In November, FortiGuard Labs discovered a new botnet, written in the Go programming language, that spreads through vulnerabilities in IoT devices. The botnet, named Zerobot, is built from several modules, including self-replication, attacks against various protocols, and self-propagation, and it communicates with its command-and-control (C2) server over the WebSocket protocol.
The malware's objective is to infect further devices and add them to a distributed denial-of-service (DDoS) botnet, which can then be turned against chosen targets. It also ships an "anti-kill" module intended to stop its process from being terminated. At the moment, Zerobot's primary purpose is DDoS, but a foothold of this kind could also be used for initial access.
Besides network scanning and self-propagation to nearby devices, Zerobot can run commands on either Windows (via CMD) or Linux (via Bash). Once it has established itself on a compromised device, it opens a WebSocket connection to the C2 server and sends basic information about the victim.
This Zerobot variant targets the following architectures: i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. The binary is saved under the filename "zero," which is where the campaign's name comes from. To gain access to a device, Zerobot carries exploits for 21 vulnerabilities.
Among the vulnerabilities Zerobot exploits to break into its targets are:
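Because the same "zero" payload is shipped for twelve architectures, the first triage question for a recovered sample is usually "which build is this, and is it really a Go binary?". The script below is an added example (not Zerobot code and not from the FortiGuard Labs write-up) that reads the ELF identification bytes and e_machine field, resolves them to the architecture names in the list above, and looks for two markers the Go toolchain leaves in an unpacked binary. The helper names, the choice of Go markers and the sample byte strings are this example's own assumptions; the samples are constructed headers, not real malware bytes.

```python
"""Static triage for a suspected Zerobot drop (the "zero" binary).

Added example, not code from Zerobot or from the FortiGuard Labs write-up.
Assumptions (labelled): the helper names, the two Go markers searched for,
and the constructed sample byte strings below are all this example's own.
"""
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF ABI, resolved to the target names used in the
# article. EM_MIPS and EM_PPC64 each cover several Go targets, so EI_CLASS
# (1 = 32-bit, 2 = 64-bit) and EI_DATA (1 = little, 2 = big endian) decide.
EM_386, EM_X86_64, EM_ARM, EM_AARCH64 = 0x03, 0x3E, 0x28, 0xB7
EM_MIPS, EM_PPC64, EM_S390, EM_RISCV = 0x08, 0x15, 0x16, 0xF3

# Markers the Go toolchain leaves in an unpacked ELF: the runtime's pclntab
# section name and the .go.buildinfo magic (Go 1.13+). Assumption: either one
# is treated as sufficient. A packed sample hides both until it is unpacked.
GO_MARKERS = (b".gopclntab", b"\xff Go buildinf:")


def goarch_from_header(ei_class, ei_data, e_machine):
    """Map an ELF header triple to one of the article's architecture names."""
    bits64 = ei_class == 2
    little = ei_data == 1
    if e_machine == EM_386:
        return "i386"
    if e_machine == EM_X86_64:
        return "amd64"
    if e_machine == EM_ARM:
        return "arm"
    if e_machine == EM_AARCH64:
        return "arm64"
    if e_machine == EM_MIPS:
        return ("mips64" if bits64 else "mips") + ("le" if little else "")
    if e_machine == EM_PPC64:
        return "ppc64le" if little else "ppc64"
    if e_machine == EM_RISCV:
        return "riscv64"
    if e_machine == EM_S390:
        return "s390x"
    return None  # not one of the twelve targets named in the article


def is_go_binary(data):
    return any(marker in data for marker in GO_MARKERS)


def triage(data):
    """Return {'elf', 'arch', 'go'} for raw file bytes; never raises on junk input."""
    if (len(data) < 20 or data[:4] != ELF_MAGIC
            or data[4] not in (1, 2) or data[5] not in (1, 2)):
        return {"elf": False, "arch": None, "go": False}
    endian = "<" if data[5] == 1 else ">"
    _e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"elf": True,
            "arch": goarch_from_header(data[4], data[5], e_machine),
            "go": is_go_binary(data)}


def build_elf_header(ei_class, ei_data, e_machine):
    """Constructed test input: a spec-shaped ELF header with no segments behind it."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    if ei_class == 2:  # ELF64: 8-byte e_entry/e_phoff/e_shoff, e_ehsize = 64
        fields = struct.pack(endian + "HHIQQQIHHHHHH",
                             2, e_machine, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    else:              # ELF32: 4-byte offsets, e_ehsize = 52
        fields = struct.pack(endian + "HHIIIIIHHHHHH",
                             2, e_machine, 1, 0, 0, 0, 0, 52, 0, 0, 0, 0, 0)
    return ident + fields


# Constructed samples (not real Zerobot bytes): a header plus padding/markers.
SAMPLES = {
    "zero.arm64": (build_elf_header(2, 1, EM_AARCH64) + b"\x00" * 32
                   + b".gopclntab\x00" + b"\xff Go buildinf:"),
    "zero.mips": build_elf_header(1, 2, EM_MIPS) + b".gopclntab\x00",
    "zero.mips64le": build_elf_header(2, 1, EM_MIPS) + b"\xff Go buildinf:",
    "not-go.amd64": build_elf_header(2, 1, EM_X86_64) + b"\x00" * 16,
    "not-elf": b"MZ\x90\x00" + b"\x00" * 28,
}


def main():
    for name, data in SAMPLES.items():
        print(f"{name:14} -> {triage(data)}")


if __name__ == "__main__":
    main()
```

Run it against a real sample with `triage(open(path, "rb").read())`. A result of `go: False` on a file that still matches the ELF magic usually means the sample is packed, so unpack it before trusting the verdict; a `None` architecture means the e_machine is outside the twelve targets listed above and deserves a second look.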
- CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
- CVE-2022-25075: TOTOLink A3000RU router
- CVE-2022-26186: TOTOLink N600R router
- CVE-2022-26210: TOTOLink A830R router
- CVE-2022-30525: Zyxel USG Flex 100(W) firewall
- CVE-2022-34538: MEGApix IP cameras
- CVE-2022-37061: FLIR AX8 thermal sensor cameras
- CVE-2020-25506: D-Link DNS-320 NAS
- CVE-2021-35395: Realtek Jungle SDK
- CVE-2021-36260: Hikvision product
- CVE-2021-46422: Telesquare SDT-CW3B1 router
- CVE-2022-1388: F5 BIG-IP
- CVE-2014-8361: miniigd SOAP service in Realtek SDK
- CVE-2017-17106: Zivif PR115-204-P-RS webcams
- CVE-2017-17215: Huawei HG532 router
- CVE-2018-12613: phpMyAdmin
- CVE-2020-10987: Tenda AC15 AC1900 router