
Zerobot Operators Expand Attack Scope With New Exploits and DDoS Methods

Zerobot botnet, also known as ZeroStresser, has been under active development since at least November. Operators of this Go-based malware have added new modules and features to expand the botnet's attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras.

What's new?

Microsoft researchers disclosed that exploits newly added to the malware's toolkit enable it to target seven additional types of devices and software.
  • The Zerobot 1.1 variant exploits CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM WebAdmin), CVE-2021-42013 (Apache), CVE-2022-31137 (Roxy-WI), CVE-2022-33891 (Apache Spark), and ZSL-2022-5717 (MiniDVBLinux).
  • The variant adds seven DDoS attack methods (UDP_RAW, TCP_XMAS, ICMP_FLOOD, TCP_SYN, TCP_ACK, TCP_SYNACK, and TCP_CUSTOM) to the nine disclosed earlier.
  • The malware also spreads by exploiting known vulnerabilities that are not built into the malware binary, such as the command injection vulnerability CVE-2022-30023 in Tenda GPON AC1200 routers.
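The DDoS method names above describe what the flood traffic looks like on the wire, which is also what a defender can key on. The following is an added example, not code from the article or from Microsoft's analysis: it labels packets by flood family and flags sources that exceed a per-second threshold for any one family. The mapping from flag combinations to names (for instance XMAS as FIN+PSH+URG, UDP_RAW as any bare UDP datagram) is an assumption based on the conventional meaning of each name, not on Zerobot's code, and the capture it runs over is constructed inline.

```python
from collections import Counter

# TCP flag bit values as laid out in the TCP header (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify(proto, flags):
    """Name the flood family a packet most resembles.

    The labels mirror the method names in the report; the flag-to-name
    mapping is an assumption based on the classic meaning of each name
    (XMAS = FIN+PSH+URG, etc.), not taken from Zerobot itself.
    """
    if proto == "icmp":
        return "ICMP_FLOOD"
    if proto == "udp":
        return "UDP_RAW"
    if proto != "tcp":
        return "OTHER"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "TCP_XMAS"
    if flags & (SYN | ACK) == (SYN | ACK):
        return "TCP_SYNACK"
    if flags & SYN:
        return "TCP_SYN"
    if flags & ACK:
        return "TCP_ACK"
    return "TCP_OTHER"


def flood_sources(packets, window_s=1.0, threshold=40):
    """Return {(src_ip, method): peak_count} for every source that sends
    at least `threshold` packets of one method inside a `window_s` bucket.

    `packets` is an iterable of (timestamp, src_ip, proto, tcp_flags);
    tcp_flags is 0 for non-TCP traffic.
    """
    buckets = Counter()
    for ts, src, proto, flags in packets:
        slot = int(ts // window_s)
        buckets[(src, classify(proto, flags), slot)] += 1
    hits = {}
    for (src, method, _slot), n in buckets.items():
        if n >= threshold:
            hits[(src, method)] = max(n, hits.get((src, method), 0))
    return hits


def constructed_capture():
    """Constructed sample traffic (documentation-range addresses), not a real capture."""
    pkts = []
    # 60 bare SYNs from one source inside one second: SYN flood pattern
    pkts += [(0.01 * i, "203.0.113.10", "tcp", SYN) for i in range(60)]
    # 50 FIN+PSH+URG segments: XMAS pattern
    pkts += [(0.02 * i, "203.0.113.22", "tcp", FIN | PSH | URG) for i in range(50)]
    # 70 ICMP packets from a third source
    pkts += [(0.01 * i, "203.0.113.5", "icmp", 0) for i in range(70)]
    # one benign client: handshake followed by a few data segments
    pkts += [(0.5, "198.51.100.7", "tcp", SYN), (0.6, "198.51.100.7", "tcp", ACK)]
    pkts += [(0.7 + 0.1 * i, "198.51.100.7", "tcp", ACK | PSH) for i in range(5)]
    return pkts


if __name__ == "__main__":
    for (src, method), n in sorted(flood_sources(constructed_capture()).items()):
        print(f"{src:15} {method:12} {n} pkts/s")
```

On real traffic the threshold needs tuning per link and per method (a busy web server legitimately sees many ACKs per second, while any XMAS segment is suspicious on its own), and the per-source view is only a first cut: a botnet of this size spreads a flood across many sources, so an aggregate per-destination count of the same families is the complementary check.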

Since early December, the operators have removed the modules that targeted phpMyAdmin servers, Dasan GPON home routers, and D-Link DSL-2750B wireless routers with known exploits.

Zerobot's story

Zerobot has been active for months; in November it was spotted using roughly two dozen exploits to infect devices including F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras.
  • It targets many system architectures, including AMD64, MIPS64le, ARM, i386, PPC64, PPC64le, RISC64, ARM64, MIPS, MIPS64, MIPSle, and S390x.
  • It brute-forces unsecured devices that use default or weak credentials and exploits vulnerabilities in IoT devices and web applications.
  • Once it infects a system, it downloads a script that lets it self-propagate to other vulnerable devices exposed online.
  • After establishing persistence on compromised devices, it is used either to gain initial access to victims' networks or to launch DDoS attacks.
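The credential brute-forcing described above leaves a distinctive trace in a device's authentication log: a burst of failed logins from one source, often cycling through default usernames, sometimes followed by a success. The following is an added example, not code from the article: it parses OpenSSH-style syslog lines, finds sources with a run of failures inside a time window, and reports whether a successful login followed the run. The log lines are constructed for the example and use documentation-range addresses; the window and failure threshold are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH password-auth lines in syslog format (no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Constructed sample log: one source cycling through default usernames
# until it succeeds, one ordinary user who mistyped a password once.
SAMPLE_LOG = """\
Dec  7 10:15:01 gw sshd[812]: Failed password for root from 203.0.113.44 port 51000 ssh2
Dec  7 10:15:03 gw sshd[812]: Failed password for root from 203.0.113.44 port 51001 ssh2
Dec  7 10:15:05 gw sshd[813]: Failed password for invalid user admin from 203.0.113.44 port 51002 ssh2
Dec  7 10:15:07 gw sshd[813]: Failed password for invalid user admin from 203.0.113.44 port 51003 ssh2
Dec  7 10:15:09 gw sshd[814]: Failed password for invalid user user from 203.0.113.44 port 51004 ssh2
Dec  7 10:15:12 gw sshd[814]: Failed password for root from 203.0.113.44 port 51005 ssh2
Dec  7 10:15:14 gw sshd[815]: Failed password for root from 203.0.113.44 port 51006 ssh2
Dec  7 10:15:16 gw sshd[815]: Failed password for root from 203.0.113.44 port 51007 ssh2
Dec  7 10:15:20 gw sshd[816]: Accepted password for root from 203.0.113.44 port 51008 ssh2
Dec  7 10:20:00 gw sshd[901]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Dec  7 10:20:04 gw sshd[901]: Accepted password for alice from 198.51.100.9 port 40000 ssh2
Dec  7 10:20:10 gw kernel: unrelated line that the parser ignores
""".splitlines()


def parse(line):
    """Return (timestamp, result, user, src_ip) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Year is absent in syslog timestamps; the default (1900) is fine for
    # computing deltas within one log file.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def brute_force_sources(lines, max_failures=5, window_s=60):
    """Return {src_ip: (failures, users_tried, accepted_after)} for sources
    with more than `max_failures` failed logins inside `window_s` seconds.

    accepted_after is True when a successful login followed the failure run,
    the signal that a weak or default credential was eventually guessed.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            events[rec[3]].append(rec)
    findings = {}
    for src, recs in events.items():
        recs.sort()
        fails = [(ts, user) for ts, res, user, _ in recs if res == "Failed"]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            run = fails[i:j]
            if len(run) > max_failures:
                last = run[-1][0]
                accepted = any(res == "Accepted" and ts >= last for ts, res, _, _ in recs)
                findings[src] = (len(run), sorted({u for _, u in run}), accepted)
                break
    return findings


if __name__ == "__main__":
    for src, (n, users, ok) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failures, users {users}, success afterwards: {ok}")
```

A "success afterwards" finding is the one to act on first: it means the credential is already known to the attacker, so the device needs its password changed (and, for IoT gear, the management interface removed from the internet) rather than just the source blocked. The same structure works for Telnet or web-login logs once the regex is adjusted to their line format.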

Additional snippets

  • Microsoft found that Zerobot's operators are advertising it as malware-as-a-service on various social media networks.
  • They also offer the malware for sale and maintain it, with new capabilities in development.
  • In December, the FBI seized several domains associated with DDoS-for-hire services, including one linked to Zerobot.

Ending notes

Zerobot operators are rapidly adding new capabilities to the malware, indicating that they are aggressively planning to target a large number of IoT devices in the near future. Experts therefore recommend frequently patching all devices to reduce the risk.
Cyware Publisher