Microsoft research uncovers new Zerobot capabilities | Microsoft Security Blog

Microsoft Defender for IoT researchers track Zerobot, a Go-based IoT botnet that keeps adding exploits and DDoS capabilities, spreads by abusing IoT and web-application vulnerabilities, and is offered as a service. Zerobot 1.1 expands its attack methods, adds CVE-based exploits, and persists on both Linux and Windows; the post also publishes new IOCs and defender recommendations. #Zerobot #Storm1061

Keypoints

  • Zerobot is a Go-based botnet that spreads via IoT and web application vulnerabilities and uses brute-force attempts with default or weak credentials on SSH/telnet to recruit devices.
  • Zerobot 1.1 adds exploits for newly targeted vulnerabilities (including CVE-2021-42013 in Apache HTTP Server and CVE-2022-33891 in Apache Spark, among others) and new DDoS capabilities, widening the range of devices it can compromise.
  • The malware employs multiple persistence techniques on Windows and Linux (Windows Startup folder; Linux desktop entry, daemon, and service) to survive reboots.
  • Zerobot scans for additional vulnerable devices and includes a honeypot-detection function to avoid decoys while expanding its botnet.
  • New capabilities include a wider set of DDoS methods (UDP_RAW, ICMP_FLOOD, TCP_CUSTOM, TCP_SYN, etc.) with customizable targets and ports.
  • The malware can download a cross-platform remote administration tool (SparkRat, per the IOC section) via a script named impst.sh, giving the operator a second remote-control channel alongside the botnet's own C2.
  • Defense guidance emphasizes cross-domain visibility, IoT security, least-privilege access, patching, and Microsoft Defender protections, plus advanced hunting queries and threat-intelligence mappings in Microsoft Sentinel.

MITRE Techniques

  • [T1110] Brute Force – Brute-force attempts on IoT devices using a mix of usernames and passwords over SSH and Telnet to spread to devices. Quote: “…a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices.”
  • [T1190] Exploit Public-Facing Application – Exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively) to gain access. Quote: “new vulnerabilities, such as: CVE-2021-42013 and CVE-2022-33891 respectively.”
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – Windows persistence by copying to Startup folder with FireWall.exe (older versions use my.exe). Quote: “On Windows machines, the malware copies itself to the Startup folder with the file name FireWall.exe (older versions use my.exe).”
  • [T1543.002] Create or Modify System Process: Systemd Service – Linux persistence via three methods: a desktop entry ($HOME/.config/ssh.service/sshf and sshf.desktop), a daemon copied to /usr/bin/sshf, and a service unit at /lib/system/system/sshf.service (path as printed in the post; the standard unit directory is /lib/systemd/system, so check both) enabled via systemctl or service.
  • [T1046] Network Service Scanning – After persistence, Zerobot scans for other internet-exposed devices to infect (including honeypot detection via new_botnet_selfRepo_isHoneypot). Quote: “scans for other internet-exposed devices to infect… new_botnet_selfRepo_isHoneypot … 61 IP subnets.”
  • [T1105] Ingress Tool Transfer – Downloads a cross-platform RAT via a script (impst.sh) used to fetch the remote administration tool. Quote: “The script, which is used to download this RAT, is called impst.sh.”
  • [T1499] Endpoint Denial of Service – New and expanded DDoS capabilities with customizable target ports and payloads. Quote: “new attack capabilities… DDoS attack capabilities… the destination port is customizable.”
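
The persistence paths, C2 hosts and SSH/telnet brute-force stage listed in the Keypoints and MITRE sections above can be turned directly into triage checks. The following is an added example, not code from the Microsoft blog or from the Zerobot samples: the paths, file names, hosts and ports are taken from this page, while the flow-log format, the sample log lines and the scratch directory tree are constructed for demonstration, and all function names are my own.

```python
"""Triage helpers for the Zerobot behaviours summarised on this page.

Added example, not code from the Microsoft blog or from the Zerobot samples.
The paths, file names, C2 hosts and ports come from the page; the log lines
and directory layout below are constructed for demonstration, and every
function name is my own.
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Linux persistence locations named on the page, relative to a root so the
# check can run against a mounted disk image instead of the live system.
LINUX_ARTIFACTS = (
    "usr/bin/sshf",                      # daemon
    "lib/system/system/sshf.service",    # service file, path as printed on the page
)
LINUX_HOME_ARTIFACTS = (                 # relative to a user's $HOME
    ".config/ssh.service/sshf",          # desktop-entry payload
    ".config/ssh.service/sshf.desktop",  # desktop entry
)
WINDOWS_STARTUP_NAMES = ("firewall.exe", "my.exe")  # current / older version, lower-cased

C2_HOSTS = {"zero.sudolite.ml", "176.65.137.5", "176.65.137.6"}
SPREAD_PORTS = {22, 23, 2323}  # SSH/telnet ports the page says Zerobot brute-forces

# Constructed flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def find_linux_persistence(root, home):
    """Return the page-listed Zerobot paths that exist under root and home."""
    root, home = Path(root), Path(home)
    candidates = [root / p for p in LINUX_ARTIFACTS] + [home / p for p in LINUX_HOME_ARTIFACTS]
    return sorted(str(p) for p in candidates if p.exists())


def find_windows_persistence(startup_dir):
    """Return Startup-folder entries whose name matches the page's file names."""
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return []
    return sorted(str(p) for p in startup_dir.iterdir()
                  if p.name.lower() in WINDOWS_STARTUP_NAMES)


def match_c2_flows(lines):
    """Flows whose destination is one of the page's C2 hosts."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m and m.group(4) in C2_HOSTS:
            hits.append({"ts": m.group(1), "src": m.group(2),
                         "dst": m.group(4), "dport": int(m.group(5))})
    return hits


def find_spreaders(lines, min_targets=10):
    """Sources that touched >= min_targets distinct hosts on SSH/telnet ports:
    the network-side shape of the brute-force/scanning stage."""
    targets = defaultdict(set)
    for line in lines:
        m = FLOW_RE.match(line)
        if m and int(m.group(5)) in SPREAD_PORTS:
            targets[m.group(2)].add(m.group(4))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample: one host beacons to the C2 and then sweeps telnet/2323.
SAMPLE_FLOWS = [
    "2022-12-21T10:00:01Z 10.0.0.5:51234 -> 176.65.137.5:1401 tcp",
    "2022-12-21T10:00:02Z 10.0.0.5:51235 -> 176.65.137.5:8000 tcp",
    "2022-12-21T10:00:03Z 10.0.0.7:44321 -> 93.184.216.34:443 tcp",
] + [f"2022-12-21T10:01:{i:02d}Z 10.0.0.5:4{i:04d} -> 192.0.2.{i}:2323 tcp"
     for i in range(1, 13)]


def demo_persistence_check():
    """Build a scratch tree with the page's artefact names and run both checks.
    Returns (linux_hit_count, windows_hit_count)."""
    with tempfile.TemporaryDirectory() as d:
        root, home, startup = Path(d) / "root", Path(d) / "home", Path(d) / "Startup"
        for rel in ("usr/bin/sshf", "lib/system/system/sshf.service"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).touch()
        (home / ".config/ssh.service").mkdir(parents=True)
        (home / ".config/ssh.service/sshf.desktop").touch()
        startup.mkdir()
        (startup / "FireWall.exe").touch()
        return (len(find_linux_persistence(root, home)),
                len(find_windows_persistence(startup)))


if __name__ == "__main__":
    print("C2 flows:", match_c2_flows(SAMPLE_FLOWS))
    print("spreaders:", find_spreaders(SAMPLE_FLOWS))
    print("persistence hits (linux, windows):", demo_persistence_check())
```

The file checks take a root and a home directory rather than assuming `/` and `$HOME`, so they can be pointed at a mounted image during forensics; on a live host, run them once per user home. The flow matcher keys on destination host only, because the page reports the C2 on several ports (1401, 8000) and the URI scheme is not visible in flow data.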

Indicators of Compromise

  • [Domain] C2 domain and URIs – zero[.]sudolite[.]ml; ws[:]//176.65.137[.]5/handle; http[:]//176.65.137[.]5:8000/ws
  • [IP Address] IPv4s – 176.65.137.5, 176.65.137.6 (plus port variations like 176.65.137.5:1401).
  • [Hash] Zerobot SHA-256 – aed95a8f5822e9b1cd1239abbad29d3c202567afafcf00f85a65df4a365bedbb, bf582b5d470106521a8e7167a5732f7e3a4330d604de969eb8461cbbbbdd9b9a, and 2 more hashes
  • [Hash] SparkRat SHA-256 – 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340, cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf, and 1 more hash

Read more: https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/