New Zerobot Variant Exploits Additional Vulnerabilities for Propagation


FortiGuard Labs is aware of a report that a new Zerobot variant is capable of propagating to other devices by exploiting known vulnerabilities. Zerobot was first reported in a blog released by Fortinet on December 06, 2022. Devices infected with Zerobot connect to a Command-and-Control (C2) server and can take part in DDoS attacks.

Why is this Significant?

This is significant because the new Zerobot variant was updated to exploit additional vulnerabilities for propagation. Since the previous variants of Zerobot were found only recently, the Zerobot developer is evidently putting constant effort into improving the malware. Because of this, patches should be applied to vulnerable devices as soon as possible.

What is Zerobot?

Zerobot is a Go-based malware recently discovered by Fortinet that runs on Linux and Windows platforms. Zerobot contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol.

While Zerobot can spread to other devices by exploiting vulnerabilities and performing brute-force attacks, the malware is reportedly unable to propagate to Windows machines. For more information on Zerobot, see the Appendix for a link to “Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities”.

What Vulnerabilities does Zerobot Exploit?

The following vulnerabilities are exploited by Zerobot.

Additional vulnerabilities exploited by the new Zerobot variant:

Vulnerability       Affected Product
CVE-2017-17105      Zivif PR115-204-P-RS
CVE-2019-10655      Grandstream
CVE-2020-25223      WebAdmin of Sophos SG UTM
CVE-2021-42013      Apache
CVE-2022-31137      Roxy-WI
CVE-2022-33891      Apache Spark
ZSL-2022-5717       MiniDVBLinux

Vulnerabilities exploited by the previously reported variant of Zerobot:

Vulnerability       Affected Product
CVE-2014-8361       miniigd SOAP service in Realtek SDK
CVE-2017-17106      Zivif PR115-204-P-RS V2.3.4.2103 Webcams
CVE-2017-17215      Huawei HG532 Router
CVE-2018-12613      phpMyAdmin
CVE-2020-10987      Tenda AC15 AC1900 Router
CVE-2020-25506      D-Link DNS-320 NAS
CVE-2021-35395      Realtek Jungle SDK
CVE-2021-36260      Hikvision product
CVE-2021-46422      Telesquare SDT-CW3B1 Router
CVE-2022-01388      F5 BIG-IP
CVE-2022-22965      Spring MVC or Spring WebFlux application (Spring4Shell)
CVE-2022-25075      TOTOLINK A3000RU Router
CVE-2022-26186      TOTOLINK N600R Router
CVE-2022-26210      TOTOLINK A830R Router
CVE-2022-30525      Zyxel USG FLEX 100(W) Firewall
CVE-2022-34538      Digital Watchdog DW MEGApix IP camera
CVE-2022-37061      FLIR AX8 thermal sensor cameras

Other vulnerabilities that may be associated with Zerobot:

Vulnerability       Affected Product
CVE-2016-20017      D-Link DSL-2750B
CVE-2018-10561      Dasan GPON
CVE-2018-20057      D-Link DIR-605L/DIR-619L
CVE-2020-7209       HP LinuxKI
CVE-2022-30023      Tenda ONT GPON AC1200 Dual band WiFi HG9
ZERO-36290

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage for the samples called out in the report:

W32/ZeroBot.A!tr
W64/ZeroBot.A!tr
ELF/Zerobot.A!tr
BASH/ZeroBot.A!tr.dldr
W32/Agent.JL!tr
Linux/Agent.SE!tr
W32/Malicious_Behavior.VEX
Malicious_Behavior.SB
W32/PossibleThreat
PossibleThreat

FortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Zerobot:

D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution (CVE-2014-8361)
D-Link.DSL-2750B.CLI.OS.Command.Injection (CVE-2016-20017)
Zivif.PR115-204-P-RS.Web.Cameras.Remote.Command.Injection (CVE-2017-17105)
Zivif.PR115-204-P-RS.Web.Cameras.Credentials.Disclosure (CVE-2017-17106)
Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)
Dasan.GPON.Remote.Code.Execution (CVE-2018-10561)
phpMyAdmin.Authenticated.db_sql.Directory.Traversal (CVE-2018-12613)
Grandstream.Devices.Invalid.Phonecookie.Command.Injection (CVE-2019-10655)
Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)
Sophos.SG.UTM.WebAdmin.PreAuth.Remote.Code.Execution (CVE-2020-25223)
D-Link.ShareCenter.Products.CGI.Code.Execution (CVE-2020-25506)
HP.LinuxKI.Kivis.PHP.Remote.Command.Injection (CVE-2020-7209)
Realtek.SDK.CVE-2021-35395.Buffer.Overflow (CVE-2021-35395)
Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)
Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-42013)
Spring.Framework.SerializationUtils.Insecure.Deserialization (CVE-2022-22965)
Totolink.Router.Main.Function.Query_String.Command.Injection (CVE-2022-25075)
Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26186)
Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26210)
ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)
Roxy-WI.options.API.Remote.Code.Injection (CVE-2022-31137)
Apache.Spark.getUnixGroups.Command.Injection (CVE-2022-33891)
Digital.Watchdog.MEGApix.IP.Camera.Addacph.Command.Injection (CVE-2022-34538)
FLIR.AX8.Thermal.Camera.Command.Injection (CVE-2022-37061)

All network IOCs are blocked by Webfiltering.
