
- 291/2022
- High
Zerobot is a Go-based malware that has been observed targeting devices and applications such as F5 BIG-IP, Zyxel firewalls, Spring4Shell, and phpMyAdmin with almost two dozen vulnerability exploits. The botnet's objective is to add compromised devices to its pool in order to launch DDoS attacks and execute arbitrary commands.
The malware targets several system architectures, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.
1- Initialization:
• Once a system is exploited, Zerobot checks its connection to the internet by using Cloudflare’s DNS resolver server.
• On Windows, Zerobot copies itself to the "Startup" folder. On Linux it uses one of three file paths, "%HOME%", "/etc/init/", or "/lib/systemd/system/", depending on the startup method.
• The malware prevents users from terminating the program’s process by intercepting any termination signals.
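A hunting helper for the Linux persistence locations described above, added here as an example; it is not part of the advisory and not Zerobot's own code. The writable-prefix heuristic, the 30-day modification window and the sample unit files are assumptions, not indicators from the advisory.

```python
import re
import time
from pathlib import Path

# Linux persistence directories named in the advisory; %HOME% is covered by the
# prefix check below rather than scanned as a directory.
PERSISTENCE_DIRS = ("/etc/init/", "/lib/systemd/system/")
# User-writable locations a dropped bot binary is commonly launched from (assumed).
WRITABLE_PREFIXES = ("/home/", "/root/", "/tmp/", "/var/tmp/", "/dev/shm/")
# Matches systemd "ExecStart=/path ..." and upstart "exec /path ..." lines.
EXEC_LINE = re.compile(r"^\s*(?:ExecStart\s*=|exec\s+)\s*(?P<cmd>\S+)", re.M | re.I)

def suspicious_exec(unit_text):
    """Return the launched path if the unit starts a binary from a
    user-writable prefix, otherwise None."""
    m = EXEC_LINE.search(unit_text)
    if not m:
        return None
    cmd = m.group("cmd").lstrip("-@+!:")  # strip systemd ExecStart modifiers
    return cmd if cmd.startswith(WRITABLE_PREFIXES) else None

def hunt(dirs=PERSISTENCE_DIRS, max_age_days=30):
    """Return [(unit_path, exec_path)] for .service/.conf files modified in the
    last max_age_days whose exec line points at a user-writable location."""
    cutoff = time.time() - max_age_days * 86400
    findings = []
    for d in dirs:
        for p in Path(d).glob("*"):
            if p.suffix not in (".service", ".conf") or not p.is_file():
                continue
            try:
                if p.stat().st_mtime < cutoff:
                    continue
                hit = suspicious_exec(p.read_text(errors="replace"))
            except OSError:
                continue
            if hit:
                findings.append((str(p), hit))
    return findings

# Constructed sample unit files so the heuristic can be exercised offline.
SAMPLE_UNITS = {
    "zero.service": "[Service]\nExecStart=-/tmp/.x/zero\nRestart=always\n",
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "zero.conf": "start on runlevel [2345]\nexec /home/www/.cache/zero\n",
}

def demo():
    """Names of the constructed samples the heuristic flags."""
    return sorted(n for n, t in SAMPLE_UNITS.items() if suspicious_exec(t))
```

Run `hunt()` on a live host to list matching units; a hit is a lead for triage, not confirmation of infection, since legitimate services also launch from home directories.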
2- Functions:
• Once running on the compromised device, Zerobot connects to its C2 using the WebSocket protocol.
• Zerobot C2s use the following commands to control the bots:
| Command | Details |
| --- | --- |
| ping | Heartbeat, maintaining the connection |
| attack | Launch attack for different protocols: TCP, UDP, TLS, HTTP, ICMP |
| stop | Stop attack |
| update | Install update and restart Zerobot |
| enable_scan | Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker |
| disable_scan | Disable scanning |
| command | Run OS command, cmd on Windows and bash on Linux |
| kill | Kill botnet program |
Indicators of Compromise
Indicators of compromise will be shared with EG-FinCIRT’s Constituents
Vulnerabilities
• CVE-2014-08361
• CVE-2022-01388
• CVE-2017-17106
• CVE-2017-17215
• CVE-2018-12613
• CVE-2020-10987
• CVE-2020-25506
• CVE-2021-35395
• CVE-2021-36260
• CVE-2021-46422
• CVE-2022-22965
• CVE-2022-25075
• CVE-2022-26186
• CVE-2022-26210
• CVE-2022-30525
• CVE-2022-34538
• CVE-2022-37061
Mitigations
• Search for existing signs of the indicated IOCs in your environment.
• Block IP-based IOCs at the organization’s security devices.
• Implement network segmentation such that all machines on your network are not accessible from every other machine.
• If remote access is required, use a VPN following vendor best practices, with multi-factor authentication, password audits, precise access control, and active monitoring of remote access sessions.
• Users logged into remote access services should have limited privileges for the rest of the corporate network.
• Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
• Conduct cybersecurity awareness training for end users.
• Ensure anti-virus software and associated files are up to date.
• Implement application whitelisting, which only allows systems to execute programs known and permitted by the organization’s security policy.
• Back up your data to different backup destinations, including tape drives.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
• Install updates/patches for operating systems, software, and firmware as soon as they are released.