Connect with us

Hi, what are you looking for?



Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and distributed denial-of-service (DDoS) capabilities.

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and distributed denial-of-service (DDoS) capabilities.

Initially detailed two weeks ago, Zerobot is a self-replicating and self-propagating piece of malware written in the Golang (Go) programming language, which can target twelve device architectures.

Fortinet, which first warned of the threat’s capabilities, analyzed two variants of the malware, one of which contained exploits targeting 21 known vulnerabilities, including the recent Spring4Shell and F5 Big-IP flaws, alongside flaws in firewalls, routers, and surveillance cameras.

On Wednesday, Microsoft published its own analysis of Zerobot, warning that the malware has been updated with additional capabilities, including exploits for two vulnerabilities in Apache and Apache Spark, tracked as CVE-2021-42013 and CVE-2022-33891, respectively.

A server-side request forgery (SSRF) bug patched in October 2021, CVE-2021-42013 is known to have been targeted by other botnets as well, including the Enemybot DDoS botnet.

In addition to previously reported exploits, the Zerobot variant that Microsoft has analyzed also includes exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM), CVE-2022-31137 (Roxy-WI), and ZSL-2022-5717 (MiniDVBLinux).

“Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files,” Microsoft notes, adding that some of the targeted vulnerabilities have been previously mislabeled.

Advertisement. Scroll to continue reading.

“Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers,” the tech giant says.

Once it has compromised a device, Zerobot injects a script to execute the botnet malware (or a script to identify the device architecture and fetch the appropriate binary), and achieves persistence.

The threat does not target Windows machines, but Microsoft says it has observed Zerobot samples that can run on Windows.

The updated Zerobot variant packs several new capabilities to launch DDoS attacks using the UDP, ICMP, TCP, SYN, ACK, and SYN-ACK protocols.

Zerobot can also scan the internet for additional devices to infect. The capability allows it to scan sets of randomly generated IP addresses, while attempting to identify honeypot IP addresses.

“Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands,” Microsoft says.

Related: Multi-Purpose Botnet and Infostealer ‘Aurora’ Rising to Fame

Related: Mirai Botnet Launched 2.5 Tbps DDoS Attack Against Minecraft Server

Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.