code snippet from decoding .pwned message<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Subsequently, FortiGuard Labs researchers discovered newer samples that reverted to the cleartext versions of the <i>\/tmp\/.pwned<\/i> message, which might suggest the possibility of multiple developers working with different versions of the codebase or having different programming habits.<\/p>\n<p>Keksec is known for operating multiple botnets, some of which are based on Gafgyt (a.k.a. Bashlite). Gafgyt is a DDoS botnet whose source code was leaked way back in 2015.<\/p>\n<p>In the case of Enemybot, although it is mainly based on Gafgyt, it was observed that some of its modules are clearly borrowed from Mirai\u2019s source code. 
One of these is Enemybot\u2019s scanner module, as shown in the screenshots below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_1781858310.img.png\/1649429114521\/picture2.png\" alt=\"Screenshot of obvious code similarities between Mirai and Enemybot\u2019s scanner modules\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Obvious code similarities between Mirai and Enemybot\u2019s scanner modules<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Another module shared with Mirai is the bot killer module, which searches for any running processes started from certain file paths or with specific keywords in their process memory, and then terminates them. Enemybot enhances the original Mirai code with over sixty keywords to identify and kill off any competitors running on the same devices.<\/p>\n<p>While researching this botnet, FortiGuard Labs observed that Enemybot shares several similarities with Gafgyt_tor, previously reported by <a href=\"https:\/\/blog.netlab.360.com\/gafgtyt_tor-and-necro-are-on-the-move-again\/\">other researchers<\/a>, and assessed that Enemybot is likely an updated and \u201crebranded\u201d variant of Gafgyt_tor.<\/p>\n<h2><b>Technical Details<\/b><\/h2>\n<p><i>Infects Multiple Architectures<\/i><\/p>\n<p>Like most botnets, this malware infects multiple architectures to increase its chances of infecting more devices. 
In addition to IoT devices, Enemybot also targets desktop\/server architectures such as BSD, including Darwin (macOS), and x64.<\/p>\n<p>Enemybot targets the following architectures:<\/p>\n<ul>\n<li>arm<\/li>\n<li>arm5<\/li>\n<li>arm64<\/li>\n<li>arm7<\/li>\n<li>bsd<\/li>\n<li>darwin<\/li>\n<li>i586<\/li>\n<li>i686<\/li>\n<li>m68k<\/li>\n<li>mips<\/li>\n<li>mpsl<\/li>\n<li>ppc<\/li>\n<li>ppc-440fp<\/li>\n<li>sh4<\/li>\n<li>spc<\/li>\n<li>x64<\/li>\n<li>x86<\/li>\n<\/ul>\n<p>Enemybot\u2019s download server was previously misconfigured and displayed a list of ELF binaries for different architectures (Figure 3). The threat actors had fixed this at the time of writing.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_955539597.img.png\/1649429443386\/picture3.png\" alt=\"Screenshot of open directory of Enemybot\u2019s download server\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Open directory of Enemybot\u2019s download server<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Obfuscation<\/i><\/p>\n<ul>\n<li>Enemybot obfuscates strings in a variety of ways:\n<ul>\n<li>The C2 domain uses XOR encoding with a multi-byte key<\/li>\n<li>Credentials for SSH brute-forcing and bot killer keywords use Mirai-style encoding, i.e., single-byte XOR encoding with 0x22<\/li>\n<li>Commands are encrypted with a substitution cipher, i.e., swapping one character for another<\/li>\n<li>Some strings are encoded by simply adding three to the numeric value of each character<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>While these 
obfuscation techniques are simplistic, they are sufficient to hide tell-tale indicators of its presence from casual analysis and from other botnets. Most IoT botnets, including Enemybot, are known to search for such indicators in order to terminate other botnets running on the same device.<\/p>\n<p><i>Infecting More Devices<\/i><\/p>\n<p>In terms of spreading, Enemybot uses several methods that have also been observed in other IoT botnet campaigns.<\/p>\n<p>One way is using a list of hardcoded username\/password combinations to log in to devices configured with weak or default credentials. This is another module that was copied from Mirai\u2019s source code.<\/p>\n<p>This malware also tries to run shell commands to infect misconfigured Android devices that expose the Android Debug Bridge (ADB) port (5555).<\/p>\n<p>The last method is to target devices with specific vulnerabilities, as listed below:<\/p>\n<ul>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-17456\">CVE-2020-17456<\/a> is a vulnerability that affects SEOWON INTECH SLC-130 and SLR-120S routers. 
Malicious commands can be injected into the <i>pingIPAddr<\/i> parameter (Figure 4).<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_1011520000.img.png\/1649429826100\/picture4.png\" alt=\"Screenshot of CVE-2020-17456 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 4: CVE-2020-17456 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>Another vulnerability (no CVE assigned) targets the Seowon SLC-130 router. This is similar to the previous exploit, only this time the command is injected via the vulnerable <i>queriesCnt<\/i> parameter. 
The implementation was likely based on publicly available exploit code.<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_1003620835.img.png\/1649430022092\/picture5.png\" alt=\"Screenshot of another exploit targeting Seowon SLC-130 router\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: Another exploit targeting Seowon SLC-130 router<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-10823\">CVE-2018-10823<\/a> is an older D-Link router vulnerability that allows an authenticated user to execute a malicious command through the <i>Sip<\/i> parameter of the <i>chkisg.htm<\/i> page (Figure 6). The following devices are affected by this vulnerability:\n<ul>\n<li>DWR-116 through 1.06<\/li>\n<li>DWR-512 through 2.02<\/li>\n<li>DWR-712 through 2.02<\/li>\n<li>DWR-912 through 2.02<\/li>\n<li>DWR-921 through 2.02<\/li>\n<li>DWR-111 through 1.01<\/li>\n<\/ul>\n<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">\n<p style=\"margin-left: 40.0px;\">D-Link provided updated firmware for some of the above-mentioned devices. 
It is recommended to check these devices and update them if they are still running vulnerable versions.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_1383694457.img.png\/1649430676657\/picture6.png\" alt=\"Screenshot of CVE-2018-10823 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: CVE-2018-10823 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-27226\">CVE-2022-27226<\/a> is a recent vulnerability in iRZ mobile routers that was exploited by Enemybot shortly after it was published on March 19, 2022. 
In fact, this is the first botnet observed by FortiGuard Labs to target devices from this vendor.<\/li>\n<\/ul>\n<p style=\"margin-left: 40.0px;\">This vulnerability allows an attacker to execute a command by adding a crontab entry on the targeted device via the <i>\/api\/crontab<\/i> endpoint (Figure 7).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_1285041825.img.png\/1649430760536\/picture7.png\" alt=\"Screenshot of CVE-2022-27226 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: CVE-2022-27226 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>During the past few weeks, FortiGuard Labs researchers also observed different samples adding and removing exploits. 
The exploits seen in use by Enemybot for propagation are as follows:<\/p>\n<ul>\n<li>CVE-2022-25075 to CVE-2022-25084: Targets TOTOLINK routers, previously exploited by the <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\">Beastmode<\/a> botnet<\/li>\n<li>CVE-2021-44228\/2021-45046: Better known as the Log4j vulnerability; more details are available on our <a href=\"https:\/\/www.fortinet.com\/blog\/psirt-blogs\/apache-log4j-vulnerability\">Fortinet PSIRT blog<\/a><\/li>\n<li>CVE-2021-41773\/CVE-2021-42013: Targets Apache HTTP servers<\/li>\n<li>CVE-2018-20062: Targets ThinkPHP CMS<\/li>\n<li>CVE-2017-18368: Targets Zyxel P660HN routers<\/li>\n<li>CVE-2016-6277: Targets NETGEAR routers<\/li>\n<li>CVE-2015-2051: Targets D-Link routers<\/li>\n<li>CVE-2014-9118: Targets Zhone routers<\/li>\n<li>NETGEAR DGN1000 exploit (No CVE assigned): Targets NETGEAR routers<\/li>\n<\/ul>\n<p>This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a strong possibility.<\/p>\n<p>After a successful exploit, a shell command is executed to download another shell script from a URL. In most cases, particularly in Mirai-based botnets, this URL is hardcoded. In the case of Enemybot, however, this URL is dynamically updated by the C2 server via the command <i>LDSERVER<\/i>. 
The clear advantage of this method is that when the download server is down for whatever reason, the botnet operators can just update the bot clients with a new URL.<\/p>\n<p>The shell script <i>update.sh<\/i> then downloads the actual Enemybot binaries compiled for every architecture it targets and executes them.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_853511716.img.png\/1649430982670\/picture8.png\" alt=\"Screenshot of Code snippet from update.sh\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Code snippet from update.sh<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Commands and DDoS capabilities<\/i><\/p>\n<p>Once the bot gets installed on a victim\u2019s device, it connects to its C2 server and waits for further commands. 
The C2 server hides in the Tor network, and the bot tries to reach it using a hardcoded list of SOCKS proxy IPs.<\/p>\n<p>This bot supports several commands, listed in the following table.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_1551898366.img.png\/1649745582396\/screenshot-2022-04-11-233847.png\" alt=\"table of commands supported by bot\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image_1799710251.img.png\/1649730696228\/screenshot-2022-04-11-193049.png\" alt=\"table of commands supported by bot\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>Conclusion<\/b><\/h2>\n<p>Based on the analysis of FortiGuard Labs, Enemybot is Keksec\u2019s latest tool for performing DDoS attacks.<\/p>\n<p>To protect itself, it uses simple obfuscation techniques on its strings and hosts its C2 server in the Tor network, taking advantage of the network\u2019s anonymity. 
It uses several techniques commonly found in other DDoS botnet malware to infect other devices.<\/p>\n<p>Given that this malware underwent changes even during the research for this article, we expect that further updated versions will be distributed in the wild soon.<\/p>\n<p>FortiGuard Labs will keep monitoring this botnet.<\/p>\n<h2><b>Fortinet Protections<\/b><\/h2>\n<p>Fortinet customers are protected by the following:<\/p>\n<ul>\n<li>The FortiGuard Antivirus service detects and blocks this threat as ELF\/Gafgyt, Linux\/Gafgyt, and Linux\/Mirai<\/li>\n<li>FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerabilities:\n<ul>\n<li>CVE-2022-27226 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/51342\">iRZ.Mobile.Router.API.crontab.AUTH.Remote.Code.Execution<\/a><\/li>\n<li>CVE-2021-44228\/2021-45046 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/51006\">Apache.Log4j.Error.Log.Remote.Code.Execution<\/a><\/li>\n<li>CVE-2021-41773\/CVE-2021-42013 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/50825\">Apache.HTTP.Server.cgi-bin.Path.Traversal<\/a><\/li>\n<li>CVE-2020-17456 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/49451\">Seowon.Intech.Routers.system_log.CGI.Command.Injection<\/a><\/li>\n<li>Seowon SLC-130 Vulnerability RCE (vulnerable \u201cqueriesCnt\u201d parameter) &#8211; Seowon.Intech.Routers.Unauthenticated.Remote.Code.Execution<\/li>\n<li>CVE-2018-20062 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/47291\">ThinkPHP.Controller.Parameter.Remote.Code.Execution<\/a><\/li>\n<li>CVE-2018-10823 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/51354\">D-Link.DWR.CVE-2018-10823.Remote.Code.Execution<\/a><\/li>\n<li>CVE-2017-18368 &#8211; <a 
href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/43619\">TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection<\/a><\/li>\n<li>CVE-2016-6277 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/43532\">NETGEAR.WebServer.Module.Command.Injection<\/a><\/li>\n<li>CVE-2015-2051 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/40772\">D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution<\/a><\/li>\n<li>Netgear DGN1000 exploit (No CVE) &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/44738\">NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The FortiGuard Web Filtering Service blocks downloaded URLs.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/ipreputation-antibot\">FortiGuard IP Reputation &amp; Anti-Botnet Security Service<\/a><span>\u00a0proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.<\/span> <\/p>\n<p><a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/application-control\">FortiGuard Application Control Service<\/a> provides organizations the capability to monitor or block access to malicious, risky, or unwanted applications. 
Customers without specific business requirements for Tor can refer to these Fortinet Technical Tips for blocking <a href=\"https:\/\/community.fortinet.com\/t5\/FortiGate\/Technical-Tip-How-to-block-traffic-coming-from-TOR-exit-nodes\/ta-p\/190958\">inbound<\/a> and <a href=\"https:\/\/community.fortinet.com\/t5\/FortiGate\/Technical-Tip-Blocking-and-monitoring-Tor-traffic\/ta-p\/196239\">outbound<\/a> Tor traffic using the Application Control Service.<\/p>\n<h2><b>IOCs<\/b><\/h2>\n<p><i>Files<\/i><\/p>\n<p><i>Download URLs<\/i><\/p>\n<p><i>C2<\/i><\/p>\n<p>xfrvkmokgfb2pajafphw3upl6gq2uurde7de7iexw4aajvslnsmev5id[.]onion (Tor network)<\/p>\n<p><i>Learn more about 
Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<p>\u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-b2dxtopzidsdt3fkzfsv-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/enemybot-a-look-into-keksecs-latest-ddos-botnet\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649429038246\/picture1.png\"\/><br \/>FortiGuard Labs observed a new DDoS botnet calling itself \u201cEnemybot\u201d and attributing itself to the Keksec threat group. 
Read our blog to learn how this malware leverages vulnerabilities and executes commands once inside an infected device.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18750","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18750"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18750\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}