Security researchers have spotted a unique botnet dubbed Zerobot exploiting 21 IoT, network and other vulnerabilities, such as F5 BIG-IP, D-Link, Zyxel, Spring4Shell and other flaws.
Since mid-November, security firm Fortinet’s FortiGuard Labs discovered Zerobot contains multiple modules, to include those used for “self-replication, attacks for different protocols, and self-propagation.”
Zerobot is written in the Go programming language and communicates via the WebSocket protocol.
“This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol,” Fortinet wrote in a blog post.
Moreover, the botnet targets the following architectures: i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.
According to Fortinet, Zerobot has exploited the following vulnerabilities to compromise its targets:
- CVE-2014-08361: miniigd SOAP service in Realtek SDK
- CVE-2017-17106: Zivif PR115-204-P-RS webcams
- CVE-2017-17215: Huawei HG523 router
- CVE-2018-12613: phpMyAdmin
- CVE-2020-10987: Tenda AC15 AC1900 router
- CVE-2020-25506: D-Link DNS-320 NAS
- CVE-2021-35395: Realtek Jungle SDK
- CVE-2021-36260: Hikvision product
- CVE-2021-46422: Telesquare SDT-CW3B1 router
- CVE-2022-01388: F5 BIG-IP
- CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
- CVE-2022-25075: TOTOLink A3000RU router
- CVE-2022-26186: TOTOLink N600R router
- CVE-2022-26210: TOTOLink A830R router
- CVE-2022-30525: Zyxel USG Flex 100(W) firewall
- CVE-2022-34538: MEGApix IP cameras
- CVE-2022-37061: FLIX AX8 thermal sensor cameras
In addition, Fortinet also listed two other exploits (“ZERO_36290” and “ZERO_32960”) that were shared by the website “0day.today.” Two others “GPON” and “DLINK” were also called out separately, but no specific CVEs were provided.
Once devices are infected, the Zerobot variant then downloads a script to propagate further.
Initialization and Commands
According to the report, Zerobot first checks its connection to a DNS resolver IP (126.96.36.199) from Cloudflare.
The botnet then copies itself onto the targeted device according to the OS type and then sets up an “AntiKill” module used to thwart any attempts via “signal.Notify” to disrupt the Zerobot malware processes.
After initialization, Zerobot then starts a connection to its command and control (C2) server, “ws[:]//176[.]65[.]137[.]5/handle,” using the WebSocket protocol.
After the C2 channel has been established, the client then waits for the following commands from the server:
- ping: Heartbeat, maintaining the connection
- attack: Launch attack for different protocols: TCP, UDP, TLS, HTTP, ICMP
- stop: Stop attack
- update: Install update and restart Zerobot
- enable_scan: Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker
- disable_scan: Disable scanning
- command: Running OS command, cmd on Windows and bash on Linux
- kill: Kill botnet program
In conclusion, the FortiGuard Labs security team warned Zerobot has been updated in a short time “with string obfuscation, a copy file module, and a propagation exploit module that make it harder to detect and gives it a higher capability to infect more devices.”
Users should be aware of these threats and patch affected devices as soon as possible.
- Spring fixes Critical Spring Framework “Spring4Shell” and Spring Cloud Function vulnerabilities
- Mirai variant MooBot botnet targets multiple D-Link flaws
- Emotet botnet reemerges with new threat behaviors
- Threat actors exploit Spring4Shell to weaponize and execute Mirai botnet
- Hackers exploit Huawei Routers RCE vulnerability (CVE-2017-17215)