Zerobot targets multiple vulnerabilities
Severity level: High
First reported in mid-November, Zerobot is a new Golang (also known as Go) language-based malware that actively exploits at least 18 known vulnerabilities, with possibly three more that have not yet been published. The likely aim of Zerobot is to assimilate compromised systems into the botnet for use in future distributed denial-of-service (DDoS) attacks.
Once initial compromise has been achieved via a known vulnerability (CVE), Zerobot downloads further scripts for propagation. This download is fetched from the Zerobot command and control (C2) server (176.65.137[.]5). The downloaded file is labeled ‘Zero’, which offers a simple yet effective means of identifying the malware.
Because the programme is written in the Go language, Zerobot can be built for and used against most systems running WindowsOS, MacOS, or Linux.
The following vulnerabilities are known to be used in target breaches:
– CVE-2014-8361: miniigd SOAP service in Realtek SDK
– CVE-2017-17106: Zivif PR115-204-P-RS webcams
– CVE-2017-17215: Huawei HG532 router
– CVE-2018-12613: phpMyAdmin
– CVE-2020-10987: Tenda AC15 AC1900 router
– CVE-2020-25506: D-Link DNS-320 NAS
– CVE-2021-35395: Realtek Jungle SDK
– CVE-2021-36260: Hikvision products
– CVE-2021-46422: Telesquare SDT-CW3B1 router
– CVE-2022-1388: F5 BIG-IP
– CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
– CVE-2022-25075: TOTOLink A3000RU router
– CVE-2022-26186: TOTOLink N600R router
– CVE-2022-26210: TOTOLink A830R router
– CVE-2022-30525: Zyxel USG Flex 100(W) firewall
– CVE-2022-34538: MEGApix IP cameras
– CVE-2022-37061: FLIR AX8 thermal sensor cameras
Once a system is infected with Zerobot, the malware awaits further commands from its C2 server. These commands include:
– Ping – Heartbeat, maintaining the connection
– Attack – Launch attack for different protocols: TCP, UDP, TLS, HTTP, ICMP
– Stop – Stop attack
– Update – Install update and restart Zerobot
– Enable_scan – Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker
– Disable_scan – Disable scanning
– Command – Running OS command, cmd on Windows and bash on Linux
– Kill – Kill botnet programme
Compromise via Zerobot provides the threat actor with an initial access point to the victim network and thereby enables the possibility of further malicious compromise.
Additionally, Zerobot will use an infected system to act on the threat actor’s behalf for future DDOS attacks.
Victim systems will highly likely be operating slower than usual because the botnet consumes much of the available processing power. If a system is running slower than usual, check it for an .exe file labeled ‘Zero’.
Up-to-date Endpoint Detection and Response (EDR) solutions such as Microsoft Defender will almost certainly detect intrusion attempts by botnet malware such as Zerobot and alert the user once detected.
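The two host-level indicators named above (an executable called ‘Zero’ and traffic to the C2 address 176.65.137[.]5) can be checked with a short triage script. The following Python is an added example written for this advisory, not code from Zerobot or from any of the referenced vendors; the function names are ours, the netstat-style sample lines are constructed, and the assumption that the Windows variant carries a .exe suffix is ours.

```python
"""
Host triage helper for the two Zerobot artefacts named in the advisory:
a file named 'Zero' and an established connection to the C2 address.
Added example; not part of the original advisory.
"""
import os
import re
import tempfile

# Indicators taken from the advisory. The IP is written defanged there
# (176.65.137[.]5); it is re-fanged here so it can be matched against
# real socket output on the host.
ZEROBOT_C2_IP = "176.65.137.5"
# The advisory names the dropped file 'Zero'; the '.exe' form is our assumption
# for Windows hosts.
ZEROBOT_FILE_NAMES = {"zero", "zero.exe"}

# Matches "ip:port" tokens in netstat / ss style output.
_ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Constructed sample of `netstat -ano` style output. 203.0.113.7 is an
# RFC 5737 documentation address standing in for benign traffic.
SAMPLE_NETSTAT = [
    "Proto  Local Address        Foreign Address        State        PID",
    "TCP    10.0.0.5:49812       176.65.137.5:443       ESTABLISHED  4120",
    "TCP    10.0.0.5:49813       203.0.113.7:443        ESTABLISHED  2210",
    "TCP    0.0.0.0:135          0.0.0.0:0              LISTENING    912",
]


def find_zero_files(root):
    """Walk `root` and return paths whose file name is 'Zero' (any case, with or without .exe)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in ZEROBOT_FILE_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_c2_connections(netstat_lines, c2_ip=ZEROBOT_C2_IP):
    """Return the netstat-style lines in which any endpoint is the C2 address."""
    hits = []
    for line in netstat_lines:
        # Any ip:port token on the line; on a victim host the C2 address only
        # ever appears as the foreign endpoint, so column order does not matter.
        if any(ip == c2_ip for ip, _port in _ADDR_RE.findall(line)):
            hits.append(line.strip())
    return hits


def demo_file_scan():
    """Create a scratch tree containing the indicator file names and return the names found.

    Constructed demonstration data so the file check can run offline.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "sub")
        os.makedirs(sub)
        for name in ("Zero", os.path.join("sub", "zero.exe"), "notes.txt"):
            open(os.path.join(tmp, name), "wb").close()
        return sorted(os.path.basename(p) for p in find_zero_files(tmp))


if __name__ == "__main__":
    # On a live host replace SAMPLE_NETSTAT with the real `netstat -ano` (Windows)
    # or `ss -tnp` (Linux) output and point find_zero_files at the suspect paths.
    print("files:", demo_file_scan())
    print("C2 connections:", find_c2_connections(SAMPLE_NETSTAT))
```

A hit from either check is a reason to isolate the host and capture the binary and its process tree before remediation; the file name is trivially changeable, so the C2 address check is the stronger of the two indicators while it remains valid.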
The following architectures are targeted by Zerobot:
– WindowsOS, MacOS, and Linux.
Containment, Mitigations & Remediations
The implementation of an up-to-date EDR solution such as Defender is highly recommended to detect and halt malicious botnet malware before significant compromise can take place.
Furthermore, it is recommended that customers update all associated systems affected by the CVEs in the ‘Overview’ section. This will limit the attack surface available to threat actors targeting customer systems.
Indicators of Compromise
Associated Zerobot hashes:
Associated Zerobot IP: 176.65.137[.]5
Zerobot exploits a multitude of vulnerabilities in order to gain initial access. The wide range of CVEs targeted is almost certainly designed to create a large target surface with many options of initial compromise. This tactic is likely to increase over time as it enables greater infection probability and complicates defensive actions.
Based on the wide array of CVEs targeted by the threat actor operating Zerobot, the group is likely to be advanced and well organised, making the threat of Zerobot more severe.
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer
T1190 – Exploit Public-Facing Application
T1489 – Service Stop
Fortinet – Zerobot analysis
Security Week – Zerobot news article
Bleeping Computer – Zerobot news article