The Internet of Things (IoT) botnet Zerobot has been updated with a longer list of exploits and DDoS capabilities.
Zerobot is a self-replicating and self-propagating malware program written in the Golang (Go) programming language that is capable of targeting twelve device architectures.
Fortinet analyzed two variants of the malware, one of which contained exploits targeting 21 known vulnerabilities, including the recent Spring4Shell and F5 Big-IP flaws, in addition to vulnerabilities in firewalls, routers, and surveillance cameras.
Microsoft published its analysis of Zerobot on Wednesday, warning that the malware had been updated to include exploits for two Apache and Apache Spark vulnerabilities, tracked as CVE-2021-42013 and CVE-2022-33891, respectively.
CVE-2021-42013, a server-side request forgery (SSRF) vulnerability patched in October 2021, is known to have been exploited by other botnets, including the Enemybot DDoS botnet.
Microsoft has analyzed a variant of Zerobot that includes exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM), and ZSL-2022-5717, in addition to previously reported exploits (MiniDVBLinux).
“Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files,” Microsoft explains, adding that some of the previously mislabeled vulnerabilities have been removed.
“Microsoft researchers have also discovered new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary,” the tech company says.
Once a device has been compromised, Zerobot injects a script to execute the botnet malware (or a script to identify the device architecture and retrieve the appropriate binary) and achieves persistence.
The threat does not target Windows systems, but Microsoft has observed samples of Zerobot that can operate on Windows.
The updated Zerobot variant includes several new DDoS attack capabilities based on UDP, ICMP, and TCP, including TCP SYN, ACK, and SYN-ACK flood methods.
Additionally, Zerobot can scan the Internet for further targets to infect, probing sets of randomly generated IP addresses while attempting to identify honeypot IP addresses.
“Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with features such as managing processes, file operations, screenshotting, and running commands,” the company says.