Researchers from FortiGuard Labs have discovered a new botnet that uses modules from the infamous Mirai botnet in addition to Gafgyt’s source code. Dubbed Enemybot, the botnet targets routers, Internet of Things (IoT) devices, and a range of server architectures, and is used to carry out distributed denial of service (DDoS) attacks.
The Mirai botnet was responsible for a massive DDoS attack against Dyn in 2016. The Mirai source code was released online that same year, and even now, botnets built from parts of that code are the weapon of choice for threat actors.
Gafgyt/Bashlite’s code is also publicly available, and according to FortiGuard, the new Enemybot uses elements of both botnets in its attacks, joining the ranks of Okiru, Satori, and Masuta.
It is suspected that Keksec is the operator of the botnet. Keksec, also known as Necro or Freakout, is a successful threat group associated with DDoS attacks, cyberattacks against cloud service providers, and cryptojacking campaigns.
Enemybot was first spotted in March 2022. The malware attempts to compromise a variety of devices and architectures using techniques such as brute force attacks and exploitation of vulnerabilities. Seowon Intech, D-Link, Netgear and Zhone routers are targeted, as well as iRZ mobile routers and misconfigured devices. The threat actors try to exploit both old, patched vulnerabilities and newer vulnerabilities like Log4j.