Zerobot, a novel Go-based botnet, has been spotted proliferating in the wild by exploiting nearly two dozen security vulnerabilities in the internet of things (IoT) devices and other software.
Cara Lin, a researcher at Fortinet FortiGuard Labs, said that the botnet “includes multiple modules, such as self-replication, attacks for various protocols, and self-propagation.” It also uses the WebSocket protocol to communicate with its command-and-control server.
The campaign, which reportedly began after November 18, 2022, targets Windows and Linux operating systems to seize control of vulnerable devices.
Zerobot derives its name from a propagation script that, depending on its microarchitecture implementation, is used to retrieve the malicious payload after gaining access to a host (e.g., “zero.arm64”).
Target CPU architectures include i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.
To date, two variants of Zerobot have been observed: One used before November 24, 2022, with basic functionality, and an updated variant with a self-propagating module that uses 21 exploits to breach other endpoints.
- CVE-2014-08361: minigd SOAP service in Realtek SDK
- CVE-2017-17106: Zivif PR115-204-P-RS V220.127.116.113 Webcams
- CVE-2017-17215: Huawei HG532 Router
- CVE-2018-12613: phpMyAdmin
- CVE-2020-10987: Tenda AC15 AC1900 Router CVE-2020-25506 D-Link DNS-320 NAS
- CVE-2021-35395: Realtek Jungle SDK
- CVE-2021-36260: Hikvision product
- CVE-2021-46422: Telesquare SDT-CW3B1 Router
- CVE-2022-01388: F5 BIG-IP
- CVE-2022-22965: Spring MVC or Spring WebFlux application (Spring4Shell)
- CVE-2022-25075: TOTOLink A3000RU Router
- CVE-2022-26186: TOTOLINK N600R Router
- CVE-2022-26210: Totolink A830R Router
- CVE-2022-30525: Zyxel USG FLEX 100(W) Firewall
- CVE-2022-34538: Digital Watchdog DW MEGApix IP cameras
- CVE-2022-37061: FLIR AX8 thermal sensor cameras
Among the affected products are TOTOLINK routers, Zyxel firewalls, F5 BIG-IP, Hikvision cameras, FLIR AX8 thermal imaging cameras, D-Link DNS-320 NAS, and Spring Framework.
Zerobot, upon initialization on a compromised system, makes contact with a remote command-and-control (C2) server and awaits further instructions that enable it to execute arbitrary commands and launch DDoS attacks for various network protocols, including TCP, UDP, TLS, HTTP, and ICMP.
“Within a very short period, it was updated with string obfuscation, a copy file module, and a propagation exploit module, which makes it more difficult to detect and increases its ability to infect more devices,” Lin explained.