Two botnets have been attempting to infect devices worldwide by exploiting flaws in modems, routers, and IoT devices. Both botnets, dubbed Enemybot and Fodcha, are capable of launching DDoS attacks.
Enemybot, a Mirai-based botnet, has been expanding its fleet of infected devices by exploiting vulnerabilities in modems, routers, and IoT devices; the threat actor in charge is Keksec. This group specialises in crypto-mining and DDoS attacks, both of which are supported by botnet malware that infiltrates IoT devices and takes over their processing capacity.
Enemybot uses string obfuscation, and its C2 server is hidden behind Tor nodes, which makes mapping and taking it down difficult for now. Despite this, researchers at Fortinet found it in the wild, collected samples, analysed them, and published a full technical report on its functions.
Once a device is infected, Enemybot connects to the C2 and waits for commands to execute. Although most of the commands relate to DDoS (distributed denial of service) attacks, the malware is not confined to them.
Fortinet, in particular, provides the following list of supported commands:
- ADNS – Perform DNS amplification attack
- ARK – Perform an attack on the servers of the game “ARK: Survival Evolved”
- BLACKNURSE – Flood the target with Destination Port Unreachable ICMP messages
- DNS – Flood DNS servers with hardcoded DNS UDP queries
- HOLD – Flood the target with TCP connections and hold them for a specified time
- HTTP – Flood the target with HTTP requests
- JUNK – Flood the target with random non-zero-byte UDP packets
- OVH – Flood OVH servers with custom UDP packets
- STD – Flood the target with random-byte UDP packets
- TCP – Flood the target with TCP packets featuring spoofed source headers
- TLS – Perform SSL/TLS attack
- UDP – Flood the target with UDP packets featuring spoofed source headers
- OVERTCP – Perform TCP attack with randomized packet delivery intervals
- STOP – Stop ongoing DoS attacks
- LDSERVER – Update download server for exploit payload
- SCANNER – Spread to other devices via SSH/Telnet brute-forcing and exploits
- SH – Run shell command
- TCPOFF/TCPON – Turn sniffing off or on at ports 80, 21, 25, 666, 1337, and 8080, possibly to collect credentials
Enemybot targets a variety of architectures, ranging from the popular x86, x64, i686, darwin, bsd, arm, and arm64 to the rarer and outdated ppc, m68k, and spc.
This is critical for the malware’s ability to spread since it can recognise the pivot point’s architecture and retrieve the appropriate binary from the C2.
Fortinet has seen minor changes in the sets of targeted vulnerabilities among the sampled variants, but the three that are present everywhere are:
- CVE-2020-17456: Critical (CVSS 9.8) remote code execution (RCE) flaw in Seowon Intech SLC-130 and SLR-120S routers.
- CVE-2018-10823: High severity (CVSS 8.8) RCE flaw affecting multiple D-Link DWR routers.
- CVE-2022-27226: High severity (CVSS 8.8) arbitrary cronjob injection impacting iRZ mobile routers.
To prevent Enemybot or any other botnet from infecting your devices and recruiting them into DDoS botnets, always apply the latest available software and firmware updates for your product.
Signs of a possible botnet infection include a router that becomes unresponsive, declining internet speeds, and the device running hotter than usual. In that case, perform a manual hard reset of the device, change the admin password in the management panel, and then download and install the latest available updates from the vendor’s website.
The Fodcha botnet has been targeting over 100 victims every day in DDoS attacks, infecting routers, DVRs, and servers. The number of unique IP addresses linked to the botnet fluctuates; 360 Netlab reports tracking a 10,000-strong Fodcha army of bots using Chinese IP addresses every day, most of them on China Unicom (59.9%) and China Telecom (39.4%) networks.
The number of daily live bots exceeds 56,000, Netlab said, citing figures from the security community partners it collaborated with. The global infection appears to be quite large: there are over 10,000 daily active bots (IPs) in China alone, and over 100 DDoS victims are targeted every day. Fodcha infects new devices by exploiting n-day vulnerabilities in many devices and by using the Crazyfia brute-force cracking tool.
The Fodcha botnet targets a variety of devices and services, including but not limited to:
- Android: Android ADB Debug Server RCE
- GitLab: CVE-2021-22205
- Realtek Jungle SDK: CVE-2021-35394
- MVPower DVR: JAWS Webserver unauthenticated shell command execution
- LILIN DVR: LILIN DVR RCE
- TOTOLINK Routers: TOTOLINK Routers Backdoor
- ZHONE Router: ZHONE Router Web RCE
After gaining access to vulnerable Internet-exposed devices, Fodcha operators use the Crazyfia scan results to deploy the malware payload. According to 360 Netlab, the botnet samples target MIPS, MPSL, ARM, x86, and other CPU architectures. The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc after the cloud vendor took down the initial C2 domain.
The switch from v1 to v2 was due to a cloud vendor shutting down the C2 servers of the v1 version, which left Fodcha’s operators no alternative but to relaunch as v2 with an upgraded C2, the researchers found. The new C2 is mapped to over a dozen IP addresses scattered across several countries, including the United States, Korea, Japan, and India, and it spans more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others.
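Both Enemybot and Fodcha ship one binary per CPU architecture and pick the right one for the device they land on, so a defender triaging a recovered dropper set usually starts by reading each file's ELF header to see which CPUs are covered. The Python below is an added example for that step (not code from Fortinet, 360 Netlab or either botnet); the sample headers are constructed inline and are not real malware, and the "mpsl" label for little-endian MIPS follows the usual Mirai-lineage naming.

```python
import struct
from typing import Optional

# e_machine values from the ELF specification, limited to CPUs named in the reports
EM_NAMES = {
    2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 21: "ppc64",
    40: "arm", 43: "sparcv9", 62: "x86_64", 183: "aarch64",
}
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}

def elf_arch(blob: bytes) -> Optional[dict]:
    """Identify the CPU a dropped binary targets from its ELF header.
    Returns None for non-ELF or truncated input (shell droppers, partial downloads)."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = blob[4], blob[5]          # 1=32-bit/2=64-bit, 1=LE/2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    fmt = ("<" if ei_data == 1 else ">") + "HH"   # e_type, e_machine follow EI_DATA byte order
    e_type, e_machine = struct.unpack(fmt, blob[16:20])
    machine = EM_NAMES.get(e_machine, "unknown(0x%x)" % e_machine)
    if machine == "mips" and ei_data == 1:        # little-endian MIPS is "mpsl"/"MPSL" in reports
        machine = "mpsl"
    return {"bits": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "type": E_TYPES.get(e_type, str(e_type)),
            "machine": machine}

def make_header(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Constructed minimal 20-byte ELF header for testing; not a real sample."""
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    return b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8 + struct.pack(fmt, e_type, e_machine)

# Constructed dropper directory, named the way multi-arch loaders usually name payloads
SAMPLES = {
    "bot.mips": make_header(1, 2, 8), "bot.mpsl": make_header(1, 1, 8),
    "bot.arm": make_header(1, 1, 40), "bot.x86_64": make_header(2, 1, 62),
    "bot.m68k": make_header(1, 2, 4), "bot.ppc": make_header(1, 2, 20),
    "bot.spc": make_header(1, 2, 2), "update.sh": b"#!/bin/sh\necho not-an-elf\n",
}

def triage(samples: dict) -> dict:
    """Map each file name to (machine, bits, endian), or None when it is not an ELF payload."""
    return {name: (r["machine"], r["bits"], r["endian"]) if (r := elf_arch(blob)) else None
            for name, blob in samples.items()}

if __name__ == "__main__":
    for name, info in triage(SAMPLES).items():
        print(f"{name:12} {info}")
```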