Cybersecurity researchers have found that EnemyBot, a botnet first seen in 2022, is expanding its reach by rapidly adding exploits for recently disclosed critical vulnerabilities.
The botnet, which already reuses code from a range of other malware families, is extending its attack capabilities with exploits for known weaknesses in content management systems, web servers, Internet of Things (IoT) devices and Android devices.
EnemyBot's activity was first flagged by security researchers at Securonix in March this year. By April, analysis of fresh samples by a second security firm, Fortinet, showed that the botnet had already been updated with new exploits and was being built for more than a dozen processor architectures.
EnemyBot's main purpose to date appears to be launching distributed denial-of-service (DDoS) attacks, but the malware also carries modules that scan for vulnerable devices and infect them, recruiting them into the botnet.
New EnemyBot variants
A recent report from AT&T Alien Labs noted that the latest EnemyBot variants carry exploits for a total of 24 vulnerabilities. Most are rated critical, and some have not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier, which makes it harder for organisations to track them and confirm that a fix is in place.
In April the recorded flaws mainly concerned IoT devices and routers, with CVE-2022-25075 and CVE-2022-27226 among the most recently added. The new variant analysed by AT&T Alien Labs also carries exploits for several other issues, including CVE-2022-22954, a critical remote code execution (RCE) flaw in VMware Workspace ONE Access; CVE-2022-22947, a heavily exploited code-injection flaw in Spring Cloud Gateway; and CVE-2022-1388, an authentication bypass in F5 BIG-IP that leads to RCE and complete takeover of unpatched appliances.
The latest version also supports commands such as RSHELL, which opens a reverse shell from the infected system back to the attacker. Because the connection is initiated outbound from the victim, it passes through firewalls that only filter inbound traffic, giving the operator interactive access to the machine.
All commands from earlier versions of the botnet remain present, so operators keep an extensive set of options when carrying out DDoS attacks.
Additional malware projects waiting in the wings
Keksec, the group that develops and maintains EnemyBot, has other malicious projects at its disposal, including Gafgyt, Tsunami, DarkHTTP, Necro and DarkIRC.
Keksec is an experienced malware author and is clearly investing in its latest project, adding exploits for new vulnerabilities almost as soon as they are disclosed, often before system administrators have had a chance to apply patches.
AT&T Alien Labs researchers also report that an individual closely affiliated with Keksec has released EnemyBot's source code, making it readily available to other malicious operators.
Recommended protections against this type of threat are to apply security patches as soon as vendors release them and to monitor network traffic closely, including outbound connections, since both a reverse shell and DDoS traffic from an infected host leave the network outbound.
At present EnemyBot is used for DDoS attacks, but now that it targets more powerful devices such as web servers, selling access and cryptomining are also plausible uses, which is a further cause for concern.
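The RSHELL command and the advice to watch outbound connections point at the same host-side artifact: a reverse shell is a shell process whose standard input and output are an outbound TCP socket. The following is an added example written for this page, not code from AT&T Alien Labs, Fortinet or the EnemyBot source; it shows one way to detect that condition on a Linux host by checking whether a shell's fd 0/1/2 resolve to `socket:[inode]` and then resolving the inode to its remote endpoint through `/proc/net/tcp`. The `/proc` formats are real; the process table and `/proc/net/tcp` content are constructed sample data, and the shell list and severity rules are assumptions for illustration.

```python
"""Flag reverse-shell candidates in constructed Linux host telemetry.

A reverse shell (what EnemyBot's RSHELL command gives the operator) is a shell
whose standard input and output are a network socket that the infected host
opened outbound. That is why an inbound-only firewall does not stop it, and it
is also what makes it detectable: on Linux the shell's fd 0/1/2 then resolve to
socket:[inode] instead of a tty or pipe, and that inode can be matched to a
remote endpoint in /proc/net/tcp.

Everything below is constructed sample data for illustration, not telemetry
from a real infection.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: shell binaries whose stdio should never be a socket on a server.
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "busybox"}
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

# Constructed: (pid, comm) -> {fd: readlink(/proc/<pid>/fd/<fd>)}.
SAMPLE_FDS = {
    (1337, "bash"): {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"},
    (2201, "bash"): {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"},
    (2210, "sshd"): {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[40100]"},
    (3100, "sh"):   {0: "pipe:[51000]", 1: "socket:[52000]", 2: "pipe:[51001]"},
}

# Constructed /proc/net/tcp content. The kernel prints IPv4 addresses as
# little-endian hex and ports as big-endian hex; the inode is the 10th column.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:CA6E 4D7100CB:115C 01 00000000:00000000 00:00000000 00000000  1000        0 48211 1 0000000000000000 20 4 30 10 -1
   1: 0500000A:0016 0900000A:C3CA 01 00000000:00000000 00:00000000 00000000     0        0 40100 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:CABC 036433C6:0050 01 00000000:00000000 00:00000000 00000000  1000        0 52000 1 0000000000000000 20 4 30 10 -1
"""


def hex_to_endpoint(field: str) -> str:
    """Decode a /proc/net/tcp field such as '0500000A:CA6E' to '10.0.0.5:51822'."""
    addr_hex, port_hex = field.split(":")
    octets = int(addr_hex, 16).to_bytes(4, "little")   # undo the kernel's byte order
    return ".".join(str(b) for b in octets) + ":" + str(int(port_hex, 16))


def parse_proc_net_tcp(text: str) -> Dict[int, Tuple[str, str, str]]:
    """Map socket inode -> (local, remote, state) from /proc/net/tcp text."""
    table: Dict[int, Tuple[str, str, str]] = {}
    for line in text.splitlines()[1:]:                  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        inode = int(cols[9])
        table[inode] = (hex_to_endpoint(cols[1]), hex_to_endpoint(cols[2]),
                        TCP_STATES.get(cols[3], cols[3]))
    return table


@dataclass
class Finding:
    pid: int
    comm: str
    severity: str            # "high": stdin and stdout share one socket; "medium": partial
    remote: Optional[str]    # peer the shell is talking to, if the inode resolved


def find_reverse_shells(fds, sockets) -> List[Finding]:
    """Return shells whose stdio is wired to a socket, with the remote peer."""
    findings: List[Finding] = []
    for (pid, comm), table in fds.items():
        if comm not in SHELLS:
            continue
        stdio_inodes = {}
        for fd in (0, 1, 2):
            m = SOCKET_RE.match(table.get(fd, ""))
            if m:
                stdio_inodes[fd] = int(m.group(1))
        if not stdio_inodes:
            continue
        # Interactive reverse shell: input and output both on the same socket.
        if 0 in stdio_inodes and stdio_inodes.get(1) == stdio_inodes[0]:
            severity = "high"
        else:
            severity = "medium"      # e.g. only stdout redirected into a socket
        inode = next(iter(stdio_inodes.values()))
        entry = sockets.get(inode)
        findings.append(Finding(pid, comm, severity, entry[1] if entry else None))
    return findings


if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for f in find_reverse_shells(SAMPLE_FDS, socks):
        print(f"[{f.severity}] pid={f.pid} comm={f.comm} remote={f.remote}")
```

On a live host the two inputs would come from `os.readlink` over `/proc/<pid>/fd/*` and from reading `/proc/net/tcp` (and `tcp6`); the sshd entry shows why the check is restricted to fd 0/1/2 of shell processes rather than to any process holding a socket. Pairing the remote endpoint with egress flow logs is what turns this into the outbound-connection monitoring the recommendation calls for.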