
EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908)

In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.

This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.

It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.

Enemybot has been seen targeting Seowon Intech and D-Link routers, and it exploits a recently reported vulnerability in iRZ routers to infect more devices.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) | Botnet | EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | 1 |
| EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | 1 |
| EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | EnemyBot (262d18be-7cab-46c2-bcb0-47fff17604aa) | Malpedia | 1 |
| EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) | Botnet | 1 |
| EnemyBot (a5a067c9-c4d7-4f33-8e6f-01b903f89908) | Botnet | Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) | Botnet | 1 |
| Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) | Botnet | Bashlite (81917a93-6a70-4334-afe2-56904c1fafe9) | Malpedia | 2 |
| Gafgyt (40795af6-b721-11e8-9fcb-570c0b384135) | Botnet | Gafgyt (5fe338c6-723e-43ed-8165-43d95fa93689) | Tool | 2 |
| Mirai (ELF) (17e12216-a303-4a00-8283-d3fe92d0934c) | Malpedia | Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | 2 |
| Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) | Tool | Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | 2 |
| Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) | Botnet | Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | 2 |
| Mirai (fcdfd4af-da35-49a8-9610-19be8a487185) | Botnet | Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) | Botnet | 2 |
| BlackBasta (9db5f425-fe49-4137-8598-840e7290ed0f) | Ransomware | Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) | Botnet | 2 |
| Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) | Botnet | ProLock (c4417bfb-717f-48d9-bd56-bc9e85d07c19) | Ransomware | 2 |
| Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) | Malpedia | Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) | Botnet | 2 |
| Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) | Banker | Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) | Botnet | 2 |
| Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) | Tool | Zeus (e878d24d-f122-48c4-930c-f6b6d5f0ee28) | Botnet | 2 |
| Bashlite (81917a93-6a70-4334-afe2-56904c1fafe9) | Malpedia | Gafgyt (5fe338c6-723e-43ed-8165-43d95fa93689) | Tool | 3 |
| Mirai (ELF) (17e12216-a303-4a00-8283-d3fe92d0934c) | Malpedia | Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) | Tool | 3 |
| Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) | Tool | Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) | Botnet | 3 |
| Mirai (dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5) | Tool | Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) | Botnet | 3 |
| Owari (ec67f206-6464-48cf-a012-3cdfc1278488) | Malpedia | Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) | Botnet | 3 |
| Owari (f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc) | Botnet | Sora (025ab0ce-bffc-11e8-be19-d70ec22c5d56) | Botnet | 3 |
| Conti (201eff54-d41e-4f70-916c-5dfb9301730a) | Ransomware | BlackBasta (9db5f425-fe49-4137-8598-840e7290ed0f) | Ransomware | 3 |
| Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) | Malpedia | Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) | Banker | 3 |
| Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) | Tool | Zeus (f0ec2df5-2e38-4df3-970d-525352006f2e) | Banker | 3 |
| Zeus (4e8c1ab7-2841-4823-a5d1-39284fb0969a) | Malpedia | Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) | Tool | 3 |
| Conti (201eff54-d41e-4f70-916c-5dfb9301730a) | Ransomware | BlackByte (1c43524e-0f2e-4468-b6b6-8a37f1d0ea87) | Ransomware | 4 |
| Conti (201eff54-d41e-4f70-916c-5dfb9301730a) | Ransomware | QuantumLocker (0ca6ac54-ad2b-4945-9580-ac90e702fd2c) | Ransomware | 4 |
| Mountlocket (7513650c-ba09-49bf-b011-d2974c7ae023) | Ransomware | QuantumLocker (0ca6ac54-ad2b-4945-9580-ac90e702fd2c) | Ransomware | 5 |
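The table above is a relationship graph radiating out from the EnemyBot cluster, and the Level column tells you how far each link is from it. The script below is an added example, not part of the MISP galaxy page or project code: it embeds the rows from this page, walks them breadth-first from the EnemyBot UUID, and recomputes each row's level. The rule it applies, that a row's level is one more than the hop distance of its nearer endpoint, is inferred from the table rather than documented here, and the `NAMES`, `EDGES`, `check_levels` and `clusters_by_hop` identifiers are this example's own.

```python
from collections import defaultdict, deque

# Constructed from the relationship table on this page (uuid -> label).
ROOT = "a5a067c9-c4d7-4f33-8e6f-01b903f89908"  # EnemyBot, Botnet galaxy
NAMES = {
    ROOT: "EnemyBot (Botnet)",
    "40795af6-b721-11e8-9fcb-570c0b384135": "Gafgyt (Botnet)",
    "fcdfd4af-da35-49a8-9610-19be8a487185": "Mirai (Botnet)",
    "262d18be-7cab-46c2-bcb0-47fff17604aa": "EnemyBot (Malpedia)",
    "421a3805-7741-4315-82c2-6c9aa30d0953": "Qbot (Botnet)",
    "e878d24d-f122-48c4-930c-f6b6d5f0ee28": "Zeus (Botnet)",
    "81917a93-6a70-4334-afe2-56904c1fafe9": "Bashlite (Malpedia)",
    "5fe338c6-723e-43ed-8165-43d95fa93689": "Gafgyt (Tool)",
    "17e12216-a303-4a00-8283-d3fe92d0934c": "Mirai (ELF) (Malpedia)",
    "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5": "Mirai (Tool)",
    "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc": "Owari (Botnet)",
    "025ab0ce-bffc-11e8-be19-d70ec22c5d56": "Sora (Botnet)",
    "9db5f425-fe49-4137-8598-840e7290ed0f": "BlackBasta (Ransomware)",
    "c4417bfb-717f-48d9-bd56-bc9e85d07c19": "ProLock (Ransomware)",
    "4e8c1ab7-2841-4823-a5d1-39284fb0969a": "Zeus (Malpedia)",
    "f0ec2df5-2e38-4df3-970d-525352006f2e": "Zeus (Banker)",
    "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7": "Zeus (Tool)",
    "ec67f206-6464-48cf-a012-3cdfc1278488": "Owari (Malpedia)",
    "201eff54-d41e-4f70-916c-5dfb9301730a": "Conti (Ransomware)",
    "1c43524e-0f2e-4468-b6b6-8a37f1d0ea87": "BlackByte (Ransomware)",
    "0ca6ac54-ad2b-4945-9580-ac90e702fd2c": "QuantumLocker (Ransomware)",
    "7513650c-ba09-49bf-b011-d2974c7ae023": "Mountlocket (Ransomware)",
}
# (cluster A uuid, cluster B uuid, level as printed in the table above)
EDGES = [
    ("40795af6-b721-11e8-9fcb-570c0b384135", ROOT, 1),
    (ROOT, "fcdfd4af-da35-49a8-9610-19be8a487185", 1),
    (ROOT, "262d18be-7cab-46c2-bcb0-47fff17604aa", 1),
    (ROOT, "421a3805-7741-4315-82c2-6c9aa30d0953", 1),
    (ROOT, "e878d24d-f122-48c4-930c-f6b6d5f0ee28", 1),
    ("40795af6-b721-11e8-9fcb-570c0b384135", "81917a93-6a70-4334-afe2-56904c1fafe9", 2),
    ("40795af6-b721-11e8-9fcb-570c0b384135", "5fe338c6-723e-43ed-8165-43d95fa93689", 2),
    ("17e12216-a303-4a00-8283-d3fe92d0934c", "fcdfd4af-da35-49a8-9610-19be8a487185", 2),
    ("dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", "fcdfd4af-da35-49a8-9610-19be8a487185", 2),
    ("f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", "fcdfd4af-da35-49a8-9610-19be8a487185", 2),
    ("fcdfd4af-da35-49a8-9610-19be8a487185", "025ab0ce-bffc-11e8-be19-d70ec22c5d56", 2),
    ("9db5f425-fe49-4137-8598-840e7290ed0f", "421a3805-7741-4315-82c2-6c9aa30d0953", 2),
    ("421a3805-7741-4315-82c2-6c9aa30d0953", "c4417bfb-717f-48d9-bd56-bc9e85d07c19", 2),
    ("4e8c1ab7-2841-4823-a5d1-39284fb0969a", "e878d24d-f122-48c4-930c-f6b6d5f0ee28", 2),
    ("f0ec2df5-2e38-4df3-970d-525352006f2e", "e878d24d-f122-48c4-930c-f6b6d5f0ee28", 2),
    ("0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7", "e878d24d-f122-48c4-930c-f6b6d5f0ee28", 2),
    ("81917a93-6a70-4334-afe2-56904c1fafe9", "5fe338c6-723e-43ed-8165-43d95fa93689", 3),
    ("17e12216-a303-4a00-8283-d3fe92d0934c", "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", 3),
    ("dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", 3),
    ("dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", "025ab0ce-bffc-11e8-be19-d70ec22c5d56", 3),
    ("ec67f206-6464-48cf-a012-3cdfc1278488", "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", 3),
    ("f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", "025ab0ce-bffc-11e8-be19-d70ec22c5d56", 3),
    ("201eff54-d41e-4f70-916c-5dfb9301730a", "9db5f425-fe49-4137-8598-840e7290ed0f", 3),
    ("4e8c1ab7-2841-4823-a5d1-39284fb0969a", "f0ec2df5-2e38-4df3-970d-525352006f2e", 3),
    ("0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7", "f0ec2df5-2e38-4df3-970d-525352006f2e", 3),
    ("4e8c1ab7-2841-4823-a5d1-39284fb0969a", "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7", 3),
    ("201eff54-d41e-4f70-916c-5dfb9301730a", "1c43524e-0f2e-4468-b6b6-8a37f1d0ea87", 4),
    ("201eff54-d41e-4f70-916c-5dfb9301730a", "0ca6ac54-ad2b-4945-9580-ac90e702fd2c", 4),
    ("7513650c-ba09-49bf-b011-d2974c7ae023", "0ca6ac54-ad2b-4945-9580-ac90e702fd2c", 5),
]

def build_graph(edges):
    """Undirected adjacency: a galaxy relationship links both clusters either way."""
    adj = defaultdict(set)
    for a, b, _ in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def hop_distances(adj, root):
    """Breadth-first hop count from root to every reachable cluster."""
    dist = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def edge_level(dist, a, b):
    """Assumed rule (inferred from the table): level = 1 + nearer endpoint's distance."""
    return 1 + min(dist[a], dist[b])

def check_levels(edges, root=ROOT):
    """Rows whose printed level disagrees with the recomputed one; empty means consistent."""
    dist = hop_distances(build_graph(edges), root)
    return [(NAMES[a], NAMES[b], lvl, edge_level(dist, a, b))
            for a, b, lvl in edges if edge_level(dist, a, b) != lvl]

def clusters_by_hop(edges, root=ROOT):
    """Labels grouped by hop distance, e.g. everything one hop away from EnemyBot."""
    groups = defaultdict(list)
    for uuid, d in hop_distances(build_graph(edges), root).items():
        groups[d].append(NAMES[uuid])
    return {d: sorted(v) for d, v in sorted(groups.items())}

if __name__ == "__main__":
    for d, labels in clusters_by_hop(EDGES).items():
        print(f"{d} hop(s): {', '.join(labels)}")
    print("inconsistent rows:", check_levels(EDGES))
```

Running it prints the clusters grouped by distance and an empty inconsistency list, confirming that every printed level matches the assumed rule. The same check is useful when you pull relationship data from the galaxy JSON for a different cluster: a non-empty list from `check_levels` means either the rule does not hold for that cluster or a row has been mis-keyed. Note that the five-hop chain from EnemyBot to Mountlocket runs through Qbot and the ransomware families, which says nothing about EnemyBot's own code; it is a reminder that relationship depth is a graph property, not a lineage claim.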