Malware research tool lands on GitHub after Covid-related cancellation of Black Hat presentation

Enfilade: Open source tool flags ransomware and Meow bot infections in MongoDB instances

An open source tool that detects internet-facing MongoDB instances and whether they’ve been infected with ransomware or Meow malware has been launched.

‘Enfilade’ can also perform more intrusive checks whereby it scans “each configured database with collections to map potential infections”, security practitioner and advisor Aditya K Sood told The Daily Swig.

Sood developed the tool with Rohit Bansal, principal security researcher with SecNiche Security Labs, in collaboration with F5’s CTO office.

Enfilade, which Sood says “is primarily focused on the network service for MongoDB communication started on TCP port 27017”, currently offers the following modules:

  • Scanning for internet-exposed MongoDB instances
  • Detection, via basic or intrusive checks, of Meow or ransomware infections
  • Reconnaissance and information gathering on MongoDB instances
  • Checking access permissions for assessing remote command execution
  • User enumeration
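As an added example (not Enfilade's own code), the two check depths listed above can be sketched for a defender auditing their own deployment: a basic reachability test against TCP port 27017, and an intrusive walk over a database/collection listing that maps names carrying the Meow marker. The ransom-note name pattern and the sample listing are constructed assumptions, not indicators taken from the tool.

```python
import re
import socket
from typing import Dict, List

# Meow wipes leave database/collection names carrying the word 'meow'.
MEOW_PATTERN = re.compile(r"meow", re.IGNORECASE)
# ASSUMED placeholder for the kind of collection a ransomware drop leaves
# behind; tune to what is observed in your own environment.
RANSOM_NOTE_PATTERN = re.compile(r"^(READ_?ME|WARNING|RECOVER)", re.IGNORECASE)
# MongoDB's own databases; anything else is treated as an application database.
SYSTEM_DBS = {"admin", "config", "local"}

def basic_check(host: str, port: int = 27017, timeout: float = 2.0) -> bool:
    """Basic check: is the MongoDB service reachable on the wire at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def intrusive_check(listing: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Intrusive check: walk every database and its collections and map
    indicators of a Meow wipe or a ransomware drop.
    `listing` is {database_name: [collection_name, ...]}, as you would build
    from client.list_database_names() / db.list_collection_names() in pymongo."""
    findings = {"meow": [], "ransom": [], "empty_app_dbs": []}
    for db_name, collections in listing.items():
        if MEOW_PATTERN.search(db_name):
            findings["meow"].append(db_name)
        for coll in collections:
            path = f"{db_name}.{coll}"
            if MEOW_PATTERN.search(coll):
                findings["meow"].append(path)
            elif RANSOM_NOTE_PATTERN.match(coll):
                findings["ransom"].append(path)
        # An application database whose collections are all gone is itself a
        # hint that data was wiped rather than merely renamed.
        if db_name not in SYSTEM_DBS and not collections:
            findings["empty_app_dbs"].append(db_name)
    return findings

# Constructed sample listing standing in for a live enumeration.
SAMPLE_LISTING = {
    "admin": ["system.version"],
    "config": ["system.sessions"],
    "customers-ax2k-meow": [],
    "orders": ["READ_ME_TO_RECOVER_YOUR_DATA", "meow-7f3a"],
    "inventory": [],
}

if __name__ == "__main__":
    print(intrusive_check(SAMPLE_LISTING))
```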

Meow-ch

More than 26,800 customers including Google, Toyota, and Verizon use MongoDB, a document-oriented NoSQL database platform, when developing applications.

According to research conducted by infosec firm Intruder, unsecured MongoDB instances are typically compromised within 24 hours of going online.

Meow bots heightened the risk of database misconfigurations when they emerged in July 2020, deploying a malicious script that quickly wiped thousands of unsecured Elasticsearch and MongoDB instances by overwriting data with random numbers and the word ‘meow’.

In the same month, 22,900 MongoDB databases were targeted by ransomware attacks in which victims were told that non-payment would result in their GDPR violations being reported to data privacy watchdogs.

Sood and Bansal gauged the scale of the problem themselves by scanning vulnerable IP address spaces belonging to hosting providers for evidence of ransomware infections in MongoDB instances, with 3,586 infections flagged in China and the US alone, as revealed in a blog post published by Sood.

‘Part of a package’

“The tool is a part of a package that we are building for multiple databases,” says Sood, who recently published a book on cloud security that touches on database infections.

He expects to add more modules to the tool in the future, but in the meantime “other developers can amend and enhance the tool accordingly”.

Sood and Bansal were due to unveil Enfilade at Black Hat USA 2021 this week but had to abandon their talk over concerns related to the Covid-19 Delta variant.

They released the project on GitHub on Wednesday (August 4) regardless and their presentation slides are available on Sood’s blog post.

The research duo showcased a similar tool that detects malware infections in Elasticsearch instances – ‘Strafer’ – at last year’s Black Hat Europe.
