(Updated) Microsoft details newly identified capabilities of Zerobot malware
Operators are continuously adding new exploits and capabilities to Zerobot - a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, according to Microsoft security researchers who have been monitoring the malware for months.
In a blog post, the Microsoft Defender for IoT research team has shared details on the latest version of the malware, Zerobot 1.1, including newly identified capabilities. Microsoft security researchers have also shared new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.
The malware affects a variety of devices including firewall devices, routers, and cameras and adds compromised devices to a distributed denial of service (DDoS) botnet.
After tracking the malware for several months, Microsoft found that Zerobot's most recent distribution includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.
Zerobot can propagate through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. It may attempt to gain device access by trying a combination of eight common usernames and 130 passwords used on IoT devices over SSH and telnet on ports 23 and 2323, and then spread from the devices it compromises.
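As an added, defender-side illustration (not code from Microsoft's post), the check below scans connection logs for a source that racks up many failed logins on the SSH/telnet ports the article names (22, 23 and 2323) within a short window, which is the footprint a credential-guessing spreader like this leaves. The log format and sample lines are constructed for the example.

```python
"""Flag sources that brute-force SSH/telnet ports (22, 23, 2323) in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real product's): "<iso-ts> <src> -> <dst>:<port> ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<result>ok|fail)$"
)
BRUTE_PORTS = {22, 23, 2323}  # SSH, telnet, alternate telnet


def parse_line(line):
    """Return (timestamp, src, dst, port, result) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]), m["result"])


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {src: peak_failures} for sources with >= threshold failed logins
    on the watched ports inside any sliding window of the given length."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in BRUTE_PORTS and rec[4] == "fail":
            failures[rec[1]].append(rec[0])
    hits = {}
    for src, stamps in failures.items():
        stamps.sort()
        left, best = 0, 0
        for right, ts in enumerate(stamps):  # two-pointer sliding window
            while ts - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            hits[src] = best
    return hits


def constructed_sample():
    """Constructed sample: one spreader, one admin with occasional typos, one web hit."""
    base = datetime(2022, 12, 20, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} 203.0.113.7 -> "
             f"192.0.2.{10 + i % 4}:{[23, 2323, 22][i % 3]} fail" for i in range(12)]
    lines += [f"{(base + timedelta(minutes=20 * i)).isoformat()} 198.51.100.5 -> "
              f"192.0.2.10:22 fail" for i in range(3)]
    lines.append(f"{(base + timedelta(minutes=61)).isoformat()} 198.51.100.5 -> 192.0.2.10:22 ok")
    lines.append(f"{base.isoformat()} 203.0.113.7 -> 192.0.2.10:443 fail")  # not a login port
    return lines


if __name__ == "__main__":
    print(detect_bruteforce(constructed_sample()))  # {'203.0.113.7': 12}
```

The admin's three spread-out failures stay below the threshold, while the spreader's burst across all three ports is reported with its peak count.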
In addition, the malware exploits dozens of vulnerabilities, which operators add on a rolling basis to gain access and inject malicious payloads.
Zerobot 1.1, the latest version of the malware, has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations, according to Microsoft.
Microsoft recommends using security solutions with cross-domain visibility and detection capabilities like Microsoft 365 Defender, adopting a comprehensive IoT security solution such as Microsoft Defender for IoT, and other security measures to protect devices and networks against the threat. You can find the details in this blog post.
Note: As mentioned in the blog post, Zerobot is a botnet that spreads primarily via IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.