NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.
Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continue to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.
Zerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services seized by the FBI in December 2022.
Microsoft has previously reported on the evolving threat ecosystem. The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.
In this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet’s recent analysis on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware’s reach to different types of devices. In addition to these findings, we’re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.
What is Zerobot?
Zerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1061 is now tracked as Storm-1061.
To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.
The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.
How Zerobot gains and maintains device access
IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.
In addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:
Vulnerability
Affected software
CVE-2017-17105
Zivif PR115-204-P-RS
CVE-2019-10655
Grandstream
CVE-2020-25223
WebAdmin of Sophos SG UTM
CVE-2021-42013
Apache
CVE-2022-31137
Roxy-WI
CVE-2022-33891
Apache Spark
ZSL-2022-5717
MiniDVBLinux
Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID “ZERO-32906” for CVE-2018-20057, “GPON” for CVE-2018-10561, and “DLINK” for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.
Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.
Upon gaining device access, Zerobot injects a malicious payload, which may be a generic script called zero.sh that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.
Depending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name FireWall.exe (older versions use my.exe). Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. See detection details below.
To achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:
Desktop entry:
Zerobot copies itself to $HOME/.config/ssh.service/sshf then writes a desktop entry file called sshf.desktop to the same directory. Older Linux versions use $HOME/.config/autostart instead of $HOME/.config/ssh.service.
Daemon:
Copies itself to /usr/bin/sshf and writes a configuration at /etc/init/sshf.conf.
Service:
Copies itself to /etc/sshf and writes a service configuration at /lib/system/system/sshf.service, then enables the service (to make sure it starts at boot) with two commands:
systemctl enable sshf
service enable sshf
All persistence mechanisms on older Linux versions use my.bin and my.bin.desktop instead of sshf and sshf.desktop.
New attack capabilities
In addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.
The following are the previously known Zerobot capabilities:
Attack method
Description
UDP_LEGIT
Sends UDP packets without data.
MC_PING
Meant for DDoS on Minecraft servers. Sends a handshake and status request.
TCP_HANDSHAKE
Floods with TCP handshakes.
TCP_SOCKET
Continuously sends random payloads on an open TCP socket. Payload length is customizable.
TLS_SOCKET
Continuously sends random payloads on an open TLS socket. Payload length is customizable.
HTTP_HANDLE
Sends HTTP GET requests using a Golang standard library.
HTTP_RAW
Formats and sends HTTP GET requests.
HTTP_BYPASS
Sends HTTP GET requests with spoofed headers.
HTTP_NULL
HTTP headers are each one random byte (not necessarily ascii).
Previously undisclosed and new capabilities are the following:
Attack method
Description
UDP_RAW
Sends UDP packets where the payload is customizable.
ICMP_FLOOD
Supposed to be an ICMP flood, but the packet is built incorrectly.
TCP_CUSTOM
Sends TCP packets where the payload and flags are fully customizable.
TCP_SYN
Sends SYN packets.
TCP_ACK
Sends ACK packets.
TCP_SYNACK
Sends SYN-ACK packets.
TCP_XMAS
Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.
How Zerobot spreads
After persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called new_botnet_selfRepo_isHoneypot, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.
Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called impst.sh:
Defending devices and networks against Zerobot
The continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:
Use security solutions with cross-domain visibility and detection capabilities like Microsoft 365 Defender, which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.
Adopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.
Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
Harden endpoints with a comprehensive Windows security solution:
Manage the apps your employees can use through Windows Defender Application Control and for unmanaged solutions, enabling Smart App Control.
Perform timely cleanup of all unused and stale executables sitting on yours or your organizations’ devices.
Detections
Microsoft Defender for IoT
Microsoft Defender for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:
CVE-2014-8361
CVE-2016-20017
CVE-2017-17105
CVE-2017-17215
CVE-2018-10561
CVE-2018-20057
CVE-2019-10655
CVE-2020-7209
CVE-2020-10987
CVE-2020-25506
CVE-2021-35395
CVE-2021-36260
CVE-2021-42013
CVE-2021-46422
CVE-2022-22965
CVE-2022-25075
CVE-2022-26186
CVE-2022-26210
CVE-2022-30023
CVE-2022-30525
CVE-2022-31137
CVE-2022-33891
CVE-2022-34538
CVE-2022-37061
ZERO-36290
ZSL-2022-5717
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects the malicious files under the following platforms and threat names:
Zerobot (Win32/64 and Linux)
SparkRat (Win32/64 and Linux)
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:
DEV-1061 threat activity group detected
An active ‘PrivateLoader’ malware process was detected while executing
‘Morila’ malware was prevented
‘Multiverze’ malware was detected
Microsoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:
CVE-2022-22965 (Spring4Shell)
Microsoft Defender for Endpoint’s Device Discovery capabilities discover and classify devices. With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:
CVE-2014-8361
CVE-2019-10655
CVE-2020-25506
CVE-2021-36260
CVE-2021-42013
CVE-2022-30525
CVE-2022-31137
CVE-2022-37061
Devices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.
Microsoft Defender for Cloud
Microsoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:
VM_ReverseShell
VM_SuspectDownloadArtifacts
SQL.VM_ShellExternalSourceAnomaly
AppServices_CurlToDisk
Advanced hunting queries
Microsoft 365 Defender
Microsoft 365 Defender customers can run the following query to find related activity in their networks.
Zerobot files
This query finds the file hashes associated with Zerobot activity.
let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string,
ActivityGroupNames:string)[@"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv"]
with(format="csv", ignoreFirstRecord=True);
let shahashes = IoCList
| where IoC_Type =~ "sha256" and Description =~ "Dev-1061 Zerobot affecting IoT devices"
| distinct IoC;
DeviceFileEvents
| where SHA256 in (shahashes)
Zerobot HTTP requests
This query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.
This query finds incoming connections from IOCs associated with Zerobot activity.
DeviceNetworkEvents
| where RemoteIP in("176.65.137.5","176.65.137.6")
| where ActionType == "InboundConnectionAccepted"
| where Timestamp > ago(30d)
|project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
Rotem Sde-Or, Ilana Sivan, Gil Regev, Microsoft Defender for IoT Research Team Meitar Pinto, Nimrod Roimy, Nir Avnery, Microsoft Defender Research Team Ramin Nafisi, Ross Bevington, Microsoft Threat Intelligence Center (MSTIC)
At CYBERWARCON 2024, Microsoft Threat Intelligence analysts will share research and insights on North Korean and Chinese threat actors representing years of threat actor tracking, infrastructure monitoring and disruption, and their attack tooling.
Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). Microsoft is […]
Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, […]
Microsoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them. The vulnerability involves creating a group called “ESX Admins” in Active Directory and adding an attacker-controlled user account to this group. This manipulation of the Active Directory group takes advantage of a privilege escalation vulnerability (CVE-2024-37085) in ESXi hypervisors that grants the added user full administrative access to the ESXi hypervisor. The vulnerability was fixed by VMware in their June release and ESXi administrators should install this security update.