Zerobot Botnet Develops New Attack Vectors and Spreading Abilities, Microsoft Warns

Zerobot malware [not to be mistaken for the ZeroBot chatbot developed by zerobot.ai] has undergone substantial updates that enhance its abilities to attack and proliferate, allowing it to target more Internet-connected (IoT) devices and upscale its malicious operation.

According to a recent Microsoft Security Threat Intelligence Center (MSTIC) report, the malware’s latest iteration also added new distributed denial-of-service (DDoS) abilities.

Zerobot is a Go-based botnet offered as part of a malware-as-a-service (MaaS) operation. It spreads through flaws in IoT devices such as routers, cameras and firewalls, as well as web app vulnerabilities.

“Zerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet,” reads Microsoft’s security advisory.“Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols.”

Vulnerable devices with improper configurations are among the most susceptible to Zerobot attacks, as the malware spreads by brute-forcing weak or default credentials. Researchers noticed that the malware uses combinations of “eight common usernames and 130 passwords” to compromise IoT devices through SSH and telnet using ports 23 and 2323.

Aside from brute forcing, Zerobot exploits various vulnerabilities to spread on target devices and deploy malicious payloads. Some of the latest vulnerabilities added to Zerobot 1.1’s arsenal include:

• CVE-2017-17105 – command injection flaw affecting Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-between versions) web cameras
• CVE-2019-10655 – unauthenticated remote code execution (RCE) vulnerability in several Grandstream devices
• CVE-2020-25223 – RCE vulnerability affecting Sophos SG UTMWebAdmin
• CVE-2021-42013 – CiscoApache HTTP Server 2.4.50 RCE vulnerability
• CVE-2022-31137 – RCE flaw affecting Roxy-WI web interface versions prior to 6.1.1.0
• CVE-2022-33891 – unauthenticated command injection flaw in ApacheSparkversions 3.0.3 and earlier, versions 3.1.1-3.1.2, and 3.2.0-3.2.1
• ZSL-2022-5717 – remote root command injection vulnerability affecting MiniDVB Linux versions 5.4 and earlier

Even worse, Zerobot can also propagate using known vulnerabilities not included in the malware binary, such as CVE-2022-30023, a Tenda GPON AC1200 command injection flaw.

Specialized software like Bitdefender Ultimate Security can keep you safe from cyberthreats with its extensive feature library, which includes:

• 24/7, all-around protection against viruses, worms, Trojans, rootkits, spyware, zero-day exploits, ransomware and other e-threats
• Network threat prevention technology that identifies suspicious network-level activity and blocks malware and botnet-related URLs, brute force attacks, and sophisticated exploits
• Behavioral detection module that thoroughly monitors active apps and takes instant action upon detecting suspicious activity