The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting unpatched web-exposed Apache servers.

The Microsoft Defender for IoT research team has also observed that this latest release adds new Distributed Denial of Service (DDoS) functionality.

Zerobot has been under active development since at least November, with new releases adding new modules and features to expand the botnet’s attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras.

Since early December, the malware developers have removed the modules that targeted phpMyAdmin servers, Dasan GPON home routers, and D-Link DSL-2750B wireless routers with year-old exploits.

The update spotted by Microsoft adds new exploits to the malware’s toolkit, allowing it to target seven new types of devices and software, including unpatched Apache and Apache Spark servers.

The full list of modules added to Zerobot 1.1 includes:

  • CVE-2017-17105: Zivif PR115-204-P-RS
  • CVE-2019-10655: Large stream
  • CVE-2020-25223: Sophos SG UTM WebAdmin
  • CVE-2021-42013: Apache
  • CVE-2022-31137: Roxy-WI
  • CVE-2022-33891: Apache Spark
  • ZSL-2022-5717: MiniDVBLinux

“Microsoft researchers also found new evidence that Zerobot spreads by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers,” the Microsoft Security Threat Intelligence team said.

Finally, the updated malware now comes with seven new DDoS features, including a TCP_XMAS attack method.

Attack method   Description
-------------   -----------
UDP_RAW         Sends UDP packets with a customizable payload.
ICMP_FLOOD      Supposed to be an ICMP flood, but the packet is constructed incorrectly.
TCP_CUSTOM      Sends TCP packets where payload and flags are fully customizable.
TCP_SYN         Sends SYN packets.
TCP_ACK         Sends ACK packets.
TCP_SYNACK      Sends SYN-ACK packets.
TCP_XMAS        Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.
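The flag combinations in the table above are easy to recognise on the wire, which is useful for anyone writing detection for this traffic. The following is an added example from a defender's perspective, not code from the article or from Microsoft's report: it decodes the flags field of a raw TCP header and labels each packet as SYN, ACK, SYN-ACK, "XMAS" (the classic six flags all set, a pattern that never occurs in legitimate traffic) or other, then counts the labels over a batch of headers. The sample headers and the `make_header` helper are constructed here purely to produce in-memory test input.

```python
import struct
from collections import Counter

# Bit positions of the TCP flags in the low 9 bits of the 16-bit
# "data offset / reserved / flags" field at byte offset 12 of the header.
FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}

# The six classic flags; all of them set at once is the "Christmas tree" pattern.
CLASSIC_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def tcp_flags(header: bytes) -> set:
    """Return the set of flag names set in a raw TCP header (>= 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    offset_and_flags = struct.unpack("!H", header[12:14])[0]
    bits = offset_and_flags & 0x1FF  # mask off the 4-bit data offset and 3 reserved bits
    return {name for name, bit in FLAG_BITS.items() if bits & bit}


def classify(header: bytes) -> str:
    """Map a header's flags to one of the patterns described in the table."""
    flags = tcp_flags(header)
    if CLASSIC_FLAGS <= flags:
        return "XMAS"       # all classic flags set: never legitimate, always worth alerting on
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"SYN", "ACK"}:
        return "SYN-ACK"
    if flags == {"ACK"}:
        return "ACK"
    return "OTHER"


def summarize(headers) -> dict:
    """Count how many headers in a batch fall into each flag pattern."""
    return dict(Counter(classify(h) for h in headers))


def make_header(flag_names) -> bytes:
    """Constructed helper (assumption, not from the page): build a minimal
    20-byte TCP header with the given flags, for offline testing only."""
    bits = sum(FLAG_BITS[name] for name in flag_names)
    data_offset = 5 << 12  # 5 x 32-bit words, no options
    return struct.pack(
        "!HHIIHHHH",
        40000, 80,          # source port, destination port (arbitrary sample values)
        0, 0,               # sequence and acknowledgement numbers
        data_offset | bits,  # data offset + flags
        65535, 0, 0,         # window, checksum (unset), urgent pointer
    )


# Constructed sample batch: a normal handshake plus two Christmas-tree packets.
SAMPLE_HEADERS = [
    make_header(["SYN"]),
    make_header(["SYN", "ACK"]),
    make_header(["ACK"]),
    make_header(["PSH", "ACK"]),
    make_header(CLASSIC_FLAGS),
    make_header(CLASSIC_FLAGS),
]

if __name__ == "__main__":
    counts = summarize(SAMPLE_HEADERS)
    print(counts)
    if counts.get("XMAS"):
        print("alert: Christmas-tree packets observed")
```

In a real deployment the header bytes would come from a capture library or a flow sensor rather than from `make_header`; the classification and the "any XMAS packet is suspicious" rule carry over unchanged.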

This Go-based malware (also dubbed ZeroStresser by its developers) was first spotted in mid-November.

At the time, it used around two dozen exploits to infect various devices, including F5 BIG-IP, Zyxel firewalls, Totolink, D-Link routers, and Hikvision cameras.

It targets many system architectures and devices, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.

Zerobot spreads through brute force attacks against insecure devices with default or weak credentials and exploits vulnerabilities in Internet of Things (IoT) devices and web applications.

Once it infects a system, it downloads a script named “zero” that allows it to self-propagate to other vulnerable devices exposed online.

The botnet gains persistence on compromised devices and is used to launch DDoS attacks on a range of protocols, but it can also provide its operators with initial access to victim networks.
