Zerobot: The Go-Powered Malware Exploiting Multiple Vulnerabilities

A novel Go-based botnet called Zerobot has been discovered in the wild exploiting security vulnerabilities in internet of things (IoT) devices and other software. It takes advantage of nearly two dozen vulnerabilities to proliferate, targeting a wide range of devices.

According to Fortinet FortiGuard Labs researcher Cara Lin, the botnet contains several modules for self-replication, attacking different protocols, and self-propagation. It also uses the WebSocket protocol to communicate with its command-and-control server. Because of these features, the malware can spread quickly and carry out a wide range of malicious actions.

The campaign began on November 18, 2022, targeting Linux operating systems to take control of vulnerable devices.

Zerobot is named after the propagation script it uses to retrieve the malicious payload once it gains access to a host; the payload fetched depends on the microarchitecture of the compromised host (e.g., “zero.arm64”).

The Zerobot malware targets a wide range of CPU architectures, including i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. Any host running one of these architectures can be infected.
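As an added example that is not part of the original article or of Fortinet's analysis, the following Python script turns the naming scheme and architecture list above into a detection check over web-server access logs: it flags any source that requests a `zero.<arch>` payload for one of the listed architectures, and groups the architectures seen per source, since one host pulling several variants is characteristic of a propagation script. The combined-log format, the sample addresses and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict

# Architectures the article lists as Zerobot build targets; the propagation
# script fetches a payload named "zero.<arch>" for the host it lands on.
ZEROBOT_ARCHS = {
    "i386", "amd64", "arm", "arm64", "mips", "mips64", "mips64le", "mipsle",
    "ppc64", "ppc64le", "riscv64", "s390x",
}

# Constructed sample lines in Apache/nginx combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2022:10:01:02 +0000] "GET /zero.arm64 HTTP/1.1" 200 1812496 "-" "Wget"
203.0.113.7 - - [18/Nov/2022:10:01:03 +0000] "GET /zero.mipsle HTTP/1.1" 200 1703912 "-" "Wget"
198.51.100.4 - - [18/Nov/2022:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Nov/2022:10:02:11 +0000] "GET /zero.s390x HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.9 - - [18/Nov/2022:10:03:00 +0000] "GET /zero.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0"
"""

# Source address, method and request path from a combined-log line.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def payload_arch(path):
    """Return the architecture suffix if the last path component is
    zero.<arch> for a known Zerobot architecture, otherwise None."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if name.startswith("zero."):
        arch = name[len("zero."):]
        if arch in ZEROBOT_ARCHS:
            return arch
    return None


def find_zerobot_fetches(log_text):
    """Map each source address to the sorted list of Zerobot payload
    architectures it requested. The HTTP status is ignored on purpose:
    a failed fetch attempt is still worth alerting on."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        arch = payload_arch(m.group("path"))
        if arch:
            hits[m.group("src")].add(arch)
    return {src: sorted(archs) for src, archs in hits.items()}


if __name__ == "__main__":
    for src, archs in find_zerobot_fetches(SAMPLE_LOG).items():
        print(f"{src} requested Zerobot payloads for: {', '.join(archs)}")
```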

To date, two versions of Zerobot have been spotted. The first version has basic functions and was used before November 24, 2022. The second version, an updated variant with a “selfRepo” module, is more advanced and dangerous: it includes a self-propagating module that allows it to breach devices using 21 exploits.

21 Exploit list in Zerobot

The two exploits named “ZERO_xxxxx” at the top of Figure 12 were collected from the website “0day.today” (Figure 14). This site shares numerous exploits for “educational” purposes. The numbers “36290” and “32960” are the identifiers assigned by that website.

The 21 exploits include security vulnerabilities affecting TOTOLINK routers, Zyxel firewalls, F5 BIG-IP, Hikvision cameras, FLIR AX8 thermal cameras, D-Link DNS-320 network attached storage devices, and Spring Framework, among others.

“Within a very short time, it was updated with string obfuscation, a copy file module, and a propagation exploit module that make[s] it harder to detect and gives it a higher capability to infect more devices,” Lin said.


Once installed on a compromised device, Zerobot connects to a remote command-and-control (C2) server and awaits further instructions. This allows the operator to run arbitrary commands and launch attacks using various network protocols, including TCP, UDP, TLS, HTTP, and ICMP.

Users should be aware of this threat and apply patches to any affected systems on their network as they become available.
