Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities | FortiGuard Labs

Zerobot is a Go-based IoT botnet observed by FortiGuard Labs that exploits multiple vulnerabilities to infect devices, self-replicate, and propagate using various protocols. It communicates with a WebSocket-based C2 and has evolved to include a selfRepo module and a suite of exploits to widen its infection surface. #Zerobot #GoLang #WebSocket #Spring4Shell #phpAdmin #F5Big #0dayToday #Cloudflare

Keypoints

  • Zerobot is a Go-based botnet targeting IoT devices via multiple vulnerabilities, observed by FortiGuard Labs.
  • The malware can replicate itself, attack over several protocols, and propagate on its own, and it uses WebSocket for C2 communication.
  • Two versions exist; the newer one adds a selfRepo module to reproduce itself and infect more endpoints with different protocols or vulnerabilities.
  • On start-up, the malware checks its connectivity to 1.1.1.1 (Cloudflare's DNS resolver) and then persists by copying itself to startup locations on Windows and Linux.
  • A dedicated AntiKill module attempts to prevent disruption by intercepting termination signals.
  • It carries 21 exploits (among them Spring4Shell, phpAdmin and F5 BIG-IP), some of them sourced from 0day.today, to maximize its chance of infecting a target.
  • The C2 server is at 176.65.137.5; Fortinet provides IPS signatures, web filtering, and IP reputation to block Zerobot traffic.
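The AntiKill behaviour described above relies on a property of Unix signal handling that also limits it: a process may install handlers for SIGINT, SIGTERM and SIGHUP, but never for SIGKILL or SIGSTOP, which the kernel acts on directly. The following Go program is an illustration added to this page, not Zerobot's code and not from the FortiGuard report: it installs the kind of handler an anti-kill routine uses, sends itself SIGTERM to show that the process survives, and reports which signals remain uninterceptable. The function names are my own and it assumes a Linux or other Unix host.

```go
package main

import (
	"fmt"
	"os"
	"os/signal"
	"syscall"
	"time"
)

// interceptTermination registers a handler for the termination signals a
// process is allowed to catch, mirroring what an "anti-kill" routine does.
// Every intercepted signal is reported on the returned channel instead of
// terminating the process. The returned func removes the handler again.
func interceptTermination() (<-chan os.Signal, func()) {
	ch := make(chan os.Signal, 8)
	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
	return ch, func() { signal.Stop(ch) }
}

// survivesSignal sends sig to the current process and reports whether the
// process is still alive and observed that exact signal on ch before the
// timeout. With the handler from interceptTermination installed, SIGTERM
// is swallowed; without it, the default action would have ended the process.
func survivesSignal(ch <-chan os.Signal, sig syscall.Signal, timeout time.Duration) (bool, error) {
	if err := syscall.Kill(os.Getpid(), sig); err != nil {
		return false, err
	}
	select {
	case got := <-ch:
		return got == sig, nil
	case <-time.After(timeout):
		return false, fmt.Errorf("%v was not delivered to the handler within %v", sig, timeout)
	}
}

// catchable reports whether a Unix process can install a handler for sig.
// The kernel acts on SIGKILL and SIGSTOP without consulting the process,
// so no user-space anti-kill logic can intercept them; that is why
// `kill -9` still terminates a process protected this way.
func catchable(sig syscall.Signal) bool {
	return sig != syscall.SIGKILL && sig != syscall.SIGSTOP
}

func main() {
	ch, stop := interceptTermination()
	defer stop()
	ok, err := survivesSignal(ch, syscall.SIGTERM, 2*time.Second)
	fmt.Printf("SIGTERM intercepted, process still running: %v (err=%v)\n", ok, err)
	for _, s := range []syscall.Signal{syscall.SIGTERM, syscall.SIGKILL, syscall.SIGSTOP} {
		fmt.Printf("%-12v catchable=%v\n", s, catchable(s))
	}
}
```

For a responder the practical consequence is that `kill` or `pkill` (SIGTERM) against a process using this technique does nothing visible, while `kill -9` (SIGKILL) cannot be blocked; on a compromised device that is the signal to use, after any memory or network evidence has been collected.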

MITRE Techniques

  • [T1071.001] Web Protocols – “communicates with its command-and-control server using the WebSocket protocol.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “copies itself to the Startup folder with the filename ‘FireWall.exe’.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – “AntiKill module to prevent users from disrupting the Zerobot program.”
  • [T1105] Ingress Tool Transfer – “downloads a script for further propagation.”
  • [T1190] Exploit Public-Facing Application – “Zerobot includes 21 exploits.”
  • [T1021] Remote Services (Lateral Movement) – “selfRepo module to reproduce itself and infect more endpoints…”
  • [T1016.001] System Network Configuration Discovery: Internet Connection Discovery – “Zerobot first checks its connection to 1.1.1.1, the DNS resolver server from Cloudflare.”

Indicators of Compromise

  • [C2] Command and control server – 176.65.137.5
  • [Files] Payload/hashes – 7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc, df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722, and 2 more hashes
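The indicators above are only useful once they are run against telemetry. The Go program below is an added example for this page, not code from the report or from Fortinet: it takes the C2 address, the two published hashes and the persistence filename from the list above and scans constructed log lines (the proxy and EDR line formats, field names and sample lines are all my own, not real captures) for matches. It deliberately does not flag traffic to 1.1.1.1, since that connectivity check is indistinguishable from ordinary DNS use and would only generate noise.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Indicators taken from the IoC list on this page. Everything else in this
// file (log formats, field names, sample lines) is constructed for the example.
const zerobotC2 = "176.65.137.5"

var zerobotHashes = map[string]bool{
	"7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc": true,
	"df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722": true,
}

// Lower-cased name of the copy the report says is dropped into the Windows Startup folder.
const startupFilename = "firewall.exe"

// Hit records one log line that matched an indicator and why.
type Hit struct {
	Line   int
	Reason string
	Text   string
}

// huntZerobot scans newline-separated log text of any format and returns
// every line that matches a Zerobot indicator: the C2 address (noting a
// WebSocket upgrade when the log records one), a known sample hash, or the
// persistence filename appearing together with a Startup folder path.
func huntZerobot(logs string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(logs))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		lower := strings.ToLower(line)
		switch {
		case strings.Contains(line, zerobotC2):
			reason := "connection to Zerobot C2 " + zerobotC2
			if strings.Contains(lower, "upgrade: websocket") || strings.Contains(lower, "upgrade=websocket") {
				reason += " (WebSocket upgrade)"
			}
			hits = append(hits, Hit{n, reason, line})
		case hashInLine(lower):
			hits = append(hits, Hit{n, "known Zerobot sample hash", line})
		case strings.Contains(lower, startupFilename) && strings.Contains(lower, "startup"):
			hits = append(hits, Hit{n, "persistence copy in Startup folder", line})
		}
	}
	return hits
}

// hashInLine compares each whitespace-separated token (with an optional
// "sha256=" prefix stripped) against the hash set, so a match is an exact
// hash rather than a substring of some longer field.
func hashInLine(lower string) bool {
	for _, tok := range strings.Fields(lower) {
		tok = strings.TrimPrefix(tok, "sha256=")
		if zerobotHashes[tok] {
			return true
		}
	}
	return false
}

// sampleLogs is constructed for this example; it is not data from the report.
// Line 2 (the 1.1.1.1 lookup) is benign-looking on purpose and must not match.
const sampleLogs = `2022-12-06T10:01:02Z proxy src=10.0.4.21 dst=176.65.137.5 dport=80 upgrade=websocket path=/
2022-12-06T10:01:05Z proxy src=10.0.4.22 dst=1.1.1.1 dport=53 proto=udp
2022-12-06T10:02:11Z edr host=ws-07 event=file_create path="C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireWall.exe"
2022-12-06T10:02:12Z edr host=ws-07 event=process_start image=FireWall.exe sha256=7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc
2022-12-06T10:03:00Z proxy src=10.0.4.23 dst=93.184.216.34 dport=443
`

func main() {
	for _, h := range huntZerobot(sampleLogs) {
		fmt.Printf("line %d: %s\n    %s\n", h.Line, h.Reason, h.Text)
	}
}
```

On the sample input this reports three lines: the WebSocket connection to the C2, the file written into the Startup folder, and the process whose hash is one of the published samples. A real hunt would feed exported proxy, NetFlow or EDR logs into huntZerobot instead of the embedded constant; the single-IP and hash matches are brittle against a new build, so the Startup-folder write is the indicator most likely to survive a re-compile.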

Read more: https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities