Microsoft recently noted the Zerobot botnet, first detected in November, is expanding its reach by targeting more types of Internet of Things devices. Furthermore, it adds new exploits and distributed denial-of-service attack capabilities, the company noted in a report released Wednesday.
Malware typically spreads via unpatched or inadequately secured IoT devices such as firewalls, routers and cameras. Cybercriminals then utilize these devices in a botnet to launch DDoS attacks and profit from the sale of malicious payloads.
Malware-as-a-Service (MaaS) Business Model
The Zerobot Botnet (also referred to as ZeroStresser) is spreading through vulnerabilities in Internet of Things devices and online applications, according to the Microsoft Security Threat Intelligence Center. Its controllers are continuously adding new exploits and capabilities to the malware that’s being sold using a Malware-as-a-Service (MaaS) model. This business model has industrialized cyberattacks by making it simpler for threat actors to purchase malware and maintain access to compromised networks.
This malware, coded in Go, can spread via IoT vulnerabilities and web application vulnerabilities. It also has various modules for self-replication, self-propagation, and attacks against various protocols. It communicates with its command-and-control (C&C) server via WebSocket protocol and targets twelve architectures including i386, AMD64, ARM, ARM64, MIPS mipsle mips PPC64le riscv64 and S390x.
Microsoft’s research team recently examined the malware and discovered it can exploit two Apache and Spark vulnerabilities (CVE-2021-42013 and CVE-2022-33891, respectively) to launch DDoS attacks against victims. Furthermore, its latest distribution includes new functions which allow it to attack more types of internet-connected devices as well as expand its network reach, according to the Microsoft Threat Intelligence Center.
In November 2017, Fortinet researchers identified the botnet and identified at least 21 vulnerabilities affecting various devices, such as F5 BIG-IP, Zyxel firewalls, Totolink/D-Link routers and Hikvision cameras. The aim is to add compromised devices into a botnet that can launch distributed denial of service (DDoS) attacks against targeted targets, according to Fortinet.
In addition to targeting a variety of system architectures and devices, the malware is capable of launching DDoS attacks against specific resources by sending UDP and TCP packets with customizable payloads. Furthermore, it sends SYN and ACK packets individually or in multiples.
This DDoS botnet is now being sold as a Malware-as-a-Service (MaaS) business model by its operators, with one of the domains used to advertise itself being among 48 seized by the FBI last month for DDoS-for-hire services. The operators of Zerobot are offering it for sale on various social media platforms and have modified it with new capabilities in development.
Extensive Exploits and Capabilities
Botnet operators are constantly adding exploits and capabilities to Zerobot, a Go-based malware that spreads mainly through IoT and web application vulnerabilities. The latest version of Zerobot Botnet, called 1.1, has several new features that enable it to target more devices and software while launching DDoS attacks against them.
On Wednesday, Microsoft researchers who have been monitoring Zerobot for months shared details about its latest 1.1 version in a blog post. According to their investigation, Zerobot uses brute force tactics to spread via vulnerable devices with insecure configurations or weak credentials. It can gain access to devices by using eight common usernames and 130 passwords over SSH and Telnet on standard ports 22 and 23.
The research team notes that Zerobot is distributed by its operators as part of a malware-as-a-service model and uses social media platforms for advertisement. Furthermore, the malware has been upgraded with several exploit modules to increase its attack vectors, including string obfuscation, copy file module and propagation exploit module.
Researchers report the Zerobot Botnet is capable of infecting numerous IoT devices without most security solutions being able to detect it due to its unique capabilities and advanced stealth functions. The malware’s AntiKill module prevents victims from disrupting it, while its self-replication feature enables it to infect more devices than ever before.
Furthermore, the malware is capable of launching DDoS attacks against compromised systems by downloading a script that it then self-propagates to other online devices. Once infected, it downloads a command-and-control (C&C) server so it can take control of the affected system and launch DDoS attacks.
Zerobot is capable of exploiting dozens of vulnerabilities that malware operators update regularly in order to gain access to infected systems and inject malicious payloads. It has the capacity to infect systems running AMD64, ARM, i386, MIPS64le, PPC64, RISC64 and S390x operating systems.
The malware is capable of launching various DDoS attacks against victims’ networks, such as pinging, flooding and DNS queries. This poses a serious danger since it could easily overwhelm victim networks with traffic and cause them to lose vital services.
Enhanced Persistence
Zerobot Botnet has emerged as an increasingly dangerous threat, boasting new exploits and capabilities. This Go-language malware spreads via vulnerabilities in IoT devices, gaining access to and compromising a wide range of endpoints in an effort to establish persistent control over these systems.
Persistence, or the capacity for malware to remain on a target system until its objectives have been fulfilled, is an essential strategy in malicious software, according to MITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) database. Attackers need their code on a system for as long as possible in order to maintain control over it.
The ATT&CK list indicates that attackers employ more than 50 methods to gain persistence. One common strategy involves altering the registry on Windows systems, which allows malware to remain active even after it has achieved its objectives.
However, while this technique can be effective, it makes the infection harder to detect. This is particularly challenging on routers and other embedded devices which lack a hard drive.
Another challenge is that many network devices don’t reboot, making it easy for malware to remain undetected for an extended period. To make detection harder, the bot uses a feature which disables kernel watchdog so the device won’t reboot automatically when an error occurs.
Alternatively, the bot may attempt to pass itself off as busybox, a userspace package often found on embedded systems. Once located in the /bin directory, it can execute commands sent from its command-and-control server which is accessible on its own port.
Finally, the bot has a propagation exploit module that enables it to infect more IoT devices by exploiting vulnerabilities in web applications and other vulnerable technologies. This includes two Apache and Spark vulnerabilities tracked as CVE-2021-42013 and CVE-2022-33891.
On Wednesday, Microsoft identified a new version of the botnet that uses these exploits in combination with other modules to find additional devices to infect and sustain itself. It also includes new DDoS attack capabilities, one notable among them being its capacity to exploit Tenda GPON AC1200 command injection flaw which permits it to send TCP packets with all TCP flags set to “xmas.” This capability wasn’t present earlier versions which only sent traffic with all TCP flags set to “off.”
New DDoS Attack Capabilities
Recently, the Zerobot botnet has added more exploits and attack capabilities that make it increasingly sophisticated and effective at launching DDoS attacks. This malware-as-a-service (MaaS) botnet targets vulnerabilities in IoT and web application vulnerabilities which allow it to infect connected devices such as firewalls, routers, cameras, etc.
Since November, Zerobot has amassed an array of exploits and modules designed to target seven new types of vulnerable systems and software. Microsoft recently identified a version that adds capabilities for DDoS attacks as well as scanning the internet for additional devices to infect. The updated Zerobot variant can launch attacks using UDP, ICMP, TCP, SYN-ACK, and SYN-ACK protocols while scanning for honeypot IP addresses on the web.
Microsoft’s Threat Intelligence blog post about Zerobot 2.0 details how this latest version is written in Go and communicates via WebSockets, with string obfuscation, a copy file module and propagation exploit added for harder detection and increased DDoS attack capabilities.
Zerobot can infect a device by injecting a malicious payload that attempts to download binaries of various architectures through brute force methods. It may also utilize other persistence mechanisms depending on the operating system to maintain access to infected devices.
Once Zerobot has gained control of a device, it can execute botnet malware to add it to its network. This allows the botnet malware to spread further throughout more devices and ensure its persistence.
This gives it the capacity to launch DDoS attacks against other devices, including those within the botnet, as well as attack servers. This makes the botnet an incredibly valuable weapon for cybercriminals to use to demand ransom payments or divert attention away from other malicious activity on the network.
In addition to DDoS attack capabilities, the latest Zerobot version adds new capabilities that could be used to infiltrate victims’ networks and access their data. These include exploiting vulnerabilities in Apache and Spark (CVE-2021-42013 and CVE-2022-33891 respectively) as well as launching DDoS attacks against victim websites.
Next-generation bot defenses are essential for protecting against Zerobot and other malicious botnets. These solutions offer faster deployment times than traditional methods, as well as flexible integrations with other security tools. Furthermore, they obfuscate their code to prevent sophisticated botnet owners from reverse engineering its functionality – which is one of the most common tactics cybercriminals use to steal intellectual property.
