
Leading the Next Waves of Botnet Attacks: Enemybot and Fodcha


Two botnets have been infecting devices all over the world by exploiting flaws in modems, routers, and IoT devices. These botnets, dubbed Enemybot and Fodcha, are capable of launching DDoS attacks.

About Enemybot

Background

Enemybot, a Mirai-based botnet, has been expanding its fleet of infected devices by exploiting vulnerabilities in modems, routers, and IoT devices, and is operated by the threat actor Keksec. This threat group specialises in crypto-mining and DDoS attacks, both of which are aided by botnet malware that infiltrates IoT devices and takes over their processing capabilities.

Enemybot uses string obfuscation, and its C2 server is hidden behind Tor nodes, which makes mapping it and taking it down difficult at the moment. Despite this, researchers at Fortinet discovered it in the wild, collected samples, analysed them, and published a full technical report on its functions.

Capabilities

Once a device is infected, Enemybot connects to the C2 and waits for commands to execute. Although the majority of the commands relate to DDoS (distributed denial of service) attacks, the malware isn’t confined to them.

Fortinet, in particular, provides the following list of supported commands:

Targets

Enemybot attacks a variety of architectures, ranging from the popular x86, x64, i686, darwin, bsd, arm, and arm64 to the rarer and outdated ppc, m68k, and spc.

This is critical for the malware’s ability to spread, since it can recognise the architecture of the device it is pivoting from and retrieve the matching binary from the C2.
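A defender triaging a captured dropper payload usually wants to know which of these architectures a binary was built for before doing anything else. The following is an added example, not code from the article or from Fortinet: a small ELF header classifier that reads the class, endianness and e_machine fields and maps them to the architecture names used above. The sample headers are constructed inline so the block runs offline; the "mpsl" label for little-endian MIPS is an assumption taken from the naming convention used in the Fodcha section below (darwin and bsd builds named in the article are not ELF and are out of scope here).

```python
import struct

# e_machine values from the ELF specification, restricted to the
# architectures the article names (plus sparc64, which shares the spc family)
EM_NAMES = {
    2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "ppc",
    40: "arm", 43: "sparc64", 62: "x86_64", 183: "arm64",
}

def identify_elf(data: bytes):
    """Return (arch, bits, endianness) for an ELF blob, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                               # malformed ident bytes
    bits = 32 if ei_class == 1 else 64
    endian = "little" if ei_data == 1 else "big"
    fmt = "<H" if ei_data == 1 else ">H"
    e_machine = struct.unpack_from(fmt, data, 18)[0]   # e_machine at offset 18
    arch = EM_NAMES.get(e_machine, f"unknown(em={e_machine})")
    # Assumption: Mirai-style droppers label little-endian MIPS builds "mpsl"
    if arch == "mips" and endian == "little":
        arch = "mpsl"
    return arch, bits, endian

def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed minimal ELF header containing only the fields read above."""
    fmt = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9  # 16 bytes
    e_type = 2                                                        # ET_EXEC
    return ident + struct.pack(fmt + "HH", e_type, e_machine) + b"\x00" * 36

# Constructed sample payload headers, one per architecture family
SAMPLES = {
    "mips_be": make_header(1, 2, 8),
    "mpsl":    make_header(1, 1, 8),
    "arm":     make_header(1, 1, 40),
    "arm64":   make_header(2, 1, 183),
    "x86_64":  make_header(2, 1, 62),
    "m68k":    make_header(1, 2, 4),
    "not_elf": b"MZ\x90\x00" + b"\x00" * 60,
}

def classify_samples(samples=SAMPLES):
    """Map sample name -> classification tuple (or None for non-ELF input)."""
    return {name: identify_elf(blob) for name, blob in samples.items()}

if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:8s} -> {result}")
```

Running the block prints one line per sample; real use would read the first 64 bytes of each file collected from a compromised device and feed them to `identify_elf`.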

Fortinet has seen minor changes in the sets of targeted vulnerabilities among the sampled variants, but the three that are present everywhere are:

Mitigation

Always apply the latest available software and firmware updates for your product to prevent Enemybot or any other botnet from infecting your devices and recruiting them into harmful DDoS botnets.

You may have a botnet malware infection if your router becomes unresponsive, internet speeds decline, and the device heats up more than usual. In this case, perform a manual hard reset on the device, change the admin password in the management panel, and then download and install the latest available updates from the vendor’s website.

About Fodcha

The Fodcha botnet has been ensnaring routers, DVRs, and servers to target over 100 victims every day with DDoS attacks. The number of unique IP addresses linked to the botnet fluctuates as well: 360 Netlab reports tracking a 10,000-strong Fodcha army of bots using Chinese IP addresses every day, the majority of them on China Unicom (59.9%) and China Telecom (39.4%) networks.

The number of daily live bots is over 56,000, Netlab claimed, citing figures from the security community with which it collaborated. The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China alone, as well as over 100 DDoS victims targeted on a daily basis. Fodcha infects new devices by exploiting n-day vulnerabilities in many devices and employing the Crazyfia brute-force cracking tool.

Daily live bots with Chinese IP addresses (Netlab)

The Fodcha botnet targets a variety of devices and services, including but not limited to:

After gaining access to vulnerable Internet-exposed devices, Fodcha operators use the Crazyfia scan results to deploy the malware payload. The botnet samples, according to 360 Netlab, target MIPS, MPSL, ARM, x86, and other CPU architectures. The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc after the cloud vendor took down the initial C2 domain.

The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha’s operators with no alternative but to re-launch as v2 with an upgraded C2, the researchers found. The new C2 is mapped to over a dozen IP addresses scattered across different countries, including the United States, Korea, Japan, and India, and it also spans more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others.
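The two C2 domains named above are the most directly actionable indicators in the article for a network defender: any internal host resolving them is a candidate Fodcha bot, and the date of the lookup tells you whether it was talking to the v1 or v2 infrastructure. The following is an added example, not code from the article or from 360 Netlab: it refangs the defanged domains, scans resolver log lines for exact or subdomain matches, and groups the hits by client and variant. The log lines and the dnsmasq-like `query[A]` format are constructed for the example; adapt the regular expression to your own resolver's format.

```python
import re
from collections import defaultdict

# C2 domains from the article, kept defanged in source and refanged for matching
C2_DOMAINS = {
    "folded[.]in": "v1",        # used January 2022 until March 19, 2022
    "fridgexperts[.]cc": "v2",  # successor after the v1 takedown
}

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").lower()

C2_LOOKUP = {refang(dom): variant for dom, variant in C2_DOMAINS.items()}

# Constructed resolver log lines: "<date> <time> <client-ip> query[<type>] <qname>"
SAMPLE_LOG = """\
2022-03-10 08:12:01 10.0.0.12 query[A] update.folded.in
2022-03-10 08:12:05 10.0.0.12 query[A] www.example.com
2022-03-20 21:44:17 10.0.0.31 query[A] fridgexperts.cc
2022-03-20 21:44:18 10.0.0.31 query[AAAA] cdn.example.net
2022-03-21 02:03:44 10.0.0.12 query[A] a.fridgexperts.cc.
2022-03-21 02:03:45 10.0.0.44 query[A] notfolded.in
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) query\[\w+\] (\S+)$")

def match_c2(qname: str):
    """Return (c2_domain, variant) if qname is a C2 domain or a subdomain of one."""
    qname = qname.rstrip(".").lower()       # normalise trailing dot and case
    for dom, variant in C2_LOOKUP.items():
        # exact match or proper subdomain; "notfolded.in" must not match
        if qname == dom or qname.endswith("." + dom):
            return dom, variant
    return None

def find_c2_lookups(log_text: str):
    """Scan log lines and return a list of hit records."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # unknown format, skip it
        day, _time, client, qname = m.groups()
        hit = match_c2(qname)
        if hit:
            hits.append({"date": day, "client": client, "qname": qname,
                         "c2": hit[0], "variant": hit[1]})
    return hits

def clients_by_variant(hits):
    """Group suspected bots by which C2 generation they contacted."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["variant"]].add(h["client"])
    return {variant: sorted(clients) for variant, clients in grouped.items()}

if __name__ == "__main__":
    found = find_c2_lookups(SAMPLE_LOG)
    for h in found:
        print(f"{h['date']} {h['client']} -> {h['qname']} ({h['variant']} C2)")
    print(clients_by_variant(found))
```

A host that appears under both v1 and v2 (10.0.0.12 in the constructed log) is the more interesting case: it stayed infected across the infrastructure change, so a simple block of the old domain did not clean it.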
