New Zerobot malware has 21 exploits for BIG-IP, Zyxel, D-Hyperlink units

New Zerobot malware has 21 exploits for BIG-IP, Zyxel, D-Hyperlink units

A brand new Go-based malware named ‘Zerobot’ has been noticed in mid-November utilizing exploits for nearly two dozen vulnerabilities in a wide range of units that embody F5 BIG-IP, Zyxel firewalls, Totolink and D-Hyperlink routers, and Hikvision cameras.

The aim of the malware is so as to add compromised units to a distributed denial-of-service (DDoS) botnet to launch highly effective assaults towards specified targets.

Zerobot can scan the community and self-propagate to adjoining units in addition to run instructions on Home windows (CMD) or Linux (Bash).

Safety researchers at Fortinet found Zerobot and say that since November a brand new model has emerged with further modules and exploits for brand spanking new flaw, indicating that the malware is beneath energetic growth.

Exploiting its approach in

The malware can goal a variety of system architectures and units, together with i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.

Zerobot incorporates exploits for 21 vulnerabilities and makes use of them to realize entry to the system. Then it downloads a script named “zero,” which permits it to self propagate.

Fetching the zero script to enable propagation
Fetching the zero script to allow propagation (Fortinet)

Zerobot makes use of the next exploits to breach its targets:

  • CVE-2014-08361: miniigd SOAP service in Realtek SDK
  • CVE-2017-17106: Zivif PR115-204-P-RS webcams
  • CVE-2017-17215: Huawei HG523 router
  • CVE-2018-12613: phpMyAdmin
  • CVE-2020-10987: Tenda AC15 AC1900 router
  • CVE-2020-25506: D-Hyperlink DNS-320 NAS
  • CVE-2021-35395: Realtek Jungle SDK
  • CVE-2021-36260: Hikvision product
  • CVE-2021-46422: Telesquare SDT-CW3B1 router
  • CVE-2022-01388: F5 BIG-IP
  • CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
  • CVE-2022-25075: TOTOLink A3000RU router
  • CVE-2022-26186: TOTOLink N600R router
  • CVE-2022-26210: TOTOLink A830R router
  • CVE-2022-30525: Zyxel USG Flex 100(W) firewall
  • CVE-2022-34538: MEGApix IP cameras
  • CVE-2022-37061: FLIX AX8 thermal sensor cameras

Moreover, the botnet makes use of 4 exploits that haven’t been assigned an identifier. Two of them are focusing on GPON terminals and D-Hyperlink routers. Particulars concerning the different two are unclear for the time being.

Zerobot capabilities

After establishing its presence on the compromised system, Zerobot units a WebSocket connection to the command and management (C2) server and sends some primary details about the sufferer.

The C2 might reply with one of many following instructions:

  • ping – Heartbeat, sustaining the connection
  • assault – Launch assault for various protocols: TCP, UDP, TLS, HTTP, ICMP
  • cease – Cease assault
  • replace – Set up replace and restart Zerobot
  • enable_scan – Scan for open ports and begin spreading itself by way of exploit or SSH/Telnet cracker
  • disable_scan – Disable scanning
  • command – Run OS command, cmd on Home windows and bash on Linux
  • kill – Kill botnet program

The malware additionally makes use of an “anti-kill” module designed to stop terminating or killing its course of.

At present, Zerobot is primarily centered on launching DDoS assaults. Nevertheless, it could possibly be used as for preliminary entry, too.

Fortinet says that since Zerobot first appeared on November 18 its developer has improved it with string obfuscation, a duplicate file module, a self-propagation module, and a number of other new exploits.