Let's go back to Zerobot, which was originally reported by Fortinet two weeks ago.

The Internet of Things (IoT) botnet is a self-replicating and self-propagating malware written in the Golang (Go) language and aimed at more than twelve architectures, with a wide range of distributed DDoS capabilities.

 
Microsoft has published its own analysis of Zerobot, warning that the malware has been updated with additional features, including exploits for two vulnerabilities in Apache and Apache Spark, tracked as CVE-2021-42013 and CVE-2022-33891, respectively.

It is known that the server-side request forgery (SSRF) bug fixed in October 2021, CVE-2021-42013, was also used in other botnets, including Enemybot DDoS.

In addition to the previously discovered exploits, the Zerobot sample analyzed by Microsoft also includes exploits for CVE-2017-17105 (Zivif PR115-204-P-RS), CVE-2019-10655 (Grandstream), CVE-2020-25223 (Sophos SG UTM), CVE-2022-31137 (Roxy-WI) and ZSL-2022-5717 (MiniDVBLinux).

After Zerobot 1.1 was released, malware operators eliminated CVE-2018-12613, a phpMyAdmin vulnerability that could allow attackers to view or execute files.

At the same time, the researchers also found new evidence that Zerobot is spreading by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

After the device is compromised, Zerobot implements a script to launch botnet malware (or a script to determine the architecture of the device and obtain the corresponding binary file), ensuring stability.

The threat does not target Windows computers, but Microsoft says it has discovered Zerobot samples that can run in a Windows environment.

The updated version of Zerobot contains several new features for launching DDoS attacks using UDP, ICMP, TCP, SYN, ACK and SYN-ACK protocols.

Zerobot can also scan the Internet for additional devices for infection. This feature allows it to scan sets of randomly generated IP addresses, trying to identify the bait IP addresses.

Microsoft has also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open source remote administration tool (RAT) with various functions such as process management, file operations, taking screenshots and executing commands.