A new botnet malware named Zerobot has been detected spreading through security vulnerabilities in IoT devices. Written in Go (Golang), Zerobot exploits multiple vulnerabilities found in IoT devices to gain access to targeted systems and spread further.
Vulnerabilities exploited to deploy Zerobot include bugs in Zyxel firewalls, TOTOLINK routers, F5 BIG-IP, Spring Framework, D-Link DNS-320 NAS, Hikvision cameras, and FLIR AX8 thermal imaging cameras. The botnet has also been observed targeting the i386, amd64, arm, mips64le, mipsle, arm64, mips, mips64, ppc64, ppc64le, riscv64 and s390x CPU architectures. After Zerobot communicates with its command and control (C2) server over the WebSocket protocol, additional instructions allow it to execute arbitrary commands and launch attacks over various network protocols, including TCP, TLS, UDP, ICMP, and HTTP.
Zerobot includes a propagation exploit module that makes it harder to detect as it infects more IoT devices. It has been identified as a critical threat because it can gain unauthorized access to vulnerable systems and, through its AntiKill module, prevent targets from stopping the Zerobot program.
To avoid becoming the target of attacks carried out using Zerobot, it is recommended to keep the systems and programs in use updated to their most recent versions and to block the shared IoCs related to the botnet in the security solutions in use.