Pierluigi Paganini December 22, 2022

Microsoft spotted an upgraded variant of the Zerobot botnet that spreads by exploiting Apache vulnerabilities.

Microsoft Threat Intelligence Center (MSTIC) researchers discovered a new variant of the Zerobot botnet (aka ZeroStresser) that was improved with the capabilities to target more Internet of Things (IoT) devices. The IT giant is tracking this cluster of threat activity as DEV-1061.

Zerobot operators are offering the botnet as a malware-as-a-service model, one domain (zerostresser[.]com) with links to the bot was among the 48 domains associated with DDoS-for-hire services seized by the FBI in December.

The Zerobot botnet first appeared in the wild in November 2022 targeting devices running on Linux operating system. The Go-based botnet spreads by exploiting two dozen security vulnerabilities in the internet of things (IoT) devices and other applications.

The most recent variant spotted by Microsoft spreads by exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively) and also supports new DDoS attack capabilities.

The Zerobot botnet can propagate through brute force attacks on vulnerable devices with insecure configurations that use default/weak credentials. Experts observed the bot attempting to gain access to the device by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323. The researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.

Zerobot was also observed spreading by exploiting dozens of vulnerabilities, the version Zerobot 1.1 includes several new flaws, including:

“Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID “ZERO-32906” for CVE-2018-20057, “GPON” for CVE-2018-10561, and “DLINK” for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.” reads the analysis published by Microsoft.

Researchers also discovered that Zerobot propagates by compromising devices with known flaws that are not included in the malware binary, such as a command injection vulnerability in Tenda GPON AC1200 routers, which is tracked as CVE-2022-30023.

Zerobot targets multiple architectures, including i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. The bot is saved using the filename “zero.”

“The continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures.” concludes Microsoft that provides the following recommendations to protect devices and networks against the threat of Zerobot:

• Use security solutions with cross-domain visibility and detection capabilities.
• Adopt a comprehensive IoT security solution.
  • Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
  • Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
  • Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
• Harden endpoints with a comprehensive Windows security solution”

Update July 11, 2023

The ZeroBot malware is not linked to ZeroBot.ai which is an internet-accessible verbal chatbot, they only have the same name.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]