Enemybot botnet uses Gafgyt source code with a sprinkling of Mirai
2022-04-13 14:00

A prolific threat group known for deploying distributed denial-of-service and cryptomining attacks is running a new botnet that is built using the Linux-based Gafgyt source code along with some code from the Mirai botnet malware.

Keksec is using the Enemybot malware as a classic botnet, rolling up compromised Internet of Things devices into a larger botnet that can be used to launch DDoS attacks.

Enemybot is based mainly on Gafgyt - also known as Bashlite - a DDoS botnet whose source code was leaked in 2015.

Some of the Enemybot modules - such as its scanner module - also include code from Mirai, a notorious botnet that also targets IoT devices.

"In terms of spreading, Enemybot uses several methods that have also been observed in other IoT botnet campaigns," they wrote.

"In most cases, particularly in Mirai-based botnets, this URL is hardcoded. In the case of Enemybot this URL is dynamically updated by the C2 server via the command LDSERVER. The clear advantage of this method is that when the download server is down for whatever reason, the botnet operators can just update the bot clients with a new URL.".


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/13/enemy-botnet-uses-gafgyt-mirai/