{"id":125390,"date":"2022-12-21T12:00:00","date_gmt":"2022-12-21T20:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=125390"},"modified":"2023-10-13T06:54:33","modified_gmt":"2023-10-13T13:54:33","slug":"microsoft-research-uncovers-new-zerobot-capabilities","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/12\/21\/microsoft-research-uncovers-new-zerobot-capabilities\/","title":{"rendered":"Microsoft research uncovers new Zerobot capabilities"},"content":{"rendered":"\n

Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations because IoT device configurations often leave them exposed, and the number of internet-connected devices continues to grow. Recent trends show that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.<\/p>\n\n\n\n

Zerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services seized by the FBI<\/a> in December 2022.<\/p>\n\n\n\n

Microsoft has previously reported on the evolving threat ecosystem<\/a>. The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.<\/p>\n\n\n\n

In this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent analysis<\/a> on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.<\/p>\n\n\n\n

What is Zerobot?<\/h2>\n\n\n\n

Zerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.<\/p>\n\n\n\n

\n\n

April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1061<\/strong> is now tracked as Storm-1061<\/strong>. <\/p>\n\n\n

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.<\/p>\n\n<\/blockquote>\n\n\n\n

The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache HTTP Server (CVE-2021-42013) and Apache Spark (CVE-2022-33891), and new DDoS attack capabilities.<\/p>\n\n\n\n

How Zerobot gains and maintains device access<\/h2>\n\n\n\n

IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot can propagate through brute force attacks on devices with insecure configurations that use default or weak credentials. To gain device access, the malware tries combinations of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as port-knocking attempts on ports 80, 8080, 8888, and 2323 to open those ports and connect to them.<\/p>\n\n\n\n
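The brute force and port activity described above is visible in ordinary host and firewall logs. The following Python script is an added example (not code from the Microsoft report) that flags sources with repeated failed SSH logins and sources sending TCP SYNs to several of the ports named in the paragraph. The log lines are constructed, and the thresholds are assumptions to tune per environment.<\/p>\n\n\n\n

```python
"""Flag Zerobot-style credential brute forcing and port probing in host and firewall logs.

Added example, not code from the Microsoft report. The log lines in SAMPLE_LOG are
constructed; the thresholds are assumptions to tune per environment. The port set
comes from the report: SSH/telnet logins on 22, 23 and 2323, and connection attempts
on 80, 8080, 8888 and 2323.
"""
import re
from collections import defaultdict

PROBE_PORTS = {22, 23, 80, 8080, 8888, 2323}
FAILED_LOGIN_THRESHOLD = 5   # assumption: failed SSH logins from one source
PROBE_PORT_THRESHOLD = 4     # assumption: distinct PROBE_PORTS hit by one source

# OpenSSH auth log: "Failed password for [invalid user] admin from 203.0.113.5 port 51234 ssh2"
SSHD_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# netfilter log: "... SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=23 ... SYN ..."
NF_SYN = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+) .*?\bSYN\b")

# Constructed sample: one SSH brute forcer, one port prober, and benign traffic.
SAMPLE_LOG = """\
Dec 21 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 21 10:00:02 cam01 sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Dec 21 10:00:02 cam01 sshd[814]: Failed password for invalid user ubnt from 203.0.113.5 port 51238 ssh2
Dec 21 10:00:03 cam01 sshd[815]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 21 10:00:03 cam01 sshd[816]: Failed password for invalid user pi from 203.0.113.5 port 51242 ssh2
Dec 21 10:00:04 cam01 sshd[817]: Failed password for root from 203.0.113.5 port 51244 ssh2
Dec 21 10:00:09 cam01 sshd[820]: Failed password for pi from 192.0.2.50 port 40010 ssh2
Dec 21 10:00:09 cam01 sshd[821]: Accepted publickey for pi from 192.0.2.50 port 40012 ssh2
Dec 21 10:01:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 21 10:01:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=2323 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 21 10:01:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41236 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 21 10:01:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41237 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 21 10:01:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41238 DPT=8888 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 21 10:01:20 gw kernel: IN=eth0 OUT= SRC=192.0.2.60 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 21 10:01:21 gw kernel: IN=eth0 OUT= SRC=192.0.2.61 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 WINDOW=29200 RES=0x00 ACK URGP=0
"""


def failed_logins_by_source(lines):
    """Map source IP -> (failed attempt count, set of usernames tried)."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        m = SSHD_FAIL.search(line)
        if m:
            user, src = m.group(1), m.group(2)
            counts[src] += 1
            users[src].add(user)
    return {src: (counts[src], users[src]) for src in counts}


def syn_ports_by_source(lines):
    """Map source IP -> set of TCP destination ports it sent a SYN to (ACK-only lines ignored)."""
    ports = defaultdict(set)
    for line in lines:
        m = NF_SYN.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return dict(ports)


def detect(log_text, login_threshold=FAILED_LOGIN_THRESHOLD, probe_threshold=PROBE_PORT_THRESHOLD):
    """Return sorted (source, finding, detail) tuples for sources that exceed a threshold."""
    lines = log_text.splitlines()
    findings = []
    for src, (count, users) in failed_logins_by_source(lines).items():
        if count >= login_threshold:
            findings.append((src, "ssh_bruteforce", f"{count} failed logins, users={sorted(users)}"))
    for src, ports in syn_ports_by_source(lines).items():
        hit = ports & PROBE_PORTS
        if len(hit) >= probe_threshold:
            findings.append((src, "zerobot_port_probe", f"ports={sorted(hit)}"))
    return sorted(findings)


if __name__ == "__main__":
    for src, kind, detail in detect(SAMPLE_LOG):
        print(f"{src:16} {kind:20} {detail}")
```

Run against real `auth.log` and kernel netfilter logs by passing their text to `detect()`; the single benign failed login from 192.0.2.50 and the single SYN from 192.0.2.60 stay below the thresholds, so only the two hostile sources are reported.<\/p>\n\n\n\n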

In addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:<\/p>\n\n\n\n

Vulnerability<\/strong><\/td>Affected software<\/strong><\/td><\/tr>
CVE-2017-17105<\/td>Zivif PR115-204-P-RS<\/td><\/tr>
CVE-2019-10655<\/td>Grandstream<\/td><\/tr>
CVE-2020-25223<\/td>WebAdmin of Sophos SG UTM<\/td><\/tr>
CVE-2021-42013<\/td>Apache HTTP Server<\/td><\/tr>
CVE-2022-31137<\/td>Roxy-WI<\/td><\/tr>
CVE-2022-33891<\/td>Apache Spark<\/td><\/tr>
ZSL-2022-5717<\/td>MiniDVBLinux<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.<\/p>\n\n\n\n

Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.<\/p>\n\n\n\n

Upon gaining device access, Zerobot injects a malicious payload, which may be a generic script called zero.sh <\/em>that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary for a specific architecture. Because IoT devices run on many different CPU architectures, the bash script that downloads the Zerobot binaries identifies the architecture by brute force: it downloads and tries to execute binaries built for one architecture after another until one runs. Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.<\/p>\n\n\n\n

Depending on the operating system of the device, the malware uses different persistence mechanisms, which let it survive reboots and keep its foothold on a compromised device. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name FireWall.exe<\/em> (older versions use my.exe<\/em>). Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. See detection details below.<\/p>\n\n\n\n
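The persistence locations in this section (the Windows Startup-folder file names above and the Linux desktop entry, daemon, and service paths listed next) are exactly what a responder checks for on a suspect device. The following Python script is an added example (not code from the Microsoft report) that looks for those artifacts and reads the Exec= target of any .desktop entry it finds. The `root` parameter is an assumption that lets the same check run against a mounted disk image or a constructed fixture; the standard systemd unit directory and the symlink left by `systemctl enable` are checked in addition to the paths named in the report and are labeled as assumptions in the code.<\/p>\n\n\n\n

```python
"""Hunt for the Zerobot persistence artifacts named in this report on a host.

Added example, not code from the Microsoft report. Paths marked "report" are taken from
the report's persistence section; paths marked "assumption" are standard locations
checked in addition. demo_scan() builds a constructed fixture so the check runs offline.
"""
import os
import tempfile

# System-wide Linux paths, relative to root.
SYSTEM_ARTIFACTS = [
    "usr/bin/sshf",                      # report: daemon method, binary
    "etc/init/sshf.conf",                # report: daemon method, init configuration
    "etc/sshf",                          # report: service method, binary
    "lib/system/system/sshf.service",    # report: service method, unit path as written there
    "lib/systemd/system/sshf.service",   # assumption: standard systemd unit directory
    "etc/systemd/system/multi-user.target.wants/sshf.service",  # assumption: left by systemctl enable
]
# Per-user Linux paths, relative to each home directory (older versions use autostart/).
USER_ARTIFACTS = [
    ".config/ssh.service/sshf",
    ".config/ssh.service/sshf.desktop",
    ".config/autostart/sshf",
    ".config/autostart/sshf.desktop",
]
# Windows Startup-folder file names from the report (older versions use my.exe).
STARTUP_NAMES = ["FireWall.exe", "my.exe"]


def desktop_exec(path):
    """Return the Exec= value of a .desktop file, or None if it has none."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.startswith("Exec="):
                return line[len("Exec="):].strip()
    return None


def scan(root="/", homes=None, startup_dirs=None):
    """Return [{"path": ..., "exec": ...}] for every artifact present under root/homes/startup_dirs."""
    root = os.path.abspath(root)
    if homes is None:  # default: every directory under root/home, plus root's home
        home_root = os.path.join(root, "home")
        homes = ([os.path.join(home_root, d) for d in sorted(os.listdir(home_root))]
                 if os.path.isdir(home_root) else [])
        homes.append(os.path.join(root, "root"))
    if startup_dirs is None:  # default: the current user's Startup folder, only set on Windows
        appdata = os.environ.get("APPDATA")
        startup_dirs = ([os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup")]
                        if appdata else [])

    candidates = [(os.path.join(root, rel), "/" + rel) for rel in SYSTEM_ARTIFACTS]
    for home in homes:
        for rel in USER_ARTIFACTS:
            full = os.path.join(home, rel)
            candidates.append((full, "/" + os.path.relpath(full, root)))
    for d in startup_dirs:
        candidates += [(os.path.join(d, n), os.path.join(d, n)) for n in STARTUP_NAMES]

    findings = []
    for full, reported in candidates:
        if not os.path.lexists(full):
            continue
        finding = {"path": reported, "exec": None}
        if full.endswith(".desktop") and os.path.isfile(full):
            finding["exec"] = desktop_exec(full)
        findings.append(finding)
    return findings


def _write(path, text=""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo_scan(infected=True):
    """Scan a constructed fixture tree that mimics an infected (or clean) host."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "pi")
        startup = os.path.join(tmp, "startup")  # stands in for a Windows Startup folder
        os.makedirs(home)
        os.makedirs(startup)
        if infected:
            _write(os.path.join(tmp, "usr", "bin", "sshf"))
            _write(os.path.join(tmp, "etc", "init", "sshf.conf"))
            _write(os.path.join(home, ".config", "ssh.service", "sshf"))
            _write(os.path.join(home, ".config", "ssh.service", "sshf.desktop"),
                   "[Desktop Entry]\nType=Application\nName=sshf\n"
                   "Exec=/home/pi/.config/ssh.service/sshf\nX-GNOME-Autostart-enabled=true\n")
            _write(os.path.join(startup, "FireWall.exe"))
        return scan(root=tmp, homes=[home], startup_dirs=[startup])


if __name__ == "__main__":
    for f in demo_scan():
        print(f["path"], "->", f["exec"] or "")
```

On a live Linux host run `scan()` with defaults as root; on a Windows host the Startup folder is derived from `%APPDATA%`. A hit on any of these paths, or a `.desktop` entry whose Exec= points at a file named sshf, warrants collecting the binary and checking for the network behaviour described earlier in this post.<\/p>\n\n\n\n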

To achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:<\/p>\n\n\n\n

Desktop entry:<\/strong><\/p>\n\n\n\n

Zerobot copies itself to $HOME\/.config\/ssh.service\/sshf<\/em> then writes a desktop entry file called sshf.desktop<\/em> to the same directory. Older Linux versions use $HOME\/.config\/autostart<\/em> instead of $HOME\/.config\/ssh.service<\/em>.<\/p>\n\n\n\n

Daemon:<\/strong><\/p>\n\n\n\n

Copies itself to \/usr\/bin\/sshf<\/em> and writes a configuration at \/etc\/init\/sshf.conf<\/em>.<\/p>\n\n\n\n

Service:<\/strong><\/p>\n\n\n\n

Copies itself to \/etc\/sshf<\/em> and writes a service configuration at \/lib\/system\/system\/sshf.service<\/em>, then enables the service (to make sure it starts at boot) with two commands:<\/p>\n\n\n\n