Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and distributed denial-of-service (DDoS) capabilities.

Initially detailed two weeks ago, Zerobot is a self-replicating and self-propagating piece of malware written in the Golang (Go) programming language, which can target twelve device architectures.

Fortinet, which first warned of the threat’s capabilities, analyzed two variants of the malware, one of which contained exploits targeting 21 known vulnerabilities, including the recent Spring4Shell and F5 Big-IP flaws, alongside flaws in firewalls, routers, and surveillance cameras.

On Wednesday, Microsoft published its own analysis of Zerobot, warning that the malware has been updated with additional capabilities, including exploits for two vulnerabilities in Apache and Apache Spark, tracked as CVE-2021-42013 and CVE-2022-33891, respectively.

A server-side request forgery (SSRF) bug patched in October 2021, CVE-2021-42013 is known to have been targeted by other botnets as well, including the Enemybot DDoS botnet.

In addition to previously reported exploits, the Zerobot variant that Microsoft has analyzed also includes exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM), CVE-2022-31137 (Roxy-WI), and ZSL-2022-5717 (MiniDVBLinux).

“Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files,” Microsoft notes, adding that some of the targeted vulnerabilities have been previously mislabeled.

“Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers,” the tech giant says.

Once it has compromised a device, Zerobot injects a script to execute the botnet malware (or a script to identify the device architecture and fetch the appropriate binary), and achieves persistence.

The threat does not target Windows machines, but Microsoft says it has observed Zerobot samples that can run on Windows.

The updated Zerobot variant packs several new capabilities to launch DDoS attacks using the UDP, ICMP, TCP, SYN, ACK, and SYN-ACK protocols.

Zerobot can also scan the internet for additional devices to infect. The capability allows it to scan sets of randomly generated IP addresses, while attempting to identify honeypot IP addresses.

“Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands,” Microsoft says.

Related: Multi-Purpose Botnet and Infostealer ‘Aurora’ Rising to Fame

Related: Mirai Botnet Launched 2.5 Tbps DDoS Attack Against Minecraft Server

Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers