The threat landscape was introduced to a new botnet, dubbed Zerobot, that has been spreading via IoT vulnerabilities. This unique botnet is written in Golang and comes with multiple features that we will peruse in this article.
Diving into details
Zerobot targets multiple bugs in IoT devices to gain access and subsequently, download a script for further dissemination.
While the first version of Zerodol, used before November 24, had only basic capabilities, the latest one is capable of self-replication and compromising more endpoints using 21 exploits via the self-propagation module.
The exploits include flaws in Zyxel firewalls, TOTOLINK routers, F5 BIG-IP, Spring Framework, D-Link DNS-320 NAS, Hikvision cameras, and FLIR AX8 thermal imaging cameras, among others.
The botnet can target i386, amd64, arm, mips64le, mipsle, arm64, mips, mips64, ppc64, ppc64le, riscv64, and s390x CPU architectures.
Once communication is established with the C2 server—via the WebSocket Protocol—further instructions enable Zerobot to run arbitrary commands and launch attacks for various network protocols, including TCP, TLS, UDP, ICMP, and HTTP.
Why this matters
Within a very short span of time, Zerobot was enhanced with a copy file module, string obfuscation, and a propagation exploit module that makes it challenging to be detected while infecting a greater number of IoT devices.
The researchers have asserted that the threat is critical since remote attackers can gain access to vulnerable systems and its AntiKill module prevents victims from disrupting the Zerobot program.
The bottom line
This new botnet written in Go has been created to target a wide range of vulnerabilities in IoT devices. With its unique capabilities and advanced stealth mode, it can infect a higher number of devices without being detected by most of the security protocols out there. Therefore, it is recommended that you patch any systems that require patching and start actively applying them as soon as they arrive.