December 22, 2022

Editor’s note: the Zerobot malware described in this article is in no way associated with the company ZeroBot.ai, a firm which offers a voice chatbot powered by OpenAI’s technology. 

According to Microsoft security researchers who have been monitoring Zerobot for months, operators are constantly adding new exploits and capabilities to Zerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities.

The Zerobot botnet has recently been updated to target vulnerable Apache web servers. Since November 2022, Zerobot developers have been deploying new versions of malware capable of attacking other types of devices such as firewalls, routers, and cameras.

The malware infects a wide range of devices, including firewalls, routers, and cameras, and adds infected devices to a distributed denial of service (DDoS) botnet. It can also exploit Apache and Apache Spark vulnerabilities (CVE-2021-42013 and CVE-2022-33891, respectively), as well as new DDoS attack capabilities.

The Microsoft Defender for IoT research team shared details about the latest version of the malware, Zerobot 1.1, including newly discovered capabilities, in a blog post. According to the report, Zerobot can spread via brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials.

To spread to devices, it may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323. In addition to brute force attacks on devices, Zerobot exploits dozens of vulnerabilities that malware operators update on a regular basis in order to gain access and inject malicious payloads.

The sources for this piece include an article in BleepingComputer.