Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and distributed denial-of-service (DDoS) capabilities.

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and distributed denial-of-service (DDoS) capabilities.

Initially detailed two weeks ago, Zerobot is a self-replicating and self-propagating piece of malware written in the Golang (Go) programming language, which can target twelve device architectures.

Fortinet, which first warned of the threat’s capabilities, analyzed two variants of the malware, one of which contained exploits targeting 21 known vulnerabilities, including the recent Spring4Shell and F5 Big-IP flaws, alongside flaws in firewalls, routers, and surveillance cameras.

On Wednesday, Microsoft published its own analysis of Zerobot, warning that the malware has been updated with additional capabilities, including exploits for two vulnerabilities in Apache and Apache Spark, tracked as CVE-2021-42013 and CVE-2022-33891, respectively.

A server-side request forgery (SSRF) bug patched in October 2021, CVE-2021-42013 is known to have been targeted by other botnets as well, including the Enemybot DDoS botnet.

In addition to previously reported exploits, the Zerobot variant that Microsoft has analyzed also includes exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM), CVE-2022-31137 (Roxy-WI), and ZSL-2022-5717 (MiniDVBLinux).

“Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files,” Microsoft notes, adding that some of the targeted vulnerabilities have been previously mislabeled.

“Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers,” the tech giant says.

Advertisement. Scroll to continue reading.

Once it has compromised a device, Zerobot injects a script to execute the botnet malware (or a script to identify the device architecture and fetch the appropriate binary), and achieves persistence.

The threat does not target Windows machines, but Microsoft says it has observed Zerobot samples that can run on Windows.

The updated Zerobot variant packs several new capabilities to launch DDoS attacks using the UDP, ICMP, TCP, SYN, ACK, and SYN-ACK protocols.

Zerobot can also scan the internet for additional devices to infect. The capability allows it to scan sets of randomly generated IP addresses, while attempting to identify honeypot IP addresses.

“Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands,” Microsoft says.

Related: Multi-Purpose Botnet and Infostealer ‘Aurora’ Rising to Fame

Related: Mirai Botnet Launched 2.5 Tbps DDoS Attack Against Minecraft Server

Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.