A new Go-based malware named Zerobot has been spotted in mid-November, using exploits for almost two dozen vulnerabilities in a variety of devices.
The goal is to add compromised devices to a distributed denial-of-service (DDoS) botnet so that they can launch powerful attacks against specified targets.
Zerobot can run commands on Windows or Linux, scan the network, and self-propagate to adjacent devices.
According to security researchers at Fortinet, a new version of Zerobot has emerged with additional modules and exploits for a new flaw, indicating that it is under development.
Exploiting its way in
A range of system architectures and devices can be targeted by the malware.
Zerobot uses exploits to gain access to a device and then downloads a script called "zero", which allows it to self-propagate.
Zerobot uses a number of exploits to break into its targets, including vulnerabilities in the following products:
The miniigd SOAP service in the SDK
Zivif webcams
HUAWEI HG523 routers
phpMyAdmin
Tenda AC15 AC1900 routers
D-Link devices
The Realtek Jungle SDK
Hikvision products
Telesquare SDT-CW3B1 routers
F5 BIG-IP
Spring MVC and Spring WebFlux (Spring4Shell)
TOTOLink A3000RU routers
TOTOLink N600R routers
TOTOLink A830R routers
Zyxel USG Flex 100(W) firewalls
MEGApix cameras
FLIR AX8 thermal sensor cameras
The botnet also uses four exploits that have not been assigned an identifier. Two of them target GPON and D-Link devices; at the moment there are no details about the other two.
After establishing its presence on the compromised device, Zerobot opens a WebSocket connection to the C2 server and sends some basic information about the victim.
The C2 may respond with one of the following commands:
Ping, to maintain the connection.
Launch an attack using one of several protocols.
Update Zerobot and restart it.
Scan for open ports and then spread via exploit or a Telnet cracker.
Disable scanning.
Run an OS command: cmd on Windows or bash on Linux.
Kill the botnet program.
An anti-kill module is designed to stop the process from being terminated.
Zerobot is mostly focused on launching DDoS attacks, but it could also be used to provide initial access to compromised devices.
The developer of Zerobot has improved it with string obfuscation, a copy file module, and several new exploits.