The Zerobot DDoS botnet, first discovered earlier this month, has received significant updates in recently discovered samples. These updates expand its ability to target more Internet-connected devices and grow its botnet.
Zerobot now includes the capability to exploit seven more vulnerabilities, expanding its list of exploits to over 28. These include CVE-2021-42013 and CVE-2022-33891, vulnerabilities in Apache and Apache Spark, respectively, that can allow remote code execution on the vulnerable system. In addition to these new exploits, Zerobot can now brute-force open SSH and Telnet ports in an attempt to spread itself to more systems. Zerobot also incorporates seven new DDoS attack methods in order to target additional Internet-connected devices in its attacks. These new methods include the ability to use different protocols, including UDP and ICMP, to launch DDoS attacks against targets.
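The SSH brute-force spreading described above is one of the few Zerobot behaviours a defender can spot from ordinary host logs, so the following is an added detection example; it is not code from the article or from any Zerobot analysis. It parses sshd authentication lines in the default syslog format and flags any source address that produces a burst of failed logins within a short window, which is what automated credential guessing looks like regardless of which botnet drives it. The log lines are constructed sample data, the year is assumed (syslog timestamps omit it), and the threshold and window are assumptions to tune per environment. Telnet logins are not covered because Telnet services log inconsistently.

```python
"""Flag SSH brute-force sources from sshd auth log lines (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in the default syslog format. 198.51.100.23 sprays
# common default usernames in seconds; 203.0.113.7 is a normal user who typoed once.
SAMPLE_LOG = """\
Dec 20 10:00:01 host1 sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Dec 20 10:00:03 host1 sshd[1203]: Failed password for admin from 198.51.100.23 port 51030 ssh2
Dec 20 10:00:04 host1 sshd[1205]: Failed password for invalid user pi from 198.51.100.23 port 51041 ssh2
Dec 20 10:00:06 host1 sshd[1207]: Failed password for admin from 198.51.100.23 port 51055 ssh2
Dec 20 10:00:07 host1 sshd[1209]: Failed password for root from 198.51.100.23 port 51060 ssh2
Dec 20 10:00:09 host1 sshd[1211]: Failed password for ubnt from 198.51.100.23 port 51071 ssh2
Dec 20 10:03:15 host1 sshd[1230]: Failed password for alice from 203.0.113.7 port 40112 ssh2
Dec 20 10:03:40 host1 sshd[1232]: Accepted password for alice from 203.0.113.7 port 40118 ssh2
Dec 20 10:20:00 host1 sshd[1300]: Accepted publickey for deploy from 203.0.113.9 port 40200 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_lines(lines, year=2022):
    """Return (timestamp, source_ip, username, failed) tuples; year is assumed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Failed"))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Report source IPs whose failed logins exceed `threshold` within any
    `window_seconds` sliding window; returns {ip: {"failures": n, "usernames": [...]}}."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, failed in events:
        if failed:
            failures_by_ip[ip].append((ts, user))

    hits = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start, best_count, best_users = 0, 0, set()
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside window_seconds.
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_users = {u for _, u in fails[start : end + 1]}
        if best_count >= threshold:
            hits[ip] = {"failures": best_count, "usernames": sorted(best_users)}
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_lines(SAMPLE_LOG.splitlines())).items():
        print(f"brute-force suspected from {ip}: {info['failures']} failures, "
              f"usernames tried: {', '.join(info['usernames'])}")
```

The usernames tried are reported alongside the count because a spray across default accounts (root, admin, pi, ubnt) from one source is a stronger signal of automated spreading than repeated failures for a single legitimate account. On a real host, feed the script `/var/log/auth.log` or the `journalctl -u ssh` output, and pair the alert with the usual mitigations: key-only authentication, no SSH or Telnet exposed to the Internet, and patching the listed CVEs.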
Zerobot, also called ZeroStresser by its operators, is marketed as a DDoS-for-hire service that other criminal actors can purchase to use against whomever they want to target. The malware's rapid evolution over the past month shows the operators' intent to keep enticing threat actors into choosing their service over others by expanding its capabilities and features.