Image: Andres Urena/The Record

Microsoft: Zerobot adds new exploits, DDoS attack capabilities

The newly discovered Zerobot botnet continues to evolve, increasingly targeting connected devices. 

The latest version of the malware, Zerobot 1.1 (not associated with the chatbot, adds new exploits and distributed denial-of-service attack capabilities, expanding the malware's reach to different types of Internet of Things (IoT) devices, according to a report released by Microsoft on Wednesday. Zerobot was first discovered by researchers in November.

The malware spreads primarily through unpatched and improperly secured IoT devices, such as firewalls, routers, and cameras, according to Microsoft. Hackers constantly modify the botnet to scale and target as many of the devices as possible.

Microsoft has spotted seven new vulnerabilities abused by Zerobot, in addition to 21 exploits, such as Spring4Shell and F5 Big, discovered by Fortinet earlier this month.

The upgraded version of Zerobot exploits vulnerabilities in Apache web server software, the Apache Spark data processing engine, and communications equipment manufacturer Grandstream, among others.

The updated malware also has seven new DDoS capabilities. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations, according to Microsoft. 

Zerobot is written in the Go programming language and mostly affects Linux devices. Microsoft claims it found several malware samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name FireWall.exe.

Zerobot targets IoT devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords. Upon gaining access to a device, Zerobot injects a malicious payload that downloads and attempts to execute a botnet. 

The malware has different persistence mechanisms for Linux and Windows. Hackers use persistence tactics to maintain access to devices and look for other internet-exposed devices to infect in the future. 

It is offered as part of a malware-as-a-service scheme when users are willing to pay to launch DDoS attacks. According to Microsoft, hackers who purchase Zerobot malware can modify the attack according to their target.

The malware-as-a-service “business model” has industrialized cyberattacks, making it easier for threat actors to purchase malware, and maintain access to compromised networks, Microsoft said.

Researchers have tracked advertisements for the Zerobot botnet on various social media networks. One domain with links to Zerobot was among 48 associated with DDoS-for-hire services seized by the FBI in December.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.