Microsoft warns that new exploits and attack capabilities have been added to a large botnet that spreads primarily by exploiting vulnerabilities in IoT devices and web applications.
Zerobot (aka ZeroStresser) is a Go-based botnet sold in the cybercrime underground under a malware-as-a-service model, and its developers update its functionality on a regular basis.
The botnet is primarily used for distributed denial of service (DDoS) attacks and consists of compromised connected devices such as firewalls, routers and cameras, according to a new blog post from the Microsoft Security Threat Intelligence team.
The company recently observed Zerobot exploiting vulnerabilities in Apache (CVE-2021-42013) and Apache Spark (CVE-2022-33891) to compromise these devices.
This is in addition to brute-forcing devices that are protected only by default or weak credentials.
“Once gaining device access, Zerobot injects a malicious payload, which could be either a generic script called zero.sh that attempts to download and run Zerobot, or a script that downloads Zerobot binaries for a specific architecture,” explained Microsoft.
“The bash script that tries to download different Zerobot binaries attempts to identify the architecture by brute force, trying to download and execute binaries of different architectures until it succeeds, since IoT devices are based on many different computer processing units (CPUs).”
To achieve persistence on Linux devices, Zerobot uses a combination of desktop entries, daemons and service methods, while on Windows it copies itself to the startup folder with the filename “FireWall.exe”.
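As an added example (not from Microsoft's post or this article), the following Python script is a defender's host check for the persistence artifacts just described: a FireWall.exe copy in the Windows Startup folder, and Linux autostart or service entries that launch the zero.sh dropper. The autostart directory paths are assumed standard locations, not details taken from the article.

```python
# Added example (not from the article): a defender's hunt for the Zerobot
# persistence artifacts Microsoft describes, i.e. a "FireWall.exe" copy in the
# Windows Startup folder and Linux autostart/service entries that run the
# zero.sh dropper. Directory paths are assumed standard locations, not article data.
import os
import re
from pathlib import Path
from typing import Iterable, List, Tuple

DROPPER_PATTERN = re.compile(r"zero\.sh|zerobot", re.I)  # dropper script / binary name

def autostart_dirs() -> List[Path]:
    """Usual autostart locations (assumed, not from the article)."""
    home = Path(os.environ.get("HOME") or os.environ.get("USERPROFILE") or ".")
    appdata = Path(os.environ.get("APPDATA", ""))
    return [home / ".config/autostart", Path("/etc/xdg/autostart"),      # desktop entries
            Path("/etc/systemd/system"), home / ".config/systemd/user",  # service units
            Path("/etc/init.d"),                                         # legacy daemons
            appdata / "Microsoft/Windows/Start Menu/Programs/Startup"]   # Windows Startup

def classify_entry(path: str, content: str) -> List[str]:
    """Reasons an autostart entry matches the persistence Microsoft describes."""
    reasons = []
    if path.replace("\\", "/").lower().endswith("/startup/firewall.exe"):
        reasons.append("FireWall.exe placed in Startup folder")
    if DROPPER_PATTERN.search(content):
        reasons.append("entry references zero.sh/Zerobot")
    return reasons

def scan_entries(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run classify_entry over (path, content) pairs and keep only the hits."""
    return [(p, r) for p, c in entries if (r := classify_entry(p, c))]

def collect_live_entries() -> List[Tuple[str, str]]:
    """Read every file in the host's autostart locations (binaries decoded lossily)."""
    files = [f for d in autostart_dirs() if d.is_dir() for f in d.iterdir() if f.is_file()]
    return [(str(f), f.read_bytes().decode("utf-8", "replace")) for f in files]

# Constructed sample entries so the script runs offline; not data from a real host.
SAMPLE_ENTRIES = [
    ("/home/u/.config/autostart/update.desktop", "[Desktop Entry]\nExec=/tmp/zero.sh\n"),
    ("/etc/systemd/system/sshd.service", "[Service]\nExecStart=/usr/sbin/sshd -D\n"),
    (r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireWall.exe", ""),
]

if __name__ == "__main__":
    for path, reasons in scan_entries(SAMPLE_ENTRIES) + scan_entries(collect_live_entries()):
        print(f"{path}: {'; '.join(reasons)}")
```

A match is a lead for triage, not proof of infection: confirm the file's hash and origin before acting, since the filename can be changed by the operators.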
Zerobot 1.1 also has seven new DDoS attack capabilities, designed to make the botnet more attractive to potential buyers.
“Almost all attacks have customizable destination ports, allowing threat actors who purchase malware to modify their attacks depending on their target,” explains Microsoft.
To mitigate threats from Zerobot and similar botnets, Microsoft urged companies to:
- Invest in security solutions with detection capabilities across multiple layers (email, apps, endpoints, etc.).
- Adopt IoT-specific security tools to provide enhanced threat detection and response.
- Make sure your IoT devices are securely configured, have the latest firmware, and use least-privilege access.
- Harden your endpoints with application control and clean up unused, stale executables on user devices.