Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and distributed denial-of-service (DDoS) capabilities.

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and distributed denial-of-service (DDoS) capabilities.

Initially detailed two weeks ago, Zerobot is a self-replicating and self-propagating piece of malware written in the Golang (Go) programming language, which can target twelve device architectures.

Fortinet, which first warned of the threat’s capabilities, analyzed two variants of the malware, one of which contained exploits targeting 21 known vulnerabilities, including the recent Spring4Shell and F5 Big-IP flaws, alongside flaws in firewalls, routers, and surveillance cameras.

On Wednesday, Microsoft published its own analysis of Zerobot, warning that the malware has been updated with additional capabilities, including exploits for two vulnerabilities in Apache and Apache Spark, tracked as CVE-2021-42013 and CVE-2022-33891, respectively.

A server-side request forgery (SSRF) bug patched in October 2021, CVE-2021-42013 is known to have been targeted by other botnets as well, including the Enemybot DDoS botnet.

In addition to previously reported exploits, the Zerobot variant that Microsoft has analyzed also includes exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM), CVE-2022-31137 (Roxy-WI), and ZSL-2022-5717 (MiniDVBLinux).

“Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files,” Microsoft notes, adding that some of the targeted vulnerabilities have been previously mislabeled.

“Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers,” the tech giant says.

Advertisement. Scroll to continue reading.

Once it has compromised a device, Zerobot injects a script to execute the botnet malware (or a script to identify the device architecture and fetch the appropriate binary), and achieves persistence.

The threat does not target Windows machines, but Microsoft says it has observed Zerobot samples that can run on Windows.

The updated Zerobot variant packs several new capabilities to launch DDoS attacks using the UDP, ICMP, TCP, SYN, ACK, and SYN-ACK protocols.

Zerobot can also scan the internet for additional devices to infect. The capability allows it to scan sets of randomly generated IP addresses, while attempting to identify honeypot IP addresses.

“Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands,” Microsoft says.

Related: Multi-Purpose Botnet and Infostealer ‘Aurora’ Rising to Fame

Related: Mirai Botnet Launched 2.5 Tbps DDoS Attack Against Minecraft Server

Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.