Zerobot Operators Expand Attack Scope With New Exploits and DDoS Methods

What's new?

• Zerobot 1.1 variant exploits the CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (WebAdmin of Sophos SG UTM), CVE-2021-42013 (Apache), CVE-2022-31137 (Roxy-WI), CVE-2022-33891 (Apache Spark), and ZSL-2022-5717 (MiniDVBLinux) vulnerabilities.
• The variant supports seven additional types of DDoS capabilities, including UDP_RAW, TCP_XMAS, ICMP_FLOOD, TCP_SYN, TCP_ACK, TCP_SYNACK, and TCP_CUSTOM attack methods, in addition to nine DDoS attack methods disclosed earlier.
• The malware propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as a command injection vulnerability (CVE-2022-30023) in Tenda GPON AC1200 routers.

Zerobot's story

• It targets many system architectures and devices, including AMD64, MIPS64le, ARM, i386, PPC64, PPC64le, RISC64, ARM64, MIPS, MIPS64, MIPSle, and S390x.
• It brute forces against unsecured devices with default or weak credentials and exploits vulnerabilities in IoT devices and web applications.
• Once it infects a system, it downloads a script that will allow it to self-propagate to more vulnerable devices exposed online.
• After gaining the persistence of compromised devices, it either gains initial access to victims' networks or launches DDoS attacks.

Additional snippets

• Microsoft found that Zerobot's operators are advertising it as a malware-as-a-service on various social media networks. 
• In addition, they are marketing it for the sale and maintenance of the malware with new capabilities in development.
• The FBI seized several domains associated with DDoS-for-hire services in December, with one domain with links to Zerobot among them.

Ending notes