"Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities"

The recently detailed Internet of Things (IoT) botnet Zerobot has been updated with an expanded list of exploits and new distributed denial-of-service (DDoS) capabilities. Zerobot was initially detailed two weeks ago. It is a self-replicating and self-propagating piece of malware written in the Go (Golang) programming language that can target twelve device architectures. Fortinet first described the malware in an advisory after analyzing two variants.

On Wednesday, Microsoft published its own analysis of Zerobot, warning that the malware has been updated with additional capabilities, including exploits for two vulnerabilities in Apache and Apache Spark, tracked as CVE-2021-42013 and CVE-2022-33891, respectively. In addition to previously reported exploits, the Zerobot variant that Microsoft analyzed also includes exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM), CVE-2022-31137 (Roxy-WI), and ZSL-2022-5717 (MiniDVBLinux). The researchers stated that since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files.

Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices through known vulnerabilities whose exploits are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers. Once it has compromised a device, Zerobot injects a script to execute the botnet malware (or a script that identifies the device architecture and fetches the appropriate binary) and establishes persistence. The threat does not target Windows machines, but Microsoft says it has observed Zerobot samples that can run on Windows.

The updated Zerobot variant packs several new capabilities for launching DDoS attacks over UDP, ICMP, and TCP, including SYN, ACK, and SYN-ACK flood variants.
The researchers noted that Zerobot can also scan the internet for additional devices to infect.  The capability allows it to scan sets of randomly generated IP addresses while attempting to identify honeypot IP addresses.


SecurityWeek reports: "Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities"
