"New Go-based Zerobot Botnet Exploiting Exploiting Dozens of IoT Vulnerabilities to Expand its Network"

Zerobot is a new Go-based botnet that has been observed in the wild spreading by exploiting nearly two dozen security flaws in Internet of Things (IoT) devices and other software. According to Fortinet FortiGuard Labs researcher Cara Lin, the botnet contains several modules, including self-replication, attacks for various protocols, and self-propagation. It also uses the WebSocket protocol to communicate with its command-and-control (C2) server. The campaign, which is said to have begun after November 18, 2022, targets the Linux operating system in order to gain control of vulnerable devices.

The name Zerobot comes from a propagation script that, depending on the microarchitecture implementation, is used to retrieve the malicious payload after gaining access to a host. The malware is intended to attack a variety of CPU architectures, including i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.

To date, two versions of Zerobot have been discovered: one with basic functions, used prior to November 24, 2022, and an updated variant with a self-propagating module that breaches other endpoints using 21 exploits. TOTOLINK routers, Zyxel firewalls, F5 BIG-IP, Hikvision cameras, FLIR AX8 thermal imaging cameras, D-Link DNS-320 NAS, and Spring Framework are among the systems affected. Upon initialization on the compromised machine, Zerobot connects to a remote C2 server and waits for further instructions to execute arbitrary commands and launch attacks against various network protocols such as TCP, UDP, TLS, HTTP, and ICMP. This article continues to discuss findings surrounding the novel Go-based Zerobot botnet.

The Hacker News reports "New Go-based Zerobot Botnet Exploiting Dozens of IoT Vulnerabilities to Expand its Network"

Submitted by Anonymous on