A new Go-based malware dubbed “Zerobot” has been spotted in the wild exploiting 21 vulnerabilities across a variety of device types, including F5 BIG-IP and Zyxel firewalls, Totolink and D-Link routers, and Hikvision network cameras.
The current purpose of the malware appears to be building a DDoS botnet that launches attacks against operator-specified targets. Zerobot can scan the network of the infected device and self-propagate to other devices, growing its botnet automatically. It does this either by brute-forcing SSH/Telnet credentials or by using one of the 21 exploits it currently supports, which cover a wide array of network and IoT devices and are attempted against any matching device it discovers on the network.
Alongside the DDoS capability, Zerobot can also run commands on the infected device, which could allow it to serve as an initial access foothold into an environment. It also includes an aggressive anti-kill module that makes a running infected process difficult to terminate. Since its initial discovery in mid-November there have been multiple updates to the malware, indicating that it is under active development.
Analyst Notes
It is highly recommended to make sure that all Internet-exposed devices, including network and IoT devices, are up to date on patching. Zerobot's main infection vector is using one of the 21 exploits it supports to compromise an Internet-accessible device and then propagating within the network from there, so keeping every device patched greatly reduces the attack surface it can use to get into an environment. It is also recommended to use strong authentication for any device that must expose SSH to the Internet: exclusively allow public-key authentication or, where that is not possible, enforce very strong passwords for every account with SSH access configured.
Zerobot also exhibits behaviors during infection and initial access that should be treated as suspicious: a process copying itself to the Windows “Startup” folder for persistence, network scanning activity originating from a system that does not normally scan, and an abnormal process running suspicious built-in commands. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
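The two host-side behaviors called out above, a source fanning out to many peers on one port (propagation scanning) and an executable being written into the Windows Startup folder (persistence), can be turned into simple detections. The script below is an added example written for this note; it is not code from Binary Defense, Fortinet or the Zerobot authors. The pipe-delimited event format, the sample telemetry, the host and process names, the 60-second window and the fan-out threshold of 10 are all constructed assumptions for illustration and would be tuned to a real environment.

```python
"""Toy detections for two Zerobot-style behaviours: a host contacting many
distinct peers on one port inside a short window (self-propagation scanning)
and a process dropping an executable into a Windows Startup folder.
Event format, thresholds and all sample data are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): firewall connection records
# and endpoint file-create events, one per line as
#   timestamp|kind|key=value|key=value...
SAMPLE_EVENTS = r"""
2022-12-07T10:00:00|conn|src=10.0.5.23|dst=10.0.5.1|dport=22
2022-12-07T10:00:01|conn|src=10.0.5.23|dst=10.0.5.2|dport=23
2022-12-07T10:00:01|conn|src=10.0.5.23|dst=10.0.5.3|dport=23
2022-12-07T10:00:02|conn|src=10.0.5.23|dst=10.0.5.4|dport=23
2022-12-07T10:00:02|conn|src=10.0.5.23|dst=10.0.5.5|dport=23
2022-12-07T10:00:03|conn|src=10.0.5.23|dst=10.0.5.6|dport=23
2022-12-07T10:00:03|conn|src=10.0.5.23|dst=10.0.5.7|dport=23
2022-12-07T10:00:04|conn|src=10.0.5.23|dst=10.0.5.8|dport=23
2022-12-07T10:00:04|conn|src=10.0.5.23|dst=10.0.5.9|dport=23
2022-12-07T10:00:05|conn|src=10.0.5.23|dst=10.0.5.10|dport=23
2022-12-07T10:00:05|conn|src=10.0.5.23|dst=10.0.5.11|dport=23
2022-12-07T10:00:06|conn|src=10.0.5.40|dst=10.0.5.200|dport=443
2022-12-07T10:00:07|conn|src=10.0.5.40|dst=10.0.5.201|dport=443
2022-12-07T10:00:30|file|host=WS-0042|proc=tmp_dl.exe|path=C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc_update.exe
2022-12-07T10:00:31|file|host=WS-0042|proc=winword.exe|path=C:\Users\bob\Documents\notes.docx
"""

SCAN_WINDOW = timedelta(seconds=60)   # assumed window
SCAN_FANOUT = 10                      # assumed distinct-destination threshold

# Per-user (AppData\Roaming) and all-users (ProgramData) Startup folders both
# end with this path; only executable-ish extensions are flagged.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+"
    r"\.(exe|dll|bat|cmd|vbs|ps1|lnk)$",
    re.IGNORECASE,
)


def parse(text):
    """Turn the constructed pipe-delimited lines into (timestamp, kind, fields)."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, *kv = line.split("|")
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def detect_fanout_scans(events, window=SCAN_WINDOW, threshold=SCAN_FANOUT):
    """Return {(src, dport): max distinct destinations} for every source that
    reached at least `threshold` distinct hosts on one port within `window`."""
    conns = sorted((ts, f["src"], f["dport"], f["dst"])
                   for ts, kind, f in events if kind == "conn")
    by_key = defaultdict(list)
    for ts, src, dport, dst in conns:
        by_key[(src, dport)].append((ts, dst))
    hits = {}
    for key, seq in by_key.items():
        start = 0
        # Sliding time window over the time-ordered connections for this key.
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            distinct = {dst for _, dst in seq[start:end + 1]}
            if len(distinct) >= threshold:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


def detect_startup_drops(events):
    """Return (host, writing process, path) for executables written into a
    Windows Startup folder, the persistence behaviour described above."""
    return [(f["host"], f["proc"], f["path"])
            for _, kind, f in events
            if kind == "file" and STARTUP_RE.search(f["path"])]


def run(text=SAMPLE_EVENTS):
    events = parse(text)
    return {"scans": detect_fanout_scans(events),
            "startup_drops": detect_startup_drops(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On the sample data the scan detection fires only for 10.0.5.23 on port 23 (ten distinct destinations in five seconds), not for the single SSH connection or for 10.0.5.40's two HTTPS connections, and the Startup-folder check flags the executable drop but not the document write. In production the thresholds would be set from a baseline of which systems legitimately scan (vulnerability scanners, monitoring hosts) and those sources allow-listed.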
https://www.bleepingcomputer.com/news/security/new-zerobot-malware-has-21-exploits-for-big-ip-zyxel-d-link-devices/
https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities