New Zerobot Malware Exploiting Apache Vulnerabilities to Launch DDoS Attack

As a result of the exploitation of security vulnerabilities found on unpatched Apache servers that are exposed to the Internet, the Zerobot botnet has been recently upgraded with the capability of infecting new devices.

Latest version also features new DDoS capabilities as observed by the Microsoft Defender for IoT research team. Since November at least, Zerobot has been under active development as part of its development process. 

Several new modules and features have been added to the new versions to increase the attack vectors available to the botnet, respectively. As a result, it is now easier for cybercriminals to infect new devices, such as:- 

  • Firewalls
  • Routers
  • Cameras

By exploiting the year-old exploits, the following devices were actively targeted by the malware modules that were removed by the developers in early December:-

EHA
  • phpMyAdmin servers
  • Dasan GPON home routers
  • D-Link DSL-2750B wireless routers

Zerobot Modules

In addition to the updates discovered by Microsoft, the malware’s toolkit also includes new exploits. This latest update enables it to now target seven new types of devices and software, which is a significant improvement. While this also includes the:-

  • Unpatched versions of Apache
  • Unpatched versions of Apache Spark

In addition to these new capabilities, the Zerobot 1.1 features a comprehensive list of new modules, including:-

  • CVE-2017-17105: Zivif PR115-204-P-RS
  • CVE-2019-10655: Grandstream
  • CVE-2020-25223: WebAdmin of Sophos SG UTM
  • CVE-2021-42013: Apache
  • CVE-2022-31137: Roxy-WI
  • CVE-2022-33891: Apache Spark
  • ZSL-2022-5717: MiniDVBLinux

Zerobot is also capable of exploiting known vulnerabilities to propagate through compromised devices. The most interesting thing about this malware is that the known security flaws that it exploits are not included in the binary of the malware.

New DDoS Capabilities

There are seven new DDoS capabilities available with the updated malware, including TCP_XMAS, which is a new DDoS attack method. Here below we have mentioned all the seven new DDoS capabilities:-

  • UDP_RAW: Sends UDP packets where the payload is customizable.
  • ICMP_FLOOD: Supposed to be an ICMP flood, but the packet is built incorrectly.
  • TCP_CUSTOM: Sends TCP packets where the payload and flags are fully customizable.
  • TCP_SYN: Sends SYN packets.
  • TCP_ACK: Sends ACK packets.
  • TCP_SYNACK: Sends SYN-ACK packets.
  • TCP_XMAS: Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.

As early as mid-November, this Go-based malware was spotted for the first time, and security analysts concluded that it was spreading quickly. Nearly two dozen exploits were utilized when it was released in order to infect different types of devices with it.

Flaws tied to Zerobot

The following vulnerabilities and exploits have been detected by Microsoft Defender, and are linked to Zerobot activity:-

  • CVE-2014-8361
  • CVE-2016-20017
  • CVE-2017-17105
  • CVE-2017-17215
  • CVE-2018-10561
  • CVE-2018-20057
  • CVE-2019-10655
  • CVE-2020-7209
  • CVE-2020-10987
  • CVE-2020-25506
  • CVE-2021-35395
  • CVE-2021-36260
  • CVE-2021-42013
  • CVE-2021-46422
  • CVE-2022-22965
  • CVE-2022-25075
  • CVE-2022-26186
  • CVE-2022-26210
  • CVE-2022-30023
  • CVE-2022-30525
  • CVE-2022-31137
  • CVE-2022-33891
  • CVE-2022-34538
  • CVE-2022-37061
  • ZERO-36290
  • ZSL-2022-5717

Recommendations

It is recommended by Microsoft that in order to protect your devices and networks from the Zerobot threat, you should take the following steps:-

  • Implement security solutions that are capable of detecting threats across domains and providing cross-domain visibility.
  • Take a proactive approach to IoT security by adopting a comprehensive security solution.
  • The configuration of devices should be secure to prevent unauthorized access.
  • It is important to keep your device up-to-date in order to maintain its health.
  • Make sure that you use the least privileged access whenever possible.
  • Make sure your endpoints are secure with a Windows security solution that provides a comprehensive approach.
  • Apps that can be used by your employees should be managed.
  • Executables that are no longer needed or stale should be cleaned up on a regular basis.

Indicators of compromise (IOCs):

Domains and IP addresses:

  • zero[.]sudolite[.]ml
  • 176.65.137[.]5
  • 176.65.137[.]5:1401
  • 176.65.137[.]6
  • ws[:]//176.65.137[.]5/handle
  • http[:]//176.65.137[.]5:8000/ws

New Zerobot hashes (SHA-256)

  • aed95a8f5822e9b1cd1239abbad29d3c202567afafcf00f85a65df4a365bedbb
  • bf582b5d470106521a8e7167a5732f7e3a4330d604de969eb8461cbbbbdd9b9a
  • 0a5eebf19ccfe92a2216c492d6929f9cac72ef37089390572d4e21d0932972c8
  • 1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4
  • 05b7517cb05fe1124dd0fad4e85ddf0fe65766a4c6c9986806ae98a427544e9d
  • 5625d41f239e2827eb05bfafde267109549894f0523452f7a306b53b90e847f2
  • c304a9156a032fd451bff49d75b0e9334895604549ab6efaab046c5c6461c8b3
  • 66c76cfc64b7a5a06b6a26976c88e24e0518be3554b5ae9e3475c763b8121792
  • 539640a482aaee2fe743502dc59043f11aa8728ce0586c800193e30806b2d0e5
  • 0f0ba8cc3e46fff0eef68ab5f8d3010241e2eea7ee795e161f05d32a0bf13553
  • 343c9ca3787bf763a70ed892dfa139ba69141b61c561c128084b22c16829c5af
  • 874b0691378091a30d1b06f2e9756fc7326d289b03406023640c978ff7c87712
  • 29eface0054da4cd91c72a0b2d3cda61a02831b4c273e946d7e106254a6225a7
  • 4a4cb8516629c781d5557177d48172f4a7443ca1f826ea2e1aa6132e738e6db2
  • bdfd89bdf6bc2de5655c3fe5f6f4435ec4ad37262e3cc72d8cb5204e1273ccd6
  • 62f23fea8052085d153ac7b26dcf0a15fad0c27621f543cf910e37f8bf822e0e
  • 788e15fd87c45d38629e3e715b0cb93e55944f7c4d59da2e480ffadb6b981571
  • 26e68684f5b76d9016d4f02b8255ff52d1b344416ffc19a2f5c793ff1c2fdc65
  • e4840c5ac2c2c2170d00feadb5489c91c2943b2aa13bbec00dbcffc4ba8dcc2d
  • 45059f26e32da95f4bb5dababae969e7fceb462cdeadf7d141c39514636b905a
  • 77dd28a11e3e4260b9a9b60d58cb6aaaf2147da28015508afbaeda84c1acfe70
  • cf232e7d39094c9ba04b9713f48b443e9d136179add674d62f16371bf40cf8c8
  • 13657b64a2ac62f9d68aeb75737cca8f2ab9f21e4c38ce04542b177cb3a85521
  • eb33c98add35f6717a3afb0ab2f9c0ee30c6f4e0576046be9bf4fbf9c5369f71
  • e3dd20829a34caab7f1285b730e2bb0c84c90ac1027bd8e9090da2561a61ab17
  • 3685d000f6a884ca06f66a3e47340e18ff36c16b1badb80143f99f10b8a33768
  • cdc28e7682f9951cbe2e55dad8bc2015c1591f89310d8548c0b7a1c65dbefae3
  • 869f4fb3f185b2d1231d9378273271ddfeebb53085daede89989f9cc8d364f5f
  • 6c59af3ed1a616c238ee727f6ed59e962db70bc5a418b20b24909867eb00a9d6
  • ef28ee3301e97eefd2568a3cb4b0f737c5f31983710c75b70d960757f2def74e
  • 95e4cc13f8388c195a1220cd44d26fcb2e10b7b8bfc3d69efbc51beb46176ff1
  • 62f9eae8a87f64424df90c87dd34401fe7724c87a394d1ba842576835ab48afc
  • 54d1daf58ecd4d8314b791a79eda2258a69d7c69a5642b7f5e15f2210958bdce
  • 8176991f355db10b32b7562d1d4f7758a23c7e49ed83984b86930b94ccc46ab3
  • 8aa89a428391683163f0074a8477d554d6c54cab1725909c52c41db2942ac60f
  • fd65bd8ce671a352177742616b5facc77194cccec7555a2f90ff61bad4a7a0f6
  • 1e66ee40129deccdb6838c2f662ce33147ad36b1e942ea748504be14bb1ee0ef
  • 57f83ca864a2010d8d5376c68dc103405330971ade26ac920d6c6a12ea728d3d
  • 7bfd0054aeb8332de290c01f38b4b3c6f0826cf63eef99ddcd1a593f789929d6

SparkRat hashes (SHA-256):

  • 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340
  • cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf
  • 65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88

Penetration Testing As a Service – Download Red Team & Blue Team Workspace

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.