SecurityWeek

Cybercrime

Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and distributed denial-of-service (DDoS) capabilities.

Initially detailed two weeks ago, Zerobot is a self-replicating and self-propagating piece of malware written in the Golang (Go) programming language, which can target twelve device architectures.

Fortinet, which first warned of the threat’s capabilities, analyzed two variants of the malware, one of which contained exploits targeting 21 known vulnerabilities, including the recent Spring4Shell and F5 Big-IP flaws, alongside flaws in firewalls, routers, and surveillance cameras.

On Wednesday, Microsoft published its own analysis of Zerobot, warning that the malware has been updated with additional capabilities, including exploits for two vulnerabilities in Apache and Apache Spark, tracked as CVE-2021-42013 and CVE-2022-33891, respectively.

CVE-2021-42013, a server-side request forgery (SSRF) bug patched in October 2021, is known to have been targeted by other botnets as well, including the Enemybot DDoS botnet.

In addition to previously reported exploits, the Zerobot variant that Microsoft has analyzed also includes exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM), CVE-2022-31137 (Roxy-WI), and ZSL-2022-5717 (MiniDVBLinux).

“Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files,” Microsoft notes, adding that some of the targeted vulnerabilities have been previously mislabeled.

“Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers,” the tech giant says.

Once it has compromised a device, Zerobot injects a script that executes the botnet malware (or a script that identifies the device architecture and fetches the matching binary), and then establishes persistence.

The threat does not target Windows machines, but Microsoft says it has observed Zerobot samples that can run on Windows.

The updated Zerobot variant packs several new DDoS attack methods over UDP, ICMP, and TCP, including SYN, ACK, and SYN-ACK floods.

Zerobot can also scan the internet for additional devices to infect: it probes sets of randomly generated IP addresses while attempting to identify honeypot IP addresses.

“Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands,” Microsoft says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.