In November, researchers observed a unique botnet written in Go spreading through IoT vulnerabilities, according to a new FortiGuard Labs study. Dubbed Zerobot, the botnet consists of several modules, including self-replication, attacks against different protocols, and self-propagation; it also communicates with its command-and-control servers using the WebSocket protocol. It primarily targets the Linux operating system to control vulnerable devices.

According to the introduction,Zerobot’sThe goal is to add infected devices to a Distributed Denial of Service (DDoS) botnet to launch a powerful attack on a designated target. Can scan the network and propagate itself to neighboring devices, as well as run commands on Windows (CMD) or Linux (Bash).

There are two versions of Zerobot, the first used before November 24 contains only basic functions, and theThe new version contains additional modules and exploits for new vulnerabilities. This behavior indicates that the malware is under active development.

Zerobot incorporates exploits of 21 vulnerabilities and uses them to gain access to devices; it then downloads scripts for further distribution. It is saved with the filename “zero,” which is where it got its name from.The scope of impact covers F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras, among others.In addition to some IoT vulnerabilities, Spring4Shell, phpAdmin, F5 Big, etc. are also included to increase its success rate.

It can target a range of system architectures and devices, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.

Currently downloading scripts

List of exploits in Zerobot

Vulnerable devices for Zerobot attack

Additionally, the botnet used four exploits with unassigned identifiers. Two of them target GPON terminals and D-Link routers. Details about the other two are currently unknown.

After establishing a presence on an infected device, Zerobot sets up a WebSocket connection to a command and control (C2) server and sends some basic information about the victim. The C2 may respond to one of the following commands:“ping”, “attack”, “stop”, “update”, “kill”, “disable_scan”, “enable_scan'”, and “command”.

The malware also uses an “anti-kill” module designed to prevent termination or killing of its processes.Currently, Zerobot is mainly focused on launching DDoS attacks, but it can also be used as an initial access.

Fortinet concludes,Zerobot is a new type of botnet written in the Go programming language that communicates via the WebSocket protocol.Since its first appearance on November 18,Zerobot The developers have made improvements with string obfuscation, copy-file module, self-propagation module and several new exploits,making it harder to detect and giving it a higher ability to infect more devices.Users should be aware of this new threat and actively apply patches when they become available.