Merge pull request #734 from Delta-Sierra/main

Add EnemyBot +relationships
2022-07-12 11:38:12 +02:00 · 2022-07-12 11:38:12 +02:00 · 684c6be358
parent 1b6ac6b93d 300d608770
commit 684c6be358
2 changed files with 47 additions and 2 deletions
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@ -1291,7 +1291,43 @@
      },
      "uuid": "3e40c1af-51f5-4b02-b189-74567125c6e0",
      "value": "Ripprbot"
+    },
+    {
+      "description": "In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.\n\nThis botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.\n\nIt uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.\n\nEnemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.",
+      "meta": {
+        "refs": [
+          "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot",
+          "https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
+          "https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "262d18be-7cab-46c2-bcb0-47fff17604aa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
+        },
+        {
+          "dest-uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
+        }
+      ],
+      "uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
+      "value": "EnemyBot"
    }
  ],
-  "version": 25
+  "version": 26
 }
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@ -3875,6 +3875,15 @@
        "synonyms": [],
        "type": []
      },
+      "related": [
+        {
+          "dest-uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
      "uuid": "262d18be-7cab-46c2-bcb0-47fff17604aa",
      "value": "EnemyBot"
    },
@ -45260,5 +45269,5 @@
      "value": "Zyklon"
    }
  ],
-  "version": 14973
+  "version": 14974
 }