Zerobot malware now spreads by exploiting Apache vulnerabilities


The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers.

The Microsoft Defender for IoT research team also observed that this latest version adds new distributed denial-of-service (DDoS) capabilities.

Zerobot has been under active development since at least November, with new versions adding new modules and features to expand the botnet’s attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras.

Since early December, the malware’s developers have removed modules that targeted phpMyAdmin servers, Dasan GPON home routers, and D-Link DSL-2750B wireless routers with year-old exploits.

The update spotted by Microsoft adds newer exploits to the malware’s toolkit, enabling it to target seven new types of devices and software, including unpatched Apache and Apache Spark servers.

The complete list of modules added to Zerobot 1.1 includes:

  • CVE-2017-17105: Zivif PR115-204-P-RS
  • CVE-2019-10655: Grandstream
  • CVE-2020-25223: WebAdmin of Sophos SG UTM
  • CVE-2021-42013: Apache
  • CVE-2022-31137: Roxy-WI
  • CVE-2022-33891: Apache Spark
  • ZSL-2022-5717: MiniDVBLinux

“Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers,” the Microsoft Security Threat Intelligence team said.

Last but not least, the updated malware now comes with seven new DDoS capabilities, including a TCP_XMAS attack method.

| Attack method | Description |
| --- | --- |
| UDP_RAW | Sends UDP packets where the payload is customizable. |
| ICMP_FLOOD | Supposed to be an ICMP flood, but the packet is built incorrectly. |
| TCP_CUSTOM | Sends TCP packets where the payload and flags are fully customizable. |
| TCP_SYN | Sends SYN packets. |
| TCP_ACK | Sends ACK packets. |
| TCP_SYNACK | Sends SYN-ACK packets. |
| TCP_XMAS | Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”. |
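The TCP-based methods in the table differ only in which flag bits are set in the packet header, which is also what a defender keys on. The following is an editor-added Python example, not code from the Microsoft report or from Zerobot: it parses the flags byte of raw TCP headers, classifies each packet into the SYN / ACK / SYN-ACK / XMAS classes from the table, and summarizes a burst of packets. The sample headers are constructed inline, the `flood_threshold` parameter is a hypothetical tuning knob, and it assumes "all TCP flags" means all eight bits of the flags byte.

```python
import struct
from collections import Counter

# TCP flag bits in byte 13 of the TCP header (FIN is bit 0, CWR is bit 7).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ALL_FLAGS = 0xFF  # assumption: "all TCP flags" means every bit in the flags byte


def tcp_flags(header: bytes) -> int:
    """Return the 8-bit flags field from a raw TCP header (at least 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header too short")
    return header[13]


def classify(flags: int) -> str:
    """Map a flags byte onto the packet classes used in the Zerobot DDoS table."""
    if flags == ALL_FLAGS:
        # No real TCP stack sets every flag at once; this is the "xmas" signature.
        return "xmas"
    if (flags & (SYN | ACK)) == (SYN | ACK):
        return "syn-ack"
    if flags & SYN:
        return "syn"
    if flags & ACK:
        return "ack"
    return "other"


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Constructed sample: pack a minimal 20-byte TCP header with the given flags."""
    data_offset = 5 << 4  # header length of 5 32-bit words, no options
    window, checksum, urg_ptr = 65535, 0, 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, checksum, urg_ptr)


def summarize(headers, flood_threshold: int = 1000) -> dict:
    """Count packet classes in a burst and report what a defender should look at.

    flood_threshold is a hypothetical per-burst count above which SYN/ACK/SYN-ACK
    volume is reported; xmas packets are reported at any volume.
    """
    counts = Counter(classify(tcp_flags(h)) for h in headers)
    findings = []
    if counts["xmas"]:
        findings.append(f"{counts['xmas']} xmas packets (all flags set, never legitimate)")
    for cls in ("syn", "ack", "syn-ack"):
        if counts[cls] >= flood_threshold:
            findings.append(f"{cls} volume {counts[cls]} reached threshold {flood_threshold}")
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    # Constructed burst: three SYNs and one xmas packet toward port 80.
    burst = [build_tcp_header(40000 + i, 80, SYN) for i in range(3)]
    burst.append(build_tcp_header(40003, 80, ALL_FLAGS))
    print(summarize(burst, flood_threshold=3))
```

In a real deployment the headers would come from a capture library rather than `build_tcp_header`; the classification and threshold logic are what carry over.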

This Go-based malware (also dubbed ZeroStresser by its developers) was first spotted in mid-November.

At the time, it used roughly two dozen exploits to infect various devices, including F5 BIG-IP, Zyxel firewalls, Totolink, D-Link routers, and Hikvision cameras.

It targets many system architectures and devices, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.

Zerobot spreads through brute force attacks against unsecured devices with default or weak credentials and exploits vulnerabilities in Internet of Things (IoT) devices and web applications. 

Once it infects a system, it downloads a script named “zero” that will allow it to self-propagate to more vulnerable devices exposed online.

The botnet gains persistence on compromised devices, and it’s being used to launch DDoS attacks over a range of protocols, but it can also provide its operators with initial access to victims’ networks.
