A prolific botnet that spreads primarily through IoT and web application vulnerabilities has added new exploits and attack capabilities, Microsoft has warned.
Zerobot (aka ZeroStresser) is a Go-based botnet sold on the cybercrime underground via a malware-as-a-service model, which makes it relatively easy for its developers to update functionality regularly.
Mainly used for distributed denial of service (DDoS) attacks, the botnet is comprised of compromised connected devices such as firewall devices, routers and cameras, according to a new blog from the Microsoft Security Threat Intelligence team.
The tech giant recently observed Zerobot exploiting vulnerabilities in Apache (CVE-2021-42013) and Apache Spark (CVE-2022-33891) in order to compromise these devices.
That’s in addition to brute-forcing devices protected only by default or weak credentials.
“Upon gaining device access, Zerobot injects a malicious payload, which may be a generic script called zero.sh that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture,” Microsoft explained.
“The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs).”
To achieve persistence on Linux devices, Zerobot uses a combination of desktop entry, daemon and service methods, while on Windows it copies itself to the Startup folder with the file name “FireWall.exe,” Microsoft added.
Zerobot 1.1 also has seven new DDoS attack capabilities designed to make the botnet a more attractive prospect to would-be buyers.
“In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target,” Microsoft explained.
To mitigate the threat from Zerobot and similar botnets, Microsoft urged firms to:
- Invest in security solutions with detection capabilities across multiple layers (i.e. email, apps, endpoints ,etc.)
- Adopt IoT-specific security tools to provide enhanced threat detection and response
- Make sure IoT devices are securely configured, up to date with firmware and use least privilege access
- Harden endpoints with application control and clean up any unused and stale executables on user devices