Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnThe Hacker NewsTHN:A11694FE3CBE11A6BB13342E34450CE1
HistoryDec 07, 2022 - 4:03 a.m.

New Go-based Botnet Exploiting Exploiting Dozens of IoT Vulnerabilities to Expand its Network

2022-12-0704:03:00
The Hacker News
thehackernews.com
36
zerobot
botnet
exploiting
go-based
iot vulnerabilities
windows
linux
self-replication
command-and-control
websocket
microarchitecture
malware
cpu architectures
self-propagating
exploits
totolink routers
zyxel firewalls
f5 big-ip
hikvision cameras
flir ax8
d-link dns-320 nas
spring framework
ddos attacks
string obfuscation
JSON

Zerobot Botnet IoT Vulnerabilities

> NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.

A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen security vulnerabilities in the internet of things (IoT) devices and other software.

The botnet “contains several modules, including self-replication, attacks for different protocols, and self-propagation,” Fortinet FortiGuard Labs researcher Cara Lin said. “It also communicates with its command-and-control server using the WebSocket protocol.”

The campaign, which is said to have commenced after November 18, 2022, primarily singles out Windows and Linux operating systems to gain control of vulnerable devices.

Zerobot gets its name from a propagation script that’s used to retrieve the malicious payload after gaining access to a host depending on its microarchitecture implementation (e.g., “zero.arm64”).

The malware is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.

Two versions of Zerobot have been spotted to date: One used before November 24, 2022, that comes with basic functions and an updated variant that includes a self-propagating module to breach other endpoints using 21 exploits.

UPCOMING WEBINAR

[Shield Against Insider Threats: Master SaaS Security Posture Management

](<https://thn.news/I26t1VFD&gt;)

Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

This comprises vulnerabilities impacting TOTOLINK routers, Zyxel firewalls, F5 BIG-IP, Hikvision cameras, FLIR AX8 thermal imaging cameras, D-Link DNS-320 NAS, and Spring Framework, among others.

Zerobot, upon initialization in the compromised machine, establishes contact with a remote command-and-control (C2) server and awaits further instructions that allow it to run arbitrary commands and launch DDoS attacks for different network protocols like TCP, UDP, TLS, HTTP, and ICMP.

“Within a very short time, it was updated with string obfuscation, a copy file module, and a propagation exploit module that make[s] it harder to detect and gives it a higher capability to infect more devices,” Lin said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

JSON