
EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908)

In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.

This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.

It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.

Enemybot has been seen targeting routers from Seowon Intech and D-Link, and exploiting a recently reported iRZ router vulnerability to infect more devices.

Related clusters. Each row is one relationship between two clusters (UUID in parentheses) and the galaxy each belongs to. Level is the hop depth at which the relationship is first reached when walking outward from this EnemyBot cluster: level 1 rows link to it directly, and each higher level lists relationships one hop further out.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) | Botnet | EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | 1 |
| EnemyBot (262d18be-7cab-46c2-bcb0-47fff17604aa) | Malpedia | EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | 1 |
| Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) | Botnet | EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | 1 |
| Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | 1 |
| Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) | Botnet | EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | 1 |
| Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) | Botnet | Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) | Malpedia | 2 |
| Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) | Botnet | Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) | Banker | 2 |
| Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) | Botnet | Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) | Tool | 2 |
| Gafgyt (5fe338c6-723e-43ed-8165-43d95fa93689) | Tool | Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) | Botnet | 2 |
| Bashlite (81917a93-6a70-4334-afe2-56904c1fafe9) | Malpedia | Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) | Botnet | 2 |
| Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) | Botnet | 2 |
| Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) | Botnet | 2 |
| Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) | Tool | 2 |
| Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | Mirai (ELF) (17e12216-a303-4a00-8283-d3fe92d0934c) | Malpedia | 2 |
| Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) | Botnet | ProLock (c4417bfb-717f-48d9-bd56-bc9e85d07c19) | Ransomware | 2 |
| Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) | Botnet | BlackBasta (9db5f425-fe49-4137-8598-840e7290ed0f) | Ransomware | 2 |
| Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) | Banker | Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) | Malpedia | 3 |
| Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) | Banker | Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) | Tool | 3 |
| Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) | Malpedia | Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) | Tool | 3 |
| Gafgyt (5fe338c6-723e-43ed-8165-43d95fa93689) | Tool | Bashlite (81917a93-6a70-4334-afe2-56904c1fafe9) | Malpedia | 3 |
| Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) | Botnet | Owari (ec67f206-6464-48cf-a012-3cdfc1278488) | Malpedia | 3 |
| Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) | Botnet | Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) | Botnet | 3 |
| Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) | Botnet | Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) | Tool | 3 |
| Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) | Botnet | Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) | Tool | 3 |
| Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) | Tool | Mirai (ELF) (17e12216-a303-4a00-8283-d3fe92d0934c) | Malpedia | 3 |
| Conti (201eff54-d41e-4f70-916c-5dfb9301730a) | Ransomware | BlackBasta (9db5f425-fe49-4137-8598-840e7290ed0f) | Ransomware | 3 |
| Conti (201eff54-d41e-4f70-916c-5dfb9301730a) | Ransomware | BlackByte (1c43524e-0f2e-4468-b6b6-8a37f1d0ea87) | Ransomware | 4 |
| Conti (201eff54-d41e-4f70-916c-5dfb9301730a) | Ransomware | QuantumLocker (0ca6ac54-ad2b-4945-9580-ac90e702fd2c) | Ransomware | 4 |
| Mountlocket (7513650c-ba09-49bf-b011-d2974c7ae023) | Ransomware | QuantumLocker (0ca6ac54-ad2b-4945-9580-ac90e702fd2c) | Ransomware | 5 |
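The page does not say how the Level column is computed. The Python below is an added example, not part of the MISP galaxy page or of the misp-galaxy tooling: it parses the rows above (copied verbatim into the script) as an undirected graph keyed by cluster UUID, runs a breadth-first search from this EnemyBot cluster, and checks the assumption that each row's Level equals one plus the hop distance of the nearer endpoint, i.e. the BFS depth at which the relationship is first reached. The two Zeus rows at level 1 and 2 show why the check matters: the same cluster can appear at several levels, so Level is a property of the relationship, not of the cluster.

```python
"""Re-derive the Level column of the related-clusters table by BFS.

Added example for this page; not part of the MISP galaxy page or the
misp-galaxy tooling. Each table row is treated as an undirected edge
between two clusters (keyed by UUID). Assumption under test:
    Level == 1 + min(dist(A), dist(B))
where dist() is the hop distance from the EnemyBot cluster.
"""
import re
from collections import deque

ENEMYBOT = "a5a067c9-c4d7-4f33-8e6f-01b903f89908"

# Rows copied verbatim from the page (Cluster A, Galaxy A, Cluster B, Galaxy B, Level).
TABLE = """\
Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) Botnet EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) Botnet 1
EnemyBot (262d18be-7cab-46c2-bcb0-47fff17604aa) Malpedia EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) Botnet 1
Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) Botnet EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) Botnet 1
Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) Botnet EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) Botnet 1
Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) Botnet EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) Botnet 1
Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) Botnet Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) Malpedia 2
Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) Botnet Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) Banker 2
Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) Botnet Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) Tool 2
Gafgyt (5fe338c6-723e-43ed-8165-43d95fa93689) Tool Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) Botnet 2
Bashlite (81917a93-6a70-4334-afe2-56904c1fafe9) Malpedia Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) Botnet 2
Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) Botnet Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) Botnet 2
Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) Botnet Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) Botnet 2
Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) Botnet Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) Tool 2
Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) Botnet Mirai (ELF) (17e12216-a303-4a00-8283-d3fe92d0934c) Malpedia 2
Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) Botnet ProLock (c4417bfb-717f-48d9-bd56-bc9e85d07c19) Ransomware 2
Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) Botnet BlackBasta (9db5f425-fe49-4137-8598-840e7290ed0f) Ransomware 2
Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) Banker Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) Malpedia 3
Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) Banker Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) Tool 3
Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) Malpedia Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) Tool 3
Gafgyt (5fe338c6-723e-43ed-8165-43d95fa93689) Tool Bashlite (81917a93-6a70-4334-afe2-56904c1fafe9) Malpedia 3
Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) Botnet Owari (ec67f206-6464-48cf-a012-3cdfc1278488) Malpedia 3
Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) Botnet Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) Botnet 3
Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) Botnet Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) Tool 3
Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) Botnet Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) Tool 3
Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) Tool Mirai (ELF) (17e12216-a303-4a00-8283-d3fe92d0934c) Malpedia 3
Conti (201eff54-d41e-4f70-916c-5dfb9301730a) Ransomware BlackBasta (9db5f425-fe49-4137-8598-840e7290ed0f) Ransomware 3
Conti (201eff54-d41e-4f70-916c-5dfb9301730a) Ransomware BlackByte (1c43524e-0f2e-4468-b6b6-8a37f1d0ea87) Ransomware 4
Conti (201eff54-d41e-4f70-916c-5dfb9301730a) Ransomware QuantumLocker (0ca6ac54-ad2b-4945-9580-ac90e702fd2c) Ransomware 4
Mountlocket (7513650c-ba09-49bf-b011-d2974c7ae023) Ransomware QuantumLocker (0ca6ac54-ad2b-4945-9580-ac90e702fd2c) Ransomware 5
"""

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Non-greedy name groups let names that themselves contain parentheses, such as
# "Mirai (ELF)", parse correctly: the UUID shape anchors each cluster cell.
ROW = re.compile(rf"^(.+?) \(({UUID})\) (\w+) (.+?) \(({UUID})\) (\w+) (\d+)$")


def parse_rows(text):
    """Return a list of (uuid_a, uuid_b, level, label) tuples, one per table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        name_a, uuid_a, gal_a, name_b, uuid_b, gal_b, level = m.groups()
        rows.append((uuid_a, uuid_b, int(level), f"{name_a} [{gal_a}] -- {name_b} [{gal_b}]"))
    return rows


def bfs_distances(rows, start):
    """Hop distance of every cluster reachable from `start` over the undirected edges."""
    adj = {}
    for a, b, _, _ in rows:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def check_levels(text=TABLE, start=ENEMYBOT):
    """Return (row_count, distances, mismatches); mismatches is empty if the assumption holds."""
    rows = parse_rows(text)
    dist = bfs_distances(rows, start)
    mismatches = [(label, level, 1 + min(dist[a], dist[b]))
                  for a, b, level, label in rows
                  if level != 1 + min(dist[a], dist[b])]
    return len(rows), dist, mismatches


if __name__ == "__main__":
    n, dist, bad = check_levels()
    print(f"{n} rows, {len(dist)} clusters, farthest cluster at {max(dist.values())} hops")
    for label, printed, expected in bad:
        print(f"MISMATCH {label}: page says {printed}, BFS says {expected}")
    print("Level column consistent with BFS depth" if not bad else f"{len(bad)} mismatches")
```

Running the script reports 29 rows over 22 distinct clusters, a farthest cluster (Mountlocket) five hops out, and no mismatches, which is what makes the Level column usable as a quick relevance filter: anything at level 3 or higher is related to EnemyBot only through an intermediate cluster.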