FortiGuard Labs is aware of a report that a new Zerobot variant is capable of propagating to other devices by exploiting known vulnerabilities. Zerobot was first reported in a blog released by Fortinet on December 06, 2022. Devices infected with Zerobot connect to a Command-and-Control (C2) server and can take part in DDoS attacks.

Why is this Significant?

This is significant because the new Zerobot variant was updated to exploit additional vulnerabilities for propagation. Since the previous variants of Zerobot were found only recently, the Zerobot developer is evidently putting constant effort into improving the malware. For this reason, patches should be applied to vulnerable devices as soon as possible.

What is Zerobot?

Zerobot is a Go-based malware recently discovered by Fortinet that runs on Linux and Windows platforms. Zerobot contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol.

While Zerobot can spread to other devices by exploiting vulnerabilities and performing brute-force attacks, the malware is reportedly unable to propagate to Windows machines. For more information on Zerobot, see the Appendix for a link to "Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities".

What Vulnerabilities does Zerobot Exploit?

The following vulnerabilities are exploited by Zerobot.

Additional vulnerabilities exploited by the new Zerobot variant:
Vulnerability     Affected Product
CVE-2017-17105    Zivif PR115-204-P-RS
CVE-2019-10655    Grandstream
CVE-2020-25223    WebAdmin of Sophos SG UTM
CVE-2021-42013    Apache
CVE-2022-31137    Roxy-WI
CVE-2022-33891    Apache Spark
ZSL-2022-5717     MiniDVBLinux
Vulnerabilities exploited by the previously reported variant of Zerobot:

Vulnerability     Affected Product
CVE-2014-8361     miniigd SOAP service in Realtek SDK
CVE-2017-17106    Zivif PR115-204-P-RS V2.3.4.2103 Webcams
CVE-2017-17215    Huawei HG532 Router
CVE-2018-12613    phpMyAdmin
CVE-2020-10987    Tenda AC15 AC1900 Router
CVE-2020-25506    D-Link DNS-320 NAS
CVE-2021-35395    Realtek Jungle SDK
CVE-2021-36260    Hikvision product
CVE-2021-46422    Telesquare SDT-CW3B1 Router
CVE-2022-1388     F5 BIG-IP
CVE-2022-22965    Spring MVC or Spring WebFlux application (Spring4Shell)
CVE-2022-25075    TOTOLink A3000RU Router
CVE-2022-26186    TOTOLINK N600R Router
CVE-2022-26210    Totolink A830R Router
CVE-2022-30525    Zyxel USG FLEX 100(W) Firewall
CVE-2022-34538    Digital Watchdog DW MEGApix IP camera
CVE-2022-37061    FLIR AX8 thermal sensor cameras
Other vulnerabilities that may be associated with Zerobot:
Vulnerability     Affected Product
CVE-2016-20017    D-Link DSL-2750B
CVE-2018-10561    Dasan GPON
CVE-2018-20057    D-Link DIR-605L/DIR-619L
CVE-2020-7209     HP LinuxKI
CVE-2022-30023    Tenda ONT GPON AC1200 Dual band WiFi HG9
ZERO-36290
What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage for the samples called out in the report:

W32/ZeroBot.A!tr
W64/ZeroBot.A!tr
ELF/Zerobot.A!tr
BASH/ZeroBot.A!tr.dldr
W32/Agent.JL!tr
Linux/Agent.SE!tr
W32/Malicious_Behavior.VEX
Malicious_Behavior.SB
W32/PossibleThreat
PossibleThreat

FortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Zerobot:

D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution (CVE-2014-8361)
D-Link.DSL-2750B.CLI.OS.Command.Injection (CVE-2016-20017)
Zivif.PR115-204-P-RS.Web.Cameras.Remote.Command.Injection (CVE-2017-17105)
Zivif.PR115-204-P-RS.Web.Cameras.Credentials.Disclosure (CVE-2017-17106)
Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)
Dasan.GPON.Remote.Code.Execution (CVE-2018-10561)
phpMyAdmin.Authenticated.db_sql.Directory.Traversal (CVE-2018-12613)
Grandstream.Devices.Invalid.Phonecookie.Command.Injection (CVE-2019-10655)
Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)
Sophos.SG.UTM.WebAdmin.PreAuth.Remote.Code.Execution (CVE-2020-25223)
D-Link.ShareCenter.Products.CGI.Code.Execution (CVE-2020-25506)
HP.LinuxKI.Kivis.PHP.Remote.Command.Injection (CVE-2020-7209)
Realtek.SDK.CVE-2021-35395.Buffer.Overflow (CVE-2021-35395)
Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)
Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-42013)
Spring.Framework.SerializationUtils.Insecure.Deserialization (CVE-2022-22965)
Totolink.Router.Main.Function.Query_String.Command.Injection (CVE-2022-25075)
Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26186)
Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26210)
ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)
Roxy-WI.options.API.Remote.Code.Injection (CVE-2022-31137)
Apache.Spark.getUnixGroups.Command.Injection (CVE-2022-33891)
Digital.Watchdog.MEGApix.IP.Camera.Addacph.Command.Injection (CVE-2022-34538)
FLIR.AX8.Thermal.Camera.Command.Injection (CVE-2022-37061)

All network IOCs are blocked by Web Filtering.