An upgraded version of the recently described Internet of Things (IoT) botnet Zerobot carries an expanded set of exploits and DDoS capabilities. Zerobot is self-replicating, self-propagating malware written in the Go (Golang) programming language that can target twelve device architectures. It was first described two weeks ago.
Two variants of the malware have been observed, one of which carried exploits for 21 known weaknesses, including the recent Spring4Shell and F5 BIG-IP flaws as well as vulnerabilities in firewalls, routers, and security cameras. Fortinet, which first reported the threat and its capabilities, examined both variants. Microsoft released its own research on Zerobot on Wednesday, advising that the malware has been upgraded with new features, including exploits for an Apache vulnerability and an Apache Spark vulnerability, identified as CVE-2021-42013 and CVE-2022-33891, respectively.
The Enemybot DDoS botnet is believed to have targeted CVE-2021-42013, a server-side request forgery (SSRF) vulnerability fixed in October 2021. The Zerobot variant that Microsoft has examined has exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2022-31137 (Roxy-WI), CVE-2020-25223 (Sophos SG UTM), and ZSL-2022-5717 (MiniDVBLinux) in addition to previously known exploits.
“Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files,” Microsoft states, adding that a few of the targeted flaws had previously been mislabeled. Microsoft researchers have also found further evidence that Zerobot spreads by infecting systems through known vulnerabilities whose exploits are not contained in the malware file itself, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.
Once it has gained access to a target device, Zerobot establishes persistence by injecting a script that either runs the botnet malware directly or determines the device architecture and fetches the matching binaries. Although Microsoft reports having seen Zerobot samples that can run on Windows, the threat does not explicitly target Windows machines.
The revised Zerobot variant includes many additional features that enable it to conduct DDoS attacks using UDP, ICMP, TCP, SYN, ACK, and SYN-ACK flood methods. Zerobot can also scan the internet for other devices to infect: this functionality lets it sweep randomly generated groups of IP addresses while checking for honeypot IP addresses.
“Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands,” Microsoft says.