Cert-In - Home Page

VIRUS ALERTS

Zerobot)

Original Issue Date:December 12,2022

Virus Type: Malware Botnet

It has been observed that a newly surfaced malware botnet named "Zerobot" written in Google's open-source programming language Golang, is targeting vulnerabilities in the variety of devices including application delivery services, firewalls, routers and DVR/cameras etc. Zerobot incorporates exploits for 21 vulnerabilities and uses them to gain access to the device, downloads script named "zero," which could allow itself to self-propagate. The malware is at modification phase and has been recently updated with string obfuscation, copy file module and propagation exploit module that make it harder to detect and gives it a higher capability to infect more devices. It may allow remote attackers to gain access of vulnerable systems and its Anti-Kill module prevents victims from disrupting the Zerobot program.

Infection Mechanism: The new Golang-based malware botnet is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. Zerobot targets several vulnerabilities to gain access to a device and then downloads a script for further propagation. Zerobot gets its name from a propagation script that"s used to retrieve the malicious payload after gaining access to a host depending on its microarchitecture implementation (e.g., "zero.arm64").

Zerobot, upon initialization in the compromised machine, establishes contact with a remote command-and-control (C2) server and awaits further instructions that allow it to run arbitrary commands and launch DDoS attacks for different network protocols like TCP, UDP, TLS, HTTP, and ICMP. Zerobot includes 21 exploits. In addition to some IoT vulnerabilities, it includes Spring4Shell, phpAdmin, F5 Big, etc., to increase its success rate. The malware also uses an "anti-kill" module designed to prevent terminating or killing its process.

Zerobot uses the following exploits to breach its targets:

CVE-2014-08361: miniigd SOAP service in Realtek SDK
CVE-2017-17106: Zivif PR115-204-P-RS webcams
CVE-2017-17215: Huawei HG523 router
CVE-2018-12613: phpMyAdmin
CVE-2020-10987: Tenda AC15 AC1900 router
CVE-2020-25506: D-Link DNS-320 NAS
CVE-2021-35395: Realtek Jungle SDK
CVE-2021-36260: Hikvision product
CVE-2021-46422: Telesquare SDT-CW3B1 router
CVE-2022-01388: F5 BIG-IP
CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
CVE-2022-25075: TOTOLink A3000RU router
CVE-2022-26186: TOTOLink N600R router
CVE-2022-26210: TOTOLink A830R router
CVE-2022-30525: Zyxel USG Flex 100(W) firewall
CVE-2022-34538: MEGApix IP cameras
CVE-2022-37061: FLIX AX8 thermal sensor cameras

Indicators of Infection

Hashes:

C2:

176[.]65[.]137[.]5

Files:

7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc
df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722
cd9bd2a6b3678b61f10bb6415fb37ea6b9934b9ec8bb15c39c543fd32e9be7bb
50d6c5351c6476ea53e3c0d850de47059db3827b9c4a6ab4d083dfffcbde3579
7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e8099774a320eaed39
2955dc2aec431e5db18ce8e20f2de565c6c1fb4779e73d38224437ac6a48a564
191ce97483781a2ea6325f5ffe092a0e975d612b4e1394ead683577f7857592f
447f9ed6698f46d55d4671a30cf42303e0bd63fe8d09d14c730c5627f173174d
e0766dcad977a0d8d0e6f3f58254b98098d6a97766ddac30b97d11c1c341f005
6c284131a2f94659b254ac646050bc9a8104a15c8d5482877d615d874279b822
5af002f187ec661f5d274149975ddc43c9f20edd6af8e42b6626636549d2b203
74f8a26eb324e65d1b71df9d0ed7b7587e99d85713c9d17c74318966f0bead0a
9c16171d65935817afd6ba7ec85cd0931b4a1c3bafb2d96a897735ab8e80fd45
b1d67f1cff723eda506a0a52102b261769da4eaf0551b10926c7c79a658061fd
f0bb312eacde86d533c922b87e47b8536e819d7569baaec82b9a407c68084280
2460434dabafe5a5dde0cce26b67f0230dbcd0d0ab5fabad1a1dbc289dc6432f
2af33e1ff76a30eb83de18758380f113658d298690a436d817bd7e20df52df91
4483c4f07e651ce8218216dd5c655622ff323bf3cdfe405ffeb69eafa75efad5
7c085185f6754aef7824c201d8443300ff2b104521d82f9a8b8feb5d4c8d3191
6ac49092ee1bdd55ddbf57df829f20aac750597d85b5904bb7bafa5b51fbb44d
f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f
6dd71163b6ab81a35ce373875a688ad9b31e0d1c292f02e8b2bafa7b3d1e3731
d88e9248ff4c983aa9ae2e77cf79cb4efc833c947ec2d274983e45c41bbe47e1
96bbb269fd080fedd01679ea82156005a16724b3cde1eb650a804fa31f18524e
439b2e500e82c96d30e1ef8a7918e1f864e6d706d944aeddffe61b8bf81ef6d3
af48b072d0070fa09bca0868848b62df5228c34ef24d233d8eb75a1fde8ac23f
5824fc51fcfba1a6315fd21422559d63c56f0e2192937085d65f9a0ac770eb3a
c9ea4cda12c14c895e23988229831b8f04ccab315c1cbc76a9efae888be55a3b
e2c2a0cccefc4314c110f3c0b887e5008073e607c61e1adde5000efb8e630d50

Best practices and remedial measures:

It is recommended to keep the software up to date with latest security updates
Install the latest firmware and use a properly configured firewall.
Ensure minimal exposure to the Internet on Linux servers and IoT devices Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
It is advised to carry out timely patching of internet-connected devices to avoid becoming a victim of Zerobot

Additional measures for securing IOT devices:

Restrict Web Management Interface access of IoT devices to authorized users only and change default username/passwords

Always change Default login credentials before deployment in production.

Change default credentials at device startup and ensure that passwords meet the minimum complexity.

Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required

Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network with a secured Wi-Fi router

Control access to the devices with Access List

Configure devices to "lock" or log out and require a user to re-authenticate if left unattended

Implement account lockout policies to reduce the risk of brute forcing attacks

Identify systems with default passwords and implement abovementioned measures. Some the systems that need to examined are Routers, switches, web applications and administrative web interfaces, ICS systems, Telnet and SSH interfaces

Telnet and SSH should be disabled on device if there is no requirement of remote management

Configure VPN and SSH to access device if remote access is required.

Configure certificate based authentication for telnet client for remote management of devices

Implement Egress and Ingress filtering at router level.

Report suspicious entries in Routers to your Internet Service Provider/CERT-In

Keep up to date Antivirus on the computer system.

Keep up-to-date on patches and fixes on the IoT devices, operating system and applications.

Unnecessary port and services should be stopped and closed.

Logging must be enabled on the device to log all the activities.

Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.

References

https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
https://thehackernews.com/2022/12/new-go-based-zerobot-botnet-exploiting.html
https://www.bleepingcomputer.com/news/security/new-zerobot-malware-has-21-exploits-for-big-ip-zyxel-d-link-devices/
https://cyware.com/news/new-zerobot-botnet-abuses-iot-vulnerabilities-57aca371/?web_view=true
https://www.csk.gov.in/alerts/Zerobot.html

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email:info@cert-in.org.in Phone: +91-11-24368572

Postal Address

Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India

VIRUS ALERTS Zerobot)

VIRUS ALERTS

Zerobot)