Zerobot malware now shooting for Apache systems

The Zerobot botnet, first detected earlier this month, is expanding the types of Internet of Things (IoT) devices it can compromise by going after Apache systems.

The botnet, written in the Go programming language, is being sold as the malware-as-a-service (MaaS) model and spreads through vulnerabilities in IoT devices and web applications, according to the Microsoft Security Threat Intelligence (MSTIC) team in a report released on Wednesday.

Zerobot was first reported on in early December by researchers at Fortinet's FortiGuard Labs, who said the botnet was targeting Linux devices. Like typical botnets, the goal is to compromise internet-connected devices like firewalls, routers, and cameras and pull them into a botnet to launch DDoS attacks.

MSTIC's report this week builds off FortiGuard's initial findings by detailing advancements in the botnet's latest iteration.

"Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware's reach to different types of devices," MSTIC researchers wrote.

They wrote that Zerobot – which also known by its operators as ZeroStresser and is tracked by Microsoft as DEV-1061 – uses multiple modules to infect vulnerable devices that are based on a range of architectures and operating systems. But the latest upgrade is going after Apache and Apache Spark systems.

Zerobot 1.1 can now exploit vulnerabilities in Apache (CVE-2021-42013) and Apache Spark (CVE=2022-33891), according to MSTIC. There also are other vulnerabilities in the MiniDVBLinux DVR systems, Grandstream networking systems, and Roxy-WI GUI.

The botnet exploits vulnerabilities on unpatched or badly secured devices and in some cases will use brute-force techniques on vulnerable devices that include insecure configurations that use default or weak credentials, the researchers wrote.

"The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices," they wrote, adding that there also have been attempts to open ports and connect to them via port-knocking on ports 80, 8080, 8888, and 2323.

• Godfather malware makes banking apps an offer they can't refuse
• Malicious PyPI package found posing as a SentinelOne SDK
• Cisco's Talos security bods predict new wave of Excel Hell
• Microsoft reports macOS Gatekeeper has an 'Achilles' heel

In addition, the malware can spread to devices by exploiting vulnerabilities that aren't included in its binary, such as CVE-2022-30023, a command injection vulnerability in GPON AC1200 routers from Tenda.

The botnet drops a malicious payload that is either a generic script called zero.sh to execute Zerobot or a script that downloads the Zerobot binary of a specific architecture by brute force.

One ZeroStresser domain associated with Zerobot was among almost 50 domains seized by the FBI earlier this monthy for launching DDoS attacks around the world.

IoT devices are powered by a range of CPU architectures, from x86 to Arm to MIPs. Zerobot keeps hammering away with binaries until it finds the right one.

The malware also has different persistence techniques depending on the operating system. It can't spread to Windows systems, but the researchers wrote that they've found samples that can run on Windows and spared via the Startup folder. On Linux-based systems, it uses a combination of desktop entry, daemon, and service configurations.

The Windows samples are based on an open-source cross-platform – Windows, Linux, and macOS – malware.

Zerobot was known to have nine different methods of launching DDoS attacks and the MSTIC researchers found seven more, including UDP and TCP packets with customizable payloads and sending SYN (synchronize) or ACK (acknowledgement) packets either individually or combined.

The MSTIC researchers said the operators behind Zerobot are using it as part of a MaaS scheme and that it has been updated several times since Microsoft began tracking it.

"We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development," they wrote. ®