The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers.
The Microsoft Defender for IoT research team also observed that this latest version adds new distributed denial-of-service (DDoS) capabilities.
Zerobot has been under active development since at least November, with new versions adding new modules and features to expand the botnet’s attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras.
Since early December, the malware’s developers have removed modules that targeted phpMyAdmin servers, Dasan GPON home routers, and D-Link DSL-2750B wireless routers with year-old exploits.
The update spotted by Microsoft adds newer exploits to the malware’s toolkit, enabling it to target seven new types of devices and software, including unpatched Apache and Apache Spark servers.
The complete list of modules added to Zerobot 1.1 includes:
- CVE-2017-17105: Zivif PR115-204-P-RS
- CVE-2019-10655: Grandstream
- CVE-2020-25223: WebAdmin of Sophos SG UTM
- CVE-2021-42013: Apache
- CVE-2022-31137: Roxy-WI
- CVE-2022-33891: Apache Spark
- ZSL-2022-5717: MiniDVBLinux
“Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers,” the Microsoft Security Threat Intelligence team said.
Last but not least, the updated malware now comes with seven new DDoS capabilities, including a TCP_XMAS attack method.
| Attack method | Description |
| UDP_RAW | Sends UDP packets where the payload is customizable. |
| ICMP_FLOOD | Supposed to be an ICMP flood, but the packet is built incorrectly. |
| TCP_CUSTOM | Sends TCP packets where the payload and flags are fully customizable. |
| TCP_SYN | Sends SYN packets. |
| TCP_ACK | Sends ACK packets. |
| TCP_SYNACK | Sends SYN-ACK packets. |
| TCP_XMAS | Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”. |
This Go-based malware (also dubbed ZeroStresser by its developers) was first spotted in mid-November.
At the time, it used roughly two dozen exploits to infect various devices, including F5 BIG-IP, Zyxel firewalls, Totolink, D-Link routers, and Hikvision cameras.
It targets many system architectures and devices, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.
Zerobot spreads through brute force attacks against unsecured devices with default or weak credentials and exploits vulnerabilities in Internet of Things (IoT) devices and web applications.
Once it infects a system, it downloads a script named “zero” that will allow it to self-propagate to more vulnerable devices exposed online.
The botnet gains persistence of compromised devices, and it’s being used to launch DDoS attacks over a range of protocols, but it can also provide its operators with initial access to victims’ networks.
