Unless you’re an IT Security Professional, you may never have heard of EnemyBot.  It is a bit like the Frankenstein of malware threats, a botnet that has borrowed code from multiple different sources.

While that’s not terribly original, it does make it dangerous. The hackers behind the code are actively adding new exploits as newly disclosed critical vulnerabilities come to light in content management systems, IoT devices, Android devices, and web servers.

The botnet was first seen in action in March and is currently being tracked by researchers at Securonix.  By April, newer code samples were acquired, and the researchers found that EnemyBot had already integrated capabilities to attack flaws in more than a dozen processor architectures.

The botnet doesn’t do anything fancy and it mainly relies on DDoS (distributed denial of service) attacks. The latest version spotted has the capability to scan for new target devices and infect them.

According to AT&T’s Alien Labs, the most recent code samples contain several new exploits, including those for:

• CVE-2022-22954: Critical (CVSS: 9.8) A remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager. PoC (proof of concept) exploit was made available in April 2022.
• CVE-2022-22947: Another remote code execution flaw in Spring, fixed as zero-day in March 2022, and massively targeted throughout April 2022.
• And CVE-2022-1388: Critical (CVSS: 9.8) Yet another remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately.

Enemybot is a genuine threat and proof positive that you don’t have to be original or engage in out of the box thinking to engineer a serious piece of malware.  Watch out for this one because the developers behind it are clearly just getting warmed up.