Zerobot

Original Issue Date:- December 12, 2022
Virus Type:- Malware botnet
Severity:- High

It has been observed that a newly surfaced malware botnet named ‘Zerobot’ written in Google’s open-source programming language Golang, is targeting vulnerabilities in the variety of devices including application delivery services, firewalls, routers and DVR/cameras etc. Zerobot incorporates exploits for 21 vulnerabilities and uses them to gain access to the device, downloads script named "zero," which could allow itself to self-propagate. The malware is at modification phase and has been recently updated with string obfuscation, copy file module and propagation exploit module that make it harder to detect and gives it a higher capability to infect more devices. It may allow remote attackers to gain access of vulnerable systems and its Anti-Kill module prevents victims from disrupting the Zerobot program.

Infection Mechanism: The new Golang-based malware botnet is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. Zerobot targets several vulnerabilities to gain access to a device and then downloads a script for further propagation. Zerobot gets its name from a propagation script that's used to retrieve the malicious payload after gaining access to a host depending on its microarchitecture implementation (e.g., "zero.arm64").

Zerobot, upon initialization in the compromised machine, establishes contact with a remote command-and-control (C2) server and awaits further instructions that allow it to run arbitrary commands and launch DDoS attacks for different network protocols like TCP, UDP, TLS, HTTP, and ICMP. Zerobot includes 21 exploits. In addition to some IoT vulnerabilities, it includes Spring4Shell, phpAdmin, F5 Big, etc., to increase its success rate. The malware also uses an "anti-kill" module designed to prevent terminating or killing its process.

Zerobot, upon initialization in the compromised machine, establishes contact with a remote command-and-control (C2) server and awaits further instructions that allow it to run arbitrary commands and launch DDoS attacks for different network protocols like TCP, UDP, TLS, HTTP, and ICMP. Zerobot includes 21 exploits. In addition to some IoT vulnerabilities, it includes Spring4Shell, phpAdmin, F5 Big, etc., to increase its success rate. The malware also uses an "anti-kill" module designed to prevent terminating or killing its process.

Zerobot uses the following exploits to breach its targets:

  • CVE-2014-08361: miniigd SOAP service in Realtek SDK
  • CVE-2017-17106: Zivif PR115-204-P-RS webcams
  • CVE-2017-17215: Huawei HG523 router
  • CVE-2018-12613: phpMyAdmin
  • CVE-2020-10987: Tenda AC15 AC1900 router
  • CVE-2020-25506: D-Link DNS-320 NAS
  • CVE-2021-35395: Realtek Jungle SDK
  • CVE-2021-36260: Hikvision product
  • CVE-2021-46422: Telesquare SDT-CW3B1 router
  • CVE-2022-01388: F5 BIG-IP
  • CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
  • CVE-2022-25075: TOTOLink A3000RU router
  • CVE-2022-26186: TOTOLink N600R router
  • CVE-2022-26210: TOTOLink A830R router
  • CVE-2022-30525: Zyxel USG Flex 100(W) firewall
  • CVE-2022-34538: MEGApix IP cameras
  • CVE-2022-37061: FLIX AX8 thermal sensor cameras

Indicators of Infection

Hashes:

C2:

176[.]65[.]137[.]5

Files:

  • 7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc
  • df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722
  • cd9bd2a6b3678b61f10bb6415fb37ea6b9934b9ec8bb15c39c543fd32e9be7bb
  • 50d6c5351c6476ea53e3c0d850de47059db3827b9c4a6ab4d083dfffcbde3579
  • 7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e8099774a320eaed39
  • 2955dc2aec431e5db18ce8e20f2de565c6c1fb4779e73d38224437ac6a48a564
  • 191ce97483781a2ea6325f5ffe092a0e975d612b4e1394ead683577f7857592f
  • 447f9ed6698f46d55d4671a30cf42303e0bd63fe8d09d14c730c5627f173174d
  • e0766dcad977a0d8d0e6f3f58254b98098d6a97766ddac30b97d11c1c341f005
  • 6c284131a2f94659b254ac646050bc9a8104a15c8d5482877d615d874279b822
  • 5af002f187ec661f5d274149975ddc43c9f20edd6af8e42b6626636549d2b203
  • 74f8a26eb324e65d1b71df9d0ed7b7587e99d85713c9d17c74318966f0bead0a
  • 9c16171d65935817afd6ba7ec85cd0931b4a1c3bafb2d96a897735ab8e80fd45
  • b1d67f1cff723eda506a0a52102b261769da4eaf0551b10926c7c79a658061fd
  • f0bb312eacde86d533c922b87e47b8536e819d7569baaec82b9a407c68084280
  • 2460434dabafe5a5dde0cce26b67f0230dbcd0d0ab5fabad1a1dbc289dc6432f
  • 2af33e1ff76a30eb83de18758380f113658d298690a436d817bd7e20df52df91
  • 4483c4f07e651ce8218216dd5c655622ff323bf3cdfe405ffeb69eafa75efad5
  • 7c085185f6754aef7824c201d8443300ff2b104521d82f9a8b8feb5d4c8d3191
  • 6ac49092ee1bdd55ddbf57df829f20aac750597d85b5904bb7bafa5b51fbb44d
  • f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f
  • 6dd71163b6ab81a35ce373875a688ad9b31e0d1c292f02e8b2bafa7b3d1e3731
  • d88e9248ff4c983aa9ae2e77cf79cb4efc833c947ec2d274983e45c41bbe47e1
  • 96bbb269fd080fedd01679ea82156005a16724b3cde1eb650a804fa31f18524e
  • 439b2e500e82c96d30e1ef8a7918e1f864e6d706d944aeddffe61b8bf81ef6d3
  • af48b072d0070fa09bca0868848b62df5228c34ef24d233d8eb75a1fde8ac23f
  • 5824fc51fcfba1a6315fd21422559d63c56f0e2192937085d65f9a0ac770eb3a
  • c9ea4cda12c14c895e23988229831b8f04ccab315c1cbc76a9efae888be55a3b
  • e2c2a0cccefc4314c110f3c0b887e5008073e607c61e1adde5000efb8e630d50

Best practices and remedial measures:

  • It is recommended to keep the software up to date with latest security updates
  • Install the latest firmware and use a properly configured firewall.
  • Ensure minimal exposure to the Internet on Linux servers and IoT devices Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
  • It is advised to carry out timely patching of internet-connected devices to avoid becoming a victim of Zerobot

Additional measures for securing IOT devices:

  • Restrict Web Management Interface access of IoT devices to authorized users only and change default username/passwords
  • Always change Default login credentials before deployment in production.
  • Change default credentials at device startup and ensure that passwords meet the minimum complexity.
  • Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required
  • Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network with a secured Wi-Fi router
  • Control access to the devices with Access List
  • Configure devices to "lock" or log out and require a user to re-authenticate if left unattended
  • Implement account lockout policies to reduce the risk of brute forcing attacks
  • Identify systems with default passwords and implement abovementioned measures. Some the systems that need to examined are Routers, switches, web applications and administrative web interfaces, ICS systems, Telnet and SSH interfaces
  • Telnet and SSH should be disabled on device if there is no requirement of remote management
  • Configure VPN and SSH to access device if remote access is required.
  • Configure certificate based authentication for telnet client for remote management of devices
  • Implement Egress and Ingress filtering at router level.
  • Report suspicious entries in Routers to your Internet Service Provider/CERT-In
  • Keep up to date Antivirus on the computer system.
  • Keep up-to-date on patches and fixes on the IoT devices, operating system and applications.
  • Unnecessary port and services should be stopped and closed.
  • Logging must be enabled on the device to log all the activities.
  • Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.

References: