New Zerobot Variant Exploits Additional Vulnerabilities for Propagation

Description

FortiGuard Labs is aware of a report that a new Zerobot variant is capable of propagating to other devices by exploiting known vulnerabilities. Zerobot was first reported in a blog released by Fortinet on December 06, 2022. Devices infected with Zerobot connect to Command-and-Control C2) server and can take part in DDoS attacks.


Why is this Significant?

This is significant because a new Zerobot variant was updated to exploit additional vulnerabilities for propagation. Since previous variants of Zerobot were recently found, Zerobot developer is currently putting constant effort to improve malware. Because of this - patches should be applied to vulnerable devices as soon as possible.


What is Zerobot?

Zerobot is a Go-based malware recently discovered by Fortinet that runs on Linux and Windows platforms. Zerobot contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol.


While Zerobot can spread to other devices by exploiting vulnerabilities and performing brute-force attacks, the malware is reportedly unable to propagate to Windows machines.


For more information on Zerobot, see the Appendix for a link to "Zerobot - New Go-Based Botnet Campaign Targets Multiple Vulnerabilities".


What Vulnerabilities does Zerobot Exploit?


The following vulnerabilities are exploited by Zerobot.

Additional vulnerabilities exploited by a new Zerobot variant:


Vulnerability

Affected Product

CVE-2017-17105

Zivif PR115-204-P-RS

CVE-2019-10655

Grandstream

CVE-2020-25223

WebAdmin of Sophos SG UTM

CVE-2021-42013

Apache

CVE-2022-31137

Roxy-WI

CVE-2022-33891

Apache Spark

ZSL-2022-5717

MiniDVBLinux


Vulnerabilities exploited by previously reported variant of Zerobot

Vulnerability

Affected Product

CVE-2014-8361

miniigd SOAP service in Realtek SDK

CVE-2017-17106

Zivif PR115-204-P-RS V2.3.4.2103 Webcams

CVE-2017-17215

Huawei HG532 Router

CVE-2018-12613

phpMyAdmin

CVE-2020-10987

Tenda AC15 AC1900 Router

CVE-2020-25506

D-Link DNS-320 NAS

CVE-2021-35395

Realtek Jungle SDK

CVE-2021-36260

Hikvision product

CVE-2021-46422

Telesquare SDT-CW3B1 Router

CVE-2022-01388

F5 BIG-IP

CVE-2022-22965

Spring MVC or Spring WebFlux application (Spring4Shell)

CVE-2022-25075

TOTOLink A3000RU Router

CVE-2022-26186

TOTOLINK N600R Router

CVE-2022-26210

Totolink A830R Router

CVE-2022-30525

Zyxel USG FLEX 100(W) Firewall

CVE-2022-34538

Digital Watchdog DW MEGApix IP camera

CVE-2022-37061

FLIR AX8 thermal sensor cameras


Other vulnerabilities that may be associated with Zerobot:

Vulnerability

Affected Product

CVE-2016-20017

D-Link DSL-2750B

CVE-2018-10561

Dasan GPON

CVE-2018-20057

D-Link DIR-605L/DIR-619L

CVE-2020-7209

HP LinuxKI

CVE-2022-30023

Tenda ONT GPON AC1200 Dual band WiFi HG9

ZERO-36290


What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage for the samples called out in the report:

  • W32/ZeroBot.A!tr
  • W64/ZeroBot.A!tr
  • ELF/Zerobot.A!tr
  • BASH/ZeroBot.A!tr.dldr
  • W32/Agent.JL!tr
  • Linux/Agent.SE!tr
  • W32/Malicious_Behavior.VEX
  • Malicious_Behavior.SB
  • W32/PossibleThreat
  • PossibleThreat

FortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Zerobot:

  • D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution (CVE-2014-8361)
  • D-Link.DSL-2750B.CLI.OS.Command.Injection (CVE-2016-20017)
  • Zivif.PR115-204-P-RS.Web.Cameras.Remote.Command.Injection (CVE-2017-17105)
  • Zivif.PR115-204-P-RS.Web.Cameras.Credentials.Disclosure (CVE-2017-17106)
  • Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)
  • Dasan.GPON.Remote.Code.Execution (CVE-2018-10561)
  • phpMyAdmin.Authenticated.db_sql.Directory.Traversal (CVE-2018-12613)
  • Grandstream.Devices.Invalid.Phonecookie.Command.Injection (CVE-2019-10655)
  • Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)
  • Sophos.SG.UTM.WebAdmin.PreAuth.Remote.Code.Execution (CVE-2020-25223)
  • D-Link.ShareCenter.Products.CGI.Code.Execution (CVE-2020-25506)
  • HP.LinuxKI.Kivis.PHP.Remote.Command.Injection (CVE-2020-7209)
  • Realtek.SDK.CVE-2021-35395.Buffer.Overflow (CVE-2021-35395)
  • Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)
  • Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-42013)
  • Spring.Framework.SerializationUtils.Insecure.Deserialization (CVE-2022-22965)
  • Totolink.Router.Main.Function.Query_String.Command.Injection (CVE-2022-25075)
  • Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26186)
  • Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26210)
  • ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)
  • Roxy-WI.options.API.Remote.Code.Injection (CVE-2022-31137)
  • Apache.Spark.getUnixGroups.Command.Injection (CVE-2022-33891)
  • Digital.Watchdog.MEGApix.IP.Camera.Addacph.Command.Injection (CVE-2022-34538)
  • FLIR.AX8.Thermal.Camera.Command.Injection (CVE-2022-37061)
  • Tenda.HG9.Router.Ping.Command.Injection (CVE-2022-30023)
  • Telesquare.SDT-CW3B1.Command.Injection (CVE-2021-46422)
All network IOCs are blocked by Webfiltering.