A new Go-based malware named ‘Zerobot’ has been spotted in mid-November using exploits for almost two dozen vulnerabilities in a variety of devices that include F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras.
The purpose of the malware is to add compromised devices to a distributed denial-of-service (DDoS) botnet to launch powerful attacks against specified targets.
Zerobot can scan the network and self-propagate to adjacent devices as well as run commands on Windows (CMD) or Linux (Bash).
Security researchers at Fortinet discovered Zerobot and say that since November a new version has emerged with additional modules and exploits for new flaw, indicating that the malware is under active development.
Exploiting its way in
The malware can target a range of system architectures and devices, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.
Zerobot incorporates exploits for 21 vulnerabilities and uses them to gain access to the device. Then it downloads a script named “zero,” which allows it to self propagate.
Zerobot uses the following exploits to breach its targets:
CVE-2014-08361: miniigd SOAP service in Realtek SDK
CVE-2017-17106: Zivif PR115-204-P-RS webcams
CVE-2017-17215: Huawei HG523 router
CVE-2020-10987: Tenda AC15 AC1900 router
CVE-2020-25506: D-Link DNS-320 NAS
CVE-2021-35395: Realtek Jungle SDK
CVE-2021-36260: Hikvision product
CVE-2021-46422: Telesquare SDT-CW3B1 router
CVE-2022-01388: F5 BIG-IP
CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
CVE-2022-25075: TOTOLink A3000RU router
CVE-2022-26186: TOTOLink N600R router
CVE-2022-26210: TOTOLink A830R router
CVE-2022-30525: Zyxel USG Flex 100(W) firewall
CVE-2022-34538: MEGApix IP cameras
CVE-2022-37061: FLIX AX8 thermal sensor cameras
Additionally, the botnet uses four exploits that have not been assigned an identifier. Two of them are targeting GPON terminals and D-Link routers. Details about the other two are unclear at the moment.
After establishing its presence on the compromised device, Zerobot sets a WebSocket connection to the command and control (C2) server and sends some basic information about the victim.
The C2 may respond with one of the following commands:
ping – Heartbeat, maintaining the connection
attack – Launch attack for different protocols: TCP, UDP, TLS, HTTP, ICMP
stop – Stop attack
update – Install update and restart Zerobot
enable_scan – Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker
disable_scan – Disable scanning
command – Run OS command, cmd on Windows and bash on Linux
kill – Kill botnet program
The malware also uses an “anti-kill” module designed to prevent terminating or killing its process.
Currently, Zerobot is primarily focused on launching DDoS attacks. However, it could be used as for initial access, too.
Fortinet says that since Zerobot first appeared on November 18 its developer has improved it with string obfuscation, a copy file module, a self-propagation module, and several new exploits.