Recently discovered malware called Zerobot was spotted in November exploiting twenty-one (21) vulnerabilities in various Internet of Things (IoT) devices including Zyxel firewalls, D-Link routers and Hikvision cameras.
Zerobot is Go-based malware that compromises devices and adds them to a botnet capable of Distributed Denial-of-Service (DDoS) attacks against specified targets. The malware is capable of self-replication and self-propagation, can attack a range of network protocols, and communicates with its command and control (C2) server over the WebSocket protocol.
The Zerobot malware targets a wide range of system architectures, including i386, AMD64, ARM, MIPS, PPC64, RISC64 and S390x. It gains initial access to devices by exploiting known vulnerabilities. Once it has access to a device, the malware downloads a script called zero that enables it to propagate. The malware also establishes a WebSocket connection to its C2 server and sends information about the compromised device over it. The C2 server controls the malware with the following commands:
ping: Heartbeat, used to maintain the connection
attack: Launches an attack over one of several protocols, such as TCP, UDP, TLS, HTTP or ICMP
stop: Stops the attack
update: Installs an update and restarts Zerobot
enable_scan: Scans for open ports and starts propagating the malware via exploits or an SSH/Telnet cracker
disable_scan: Disables scanning
command: Runs commands using cmd on Windows or bash on Linux
kill: Kills the botnet program
Zerobot also features an anti-kill module that prevents its process from being terminated if it is discovered.
The different vulnerabilities that are exploited by this malware are as follows:
CVE-2014-8361 which affects the miniigd SOAP service in the Realtek SDK
CVE-2017-17106 which affects the Zivif PR115-204-P-RS webcams
CVE-2017-17215 which affects Huawei HG523 routers
CVE-2018-12613 which affects phpMyAdmin
CVE-2020-10987 which affects Tenda AC15 AC1900 routers
CVE-2020-25506 which affects D-Link DNS-320 (Network Storage Enclosure) NAS
CVE-2021-35395 which affects Realtek Jungle SDK
CVE-2021-36260 which affects Hikvision cameras that use web server services
CVE-2021-46422 which affects Telesquare SDT-CW3B1 routers
CVE-2022-1388 which affects F5 BIG-IP products
CVE-2022-22965 (Spring4Shell) which affects Spring MVC and Spring WebFlux applications
CVE-2022-25075 which affects TOTOLink A3000RU routers
CVE-2022-26186 which affects TOTOLink N600R routers
CVE-2022-26210 which affects TOTOLink A830R routers
CVE-2022-30525 which affects Zyxel USG Flex 100(W) firewalls
CVE-2022-34538 which affects MEGApix IP cameras
CVE-2022-37061 which affects FLIR AX8 thermal sensor cameras
Four more vulnerabilities that have not been assigned a CVE are also exploited: one targets Gigabit Passive Optical Network (GPON) terminals and another targets D-Link routers. Details of the remaining two are not yet known.
Indicators of Compromise
For a list of file hashes associated with the Zerobot malware, follow the URL: https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
The IP address of the C2 server used by Zerobot is 184.108.40.206.
If you are working with any of the devices mentioned above, it is highly recommended that you patch the device(s) with the latest updates and continue to apply patches as they become available in order to protect yourself from the Zerobot malware. It is also recommended that you blacklist the malware's C2 server IP address.
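As an added example (not part of this advisory or of the cited reports), the following Python script shows how a defender could triage firewall logs for two of the behaviours described above: outbound connections to the C2 address, and the burst of SSH/Telnet connections to many peers that follows the enable_scan command. The log line format, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict
# C2 address reported in the advisory above.
ZEROBOT_C2_IP = "184.108.40.206"
# Ports the enable_scan command's SSH/Telnet cracker would probe.
CRACKER_PORTS = {22, 23}

# Constructed sample firewall log lines (not real traffic), one flow per line:
# "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
1670000000 10.0.0.12 184.108.40.206 443 tcp
1670000001 10.0.0.12 10.0.1.5 22 tcp
1670000002 10.0.0.12 10.0.1.6 23 tcp
1670000003 10.0.0.12 10.0.1.7 22 tcp
1670000004 10.0.0.12 10.0.1.8 23 tcp
1670000005 10.0.0.12 10.0.1.9 22 tcp
1670000006 10.0.0.40 93.184.216.34 443 tcp
1670000007 10.0.0.40 10.0.1.5 22 tcp
"""

def parse_log(text):
    """Yield (ts, src, dst, dport, proto) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]

def c2_contacts(records):
    """Internal hosts that opened a connection to the Zerobot C2 address."""
    return sorted({src for _, src, dst, _, _ in records if dst == ZEROBOT_C2_IP})

def ssh_telnet_scanners(records, min_targets=5, window=60):
    """Hosts that reached at least min_targets distinct SSH/Telnet peers within window seconds."""
    hits = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        if dport in CRACKER_PORTS:
            hits[src].append((ts, dst))
    flagged = []
    for src, events in hits.items():
        events.sort()  # sliding window over time-ordered events
        for i, (t0, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - t0 <= window}
            if len(peers) >= min_targets:
                flagged.append(src)
                break
    return sorted(flagged)

def triage(text):
    """Run both checks over a log and report the hosts worth investigating."""
    records = list(parse_log(text))
    return {"c2": c2_contacts(records), "scanners": ssh_telnet_scanners(records)}
```

Tune min_targets and window to your network's normal SSH/Telnet administration patterns before relying on the scanner check.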
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: New Zerobot malware exploits over 20 vulnerabilities.pdf
Toulas, B. (2022, December 7). New Zerobot malware has 21 exploits for BIG-IP, Zyxel, D-Link devices. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/new-zerobot-malware-has-21-exploits-for-big-ip-zyxel-d-link-devices/
Lin, C. (2022, December 6). Zerobot New Go-Based Botnet Campaign Targets Multiple Vulnerabilities. Retrieved from Fortinet. https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities