FortiGuard Labs discovered a special botnet named Zerobot that was seen in the field spreading by exploiting nearly twenty security flaws in IoT devices or other programs.
Prior to downloading a script for further propagation, Zerobot targets multiple vulnerabilities to obtain access to a device. Zerobot targets several different architectures, such as i386, amd64, arm, mips, mips64, mipsle, ppc64, ppc64le, riscv64, and s390x. Zero is the filename used to save the bot.
On November 18, 2022, the malware made its first public appearance, mostly affecting Windows and Linux-powered computers.
Prior to November 24, the first one was simply equipped with the most fundamental features. The newest version now has a 'selfRepo' module that allows it to replicate itself or infect more endpoints using various protocols or security holes.
The bot connects the remote command-and-control (C2) server after infecting the machine and waits for further instructions. There are 21 exploits in Zerobot.This includes flaws affecting, Spring Framework, D-Link DNS-320 NAS, Hikvision cameras, FLIR AX8 thermal imaging cameras, Zyxel firewalls, TOTOLINK routers, and F5 BIG-IP.
"The botnet includes a variety of modules, including assaults for various protocols, self-replication, and self-propagation. This also uses the WebSocket protocol to connect with its command-and-control server." Researcher Cara Lin from Fortinet FortiGuard Labs remarked.
The Go programming language was used to create the new botnet Zerobot. The WebSocket protocol is used for communication. Users should be alert to this new danger, update any compromised systems connected to their network, and aggressively deploy updates as soon as they become available.
