A new Go-based malware dubbed “Zerobot” has been spotted in the wild exploiting over two dozen vulnerabilities across a variety of device types. These devices include firewalls from F5, BIG-IP, and Zyxel, Totolink and D-Link routers, and Hikvision network cameras.
The current purpose of the malware appears to be to set up a DDoS botnet to launch attacks against specified targets. Zerobot can scan the network of the infected device and self-propagate to other devices, increasing the size of its botnet in an automated fashion. It does this by brute-forcing SSH/Telnet credentials or by using one of many exploits. Zerobot currently supports 21 exploits across a wide array of network and IoT devices, which it will attempt to use upon discovering such a device in the network.
Alongside the DDoS capability, Zerobot can also run commands on the infected device, potentially allowing it to be used for initial access into an environment. It also includes an aggressive anti-kill module, making it difficult to terminate a running infected process. Since its initial discovery in mid-November, the malware has received many updates, indicating that it is under active development.