Zerobot Weaponizes Numerous Flaws in Slew of IoT Devices

The botnet exploits flaws in various routers, firewalls, network-attached storage, webcams, and other products and allows attackers to take over affected systems.


A new botnet is attacking organizations through various vulnerabilities in Internet of Things (IoT) devices from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more, posing a critical threat that allows attackers to take over vulnerable systems, researchers have found.

The botnet, dubbed Zerobot (and not to be confused with ZeroBot.ai, which is a legitimate chatbot), is written in the Go programming language and includes modules capable of self-replication and self-propagation, as well as attack modules for different protocols, a researcher from Fortinet shared in a blog post published Dec. 6.

"Zerobot targets several vulnerabilities to gain access to a device and then downloads a script for further propagation," Fortinet Labs senior antivirus analyst Cara Lin wrote in the post.

So far, researchers have seen two versions of the botnet, one that they began tracking on Nov. 18 and a more sophisticated version that appeared soon after, on Nov. 24, that added a string of new capabilities.

The first version of Zerobot was quite basic, but attackers quickly updated it to include a "selfRepo" module that allows it to reproduce itself and infect more endpoints with different protocols or vulnerabilities, researchers said. The latest version — on which their analysis is based — also includes string obfuscation and a copy file module.

Attack Mode

Zerobot initiates an attack by first checking that it can reach 1.1.1.1, Cloudflare's public DNS resolver. It then copies itself onto the targeted device based on the victim's OS type, with different tactics depending on the platform, researchers said.

For Windows, Zerobot copies itself to the "Startup" folder with the filename "FireWall.exe." If the targeted platform is Linux, it has three file paths — "HOME%," "/etc/init/," and "/lib/systemd/system/."

Once it is copied onto the targeted device, Zerobot then sets up an "AntiKill" module to prevent users from disrupting its program once it's started. "This module monitors a particular hex value and uses 'signal.Notify' to intercept any signal sent to terminate or kill the process," Lin wrote.

After initialization, Zerobot starts a connection to its command-and-control (C2) server, ws[:]//176[.]65[.]137[.]5/handle, using the WebSocket protocol.
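As an added example, not code from the article or from Fortinet's write-up, the following Python check flags the two concrete indicators the article gives (the WebSocket C2 endpoint and the persistence file locations) over a constructed log sample; the pipe-delimited record format is an assumption made for the example, not a real product's log format.

```python
from typing import List, Optional

# Indicators as given in the article (the C2 address is de-fanged there).
ZEROBOT_C2_HOST = "176.65.137.5"
ZEROBOT_C2_PATH = "/handle"
ZEROBOT_WINDOWS_DROP = "\\startup\\firewall.exe"            # Startup folder + "FireWall.exe"
ZEROBOT_LINUX_DIRS = ("/etc/init/", "/lib/systemd/system/")  # two of the three Linux paths

# Constructed sample records in an assumed pipe-delimited format:
#   proxy|src|dst|path|upgrade-header      file|host|action|path
SAMPLE_LOG = r"""
proxy|10.0.8.21|176.65.137.5|/handle|websocket
proxy|10.0.8.22|104.16.1.1|/|-
file|nas01|create|/lib/systemd/system/update.service
file|ws07|create|C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FireWall.exe
file|ws07|create|C:\Users\bob\Documents\notes.txt
"""

def check_line(line: str) -> Optional[str]:
    """Return a finding for one record, or None when nothing matches."""
    fields = line.strip().split("|")
    if fields[0] == "proxy" and len(fields) == 5:
        _, src, dst, path, upgrade = fields
        # Any WebSocket session to the published C2 endpoint is a high-confidence hit.
        if dst == ZEROBOT_C2_HOST and path == ZEROBOT_C2_PATH and upgrade == "websocket":
            return f"c2-websocket host={src}"
    elif fields[0] == "file" and len(fields) == 4:
        _, host, action, path = fields
        if action != "create":
            return None
        if path.lower().endswith(ZEROBOT_WINDOWS_DROP):
            return f"windows-startup-drop host={host}"
        # Writes to the init/systemd directories also happen legitimately (package
        # installs), so this is a triage lead rather than a confirmed infection.
        if any(path.startswith(d) for d in ZEROBOT_LINUX_DIRS):
            return f"linux-persistence-write host={host} path={path}"
    return None

def scan(log: str) -> List[str]:
    """Run check_line over every record and collect the findings in log order."""
    return [f for f in (check_line(l) for l in log.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```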

Once it sets up a communication channel, the client waits for a command from the server to unleash any of 21 exploits for various vulnerabilities found in IoT products, as well as some others — including the Java framework vulnerability Spring4Shell, phpAdmin, and F5 Big — "to increase its success rate," Lin wrote.

Enterprises: Take Immediate Action

Fortinet included a list of the numerous vulnerabilities that Zerobot exploits, which are found in assorted devices including routers, webcams, network-attached storage, firewalls, and other products from a host of well-known manufacturers.

Lin advised any organization using these devices to update to the latest versions or apply any available patches immediately. Indeed, with businesses losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, organizations would be wise to evaluate their environments to discover any device that might be vulnerable to Zerobot, she noted.

"Users should be aware of this new threat, patch any affected systems … running on their network, and actively apply patches as they become available," Lin wrote.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
