New Go-based malware dubbed “Zerobot” was spotted in mid-November using exploits for nearly two dozen vulnerabilities in a variety of devices, including F5 BIG-IP, Zyxel firewalls, routers Totolink and D-Link and Hikvision cameras.

The purpose of the malware is to add compromised devices to a Distributed Denial of Service (DDoS) botnet to launch powerful attacks against specific targets.

Zerobot can scan the network and spread to adjacent devices as well as execute commands on Windows (CMD) or Linux (Bash).

Fortinet security researchers discovered Zerobot and say that since November a new version has appeared with additional modules and exploits for a new flaw, indicating that the malware is under active development.

Working his way in

The malware can target a range of system architectures and devices, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.

Zerobot integrates exploits for 21 vulnerabilities and uses them to gain access to the device. Then it downloads a script named “zero”, which allows it to spread.

Zerobot uses the following exploits to reach its targets:

• CVE-2014-08361: miniigd SOAP service in Realtek SDK
• CVE-2017-17106: Zivif Webcams PR115-204-P-RS
• CVE-2017-17215: Huawei HG523 Router
• CVE-2018-12613: phpMyAdmin
• CVE-2020-10987: Tenda AC15 AC1900 Router
• CVE-2020-25506: D-Link DNS-320 NAS
• CVE-2021-35395: Realtek Jungle SDK
• CVE-2021-36260: Hikvision product
• CVE-2021-46422: Telesquare SDT-CW3B1 Router
• CVE-2022-01388: F5 BIG-IP
• CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
• CVE-2022-25075: TOTOLink A3000RU Router
• CVE-2022-26186: TOTOLink N600R Router
• CVE-2022-26210: TOTOLink A830R Router
• CVE-2022-30525: Zyxel USG Flex 100(W) Firewall
• CVE-2022-34538: MEGApix IP cameras
• CVE-2022-37061: FLIX AX8 thermal sensor cameras

Additionally, the botnet uses four exploits to which no identifiers have been assigned. Two of them target GPON terminals and D-Link routers. Details on the other two are unclear at this time.

Zerobot Functions

After establishing its presence on the compromised device, Zerobot establishes a WebSocket connection to the command and control (C2) server and sends basic information about the victim.

The C2 can respond with one of the following commands:

• ping – Heartbeat, maintaining connection
• offensive – Launch an attack for different protocols: TCP, UDP, TLS, HTTP, ICMP
• stop – Stop attack
• update – Install the update and restart Zerobot
• enable_scan – Scan for open ports and start spreading via exploit or SSH/Telnet cracker
• disable_scan – Disable scanning
• ordered – Run OS command, cmd on Windows and bash on Linux
• kill – Kill the botnet program

The malware also uses an “anti-kill” module designed to prevent its process from being terminated or killed.

Currently, Zerobot is mainly focused on launching DDoS attacks. However, it could also be used as an initial access.

fortnite says that since Zerobot first appeared on November 18, its developer has improved it with chain obfuscation, a file copy module, a self-propagation module, and several new exploits.