FortiGuard Labs Threat Research

Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities

By Cara Lin | December 06, 2022

In November, FortiGuard Labs observed a unique botnet written in the Go language being distributed through IoT vulnerabilities. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. Based on the trigger counts of some IPS signatures (shown in Figure 1), this campaign started distributing the current version sometime after mid-November.

Affected platforms: Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical

This article details how this malware leverages vulnerabilities and examines its behavior once inside an infected device.

Figure 1: IPS Signature Activity

Infection

Zerobot targets several vulnerabilities to gain access to a device and then downloads a script for further propagation. The complete script is shown in Figures 2 and 3. Note that the download URL was changed from http[:]//zero[.]sudolite[.]ml/bins to http[:]//176[.]65.137[.]5/bins. This Zerobot variant targets the following architectures: i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. It is saved using the filename “zero,” which is how the campaign name was derived.

Figure 2: The downloading script used before November 24, 2022
Figure 3: The current downloading script

Zerobot has two versions. The first one used before November 24 only contains basic functions. The current version has added a “selfRepo” module to reproduce itself and infect more endpoints with different protocols or vulnerabilities. The function list from the older version can be seen in Figure 4. However, the following technical analysis is based on the newer version.

Figure 4: Main functions in the Zerobot version before November 24

Technical Analysis - Initialization

Zerobot first checks its connection to 1.1.1.1, the DNS resolver server from Cloudflare.

Figure 5: Checking the network connection to 1.1.1.1:80

It then copies itself onto the targeted device based on the victim’s OS type. On Windows, it copies itself to the “Startup” folder with the filename “FireWall.exe”. On Linux, it uses three file paths: “%HOME%”, “/etc/init/”, and “/lib/systemd/system/”.

Figure 6: Code flow of copying itself

It then sets up an “AntiKill” module to prevent users from disrupting the Zerobot program. This module monitors a particular hex value and uses “signal.Notify” to intercept any signal sent to terminate or kill the process.

Figure 7: Partial code of AntiKill

Technical Analysis – Commands

After initialization, Zerobot starts a connection to its C2 server, ws[:]//176[.]65[.]137[.]5/handle, using the WebSocket protocol.

Figure 8: Connecting to the C2 server

The data sent from the victim is shown in Figure 9. Because the WebSocket protocol requires client-to-server frames to be masked, we have to unmask the payload to recover the JSON with the victim’s information:

{"Platform":"linux","GCC":"386","CPU":1,"Payload":"Direct","Version":1}

Figure 9: Traffic capture of the C2 connection
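The unmasking step above is mechanical once the frame layout is known. The following is an added example, not code from the FortiGuard analysis: it builds a masked client-to-server WebSocket text frame around the check-in JSON quoted above (the 4-byte masking key is a constructed value; real captures carry a random key), parses it back per RFC 6455 section 5.2, and flags a payload as a Zerobot-style check-in when it is JSON carrying the five fields seen in the beacon. The field-set heuristic is this example's assumption, not a Fortinet signature.

```python
import json
from typing import Optional, Tuple

# Constructed sample: the check-in JSON quoted in the analysis above.
CHECKIN_JSON = b'{"Platform":"linux","GCC":"386","CPU":1,"Payload":"Direct","Version":1}'
# Constructed masking key for this example; a real client picks a random one per frame.
SAMPLE_MASK_KEY = bytes.fromhex("a1b2c3d4")
# Field names observed in the beacon; used here as a simple detection heuristic.
CHECKIN_FIELDS = {"Platform", "GCC", "CPU", "Payload", "Version"}


def apply_mask(payload: bytes, key: bytes) -> bytes:
    """XOR byte i of the payload with key[i mod 4]; masking and unmasking are the same operation."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_masked_frame(payload: bytes, key: bytes, opcode: int = 0x1) -> bytes:
    """Build one FIN frame with the MASK bit set, as every WebSocket client frame must be."""
    header = bytes([0x80 | opcode])            # FIN=1, RSV=0, opcode (0x1 = text)
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])            # MASK=1, 7-bit length
    elif n < 1 << 16:
        header += bytes([0x80 | 126]) + n.to_bytes(2, "big")
    else:
        header += bytes([0x80 | 127]) + n.to_bytes(8, "big")
    return header + key + apply_mask(payload, key)


def parse_frame(data: bytes) -> Tuple[int, bytes, int]:
    """Parse a single frame; return (opcode, unmasked payload, bytes consumed).

    Raises ValueError on a truncated frame so a caller can wait for more data.
    """
    if len(data) < 2:
        raise ValueError("truncated header")
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    n = data[1] & 0x7F
    pos = 2
    if n == 126:
        n = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
    elif n == 127:
        n = int.from_bytes(data[pos:pos + 8], "big")
        pos += 8
    key = b""
    if masked:
        key = data[pos:pos + 4]
        pos += 4
    if len(data) < pos + n:
        raise ValueError("truncated payload")
    payload = data[pos:pos + n]
    if masked:
        payload = apply_mask(payload, key)
    return opcode, payload, pos + n


def extract_checkin(data: bytes) -> Optional[dict]:
    """Return the decoded check-in object if the frame is a text frame whose JSON
    carries all CHECKIN_FIELDS, otherwise None (non-JSON, other opcodes, truncation)."""
    try:
        opcode, payload, _ = parse_frame(data)
        if opcode != 0x1:
            return None
        obj = json.loads(payload.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):   # json.JSONDecodeError is a ValueError
        return None
    if isinstance(obj, dict) and CHECKIN_FIELDS <= set(obj):
        return obj
    return None


if __name__ == "__main__":
    frame = build_masked_frame(CHECKIN_JSON, SAMPLE_MASK_KEY)
    print("masked frame:", frame.hex())
    print("check-in:", extract_checkin(frame))
```

In a capture, feed `extract_checkin` the TCP payload that follows the HTTP 101 upgrade on the client side of the connection; frames from the server are unmasked and are handled by the same parser, since it only strips the key when the MASK bit is set.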

After the communication channel is set up, the client waits for a command from the server: “ping”, “attack”, “stop”, “update”, “kill”, “disable_scan”, “enable_scan”, or “command”. Details about the exploits used by “enable_scan” are in the next section.

Command        Detail
ping           Heartbeat, maintaining the connection
attack         Launch attack for different protocols: TCP, UDP, TLS, HTTP, ICMP
stop           Stop attack
update         Install update and restart Zerobot
enable_scan    Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker
disable_scan   Disable scanning
command        Run an OS command: cmd on Windows, bash on Linux
kill           Kill botnet program

Figure 10: Receiving a command in zero.mips
Figure 11: Received command in zero.386

Technical Analysis – Exploit

Zerobot includes 21 exploits. The exploit list is shown in Figure 12, and the affected products are listed in Figure 13. In addition to several IoT vulnerabilities, it includes exploits for Spring4Shell, phpAdmin, F5 Big, etc., to increase its success rate.

Figure 12: Exploit list in Zerobot
Figure 13: Chart listing the vulnerable devices targeted by Zerobot

The two exploits named “ZERO_xxxxx” at the top of Figure 12 were collected from the website “0day.today” (Figure 14). This site shares numerous exploits for “educational” purposes. The numbers “36290” and “32960” are the identifiers assigned by that website.

Figure 14: 0day.today webpage for the “ZERO_36290” exploit

The payload data injected in the exploit is the same as the script file shown in Figure 3.

Figure 15: Payload data injected to exploit a vulnerability

Conclusion

Zerobot is a new botnet written in the Go programming language. It communicates via the WebSocket protocol. It first appeared on November 18 and is designed to target a variety of vulnerabilities. Within a very short time, it was updated with string obfuscation, a copy file module, and a propagation exploit module that make it harder to detect and give it a higher capability to infect more devices. Users should be aware of this new threat, patch any affected systems listed in Figure 13 running on their network, and actively apply patches as they become available.

Fortinet Protections

This malware is detected and blocked by FortiGuard Antivirus as:

ELF/Zerobot.A!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.

Fortinet has released IPS signatures to proactively protect our customers from the threats contained in the exploit list.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

IOCs

C2:

176[.]65[.]137[.]5

Files:

7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc

df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722

cd9bd2a6b3678b61f10bb6415fb37ea6b9934b9ec8bb15c39c543fd32e9be7bb

50d6c5351c6476ea53e3c0d850de47059db3827b9c4a6ab4d083dfffcbde3579

7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e8099774a320eaed39

2955dc2aec431e5db18ce8e20f2de565c6c1fb4779e73d38224437ac6a48a564

191ce97483781a2ea6325f5ffe092a0e975d612b4e1394ead683577f7857592f

447f9ed6698f46d55d4671a30cf42303e0bd63fe8d09d14c730c5627f173174d

e0766dcad977a0d8d0e6f3f58254b98098d6a97766ddac30b97d11c1c341f005

6c284131a2f94659b254ac646050bc9a8104a15c8d5482877d615d874279b822

5af002f187ec661f5d274149975ddc43c9f20edd6af8e42b6626636549d2b203

74f8a26eb324e65d1b71df9d0ed7b7587e99d85713c9d17c74318966f0bead0a

9c16171d65935817afd6ba7ec85cd0931b4a1c3bafb2d96a897735ab8e80fd45

b1d67f1cff723eda506a0a52102b261769da4eaf0551b10926c7c79a658061fd

f0bb312eacde86d533c922b87e47b8536e819d7569baaec82b9a407c68084280

2460434dabafe5a5dde0cce26b67f0230dbcd0d0ab5fabad1a1dbc289dc6432f

2af33e1ff76a30eb83de18758380f113658d298690a436d817bd7e20df52df91

4483c4f07e651ce8218216dd5c655622ff323bf3cdfe405ffeb69eafa75efad5

7c085185f6754aef7824c201d8443300ff2b104521d82f9a8b8feb5d4c8d3191

6ac49092ee1bdd55ddbf57df829f20aac750597d85b5904bb7bafa5b51fbb44d

f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f

6dd71163b6ab81a35ce373875a688ad9b31e0d1c292f02e8b2bafa7b3d1e3731

d88e9248ff4c983aa9ae2e77cf79cb4efc833c947ec2d274983e45c41bbe47e1

96bbb269fd080fedd01679ea82156005a16724b3cde1eb650a804fa31f18524e

439b2e500e82c96d30e1ef8a7918e1f864e6d706d944aeddffe61b8bf81ef6d3

af48b072d0070fa09bca0868848b62df5228c34ef24d233d8eb75a1fde8ac23f

5824fc51fcfba1a6315fd21422559d63c56f0e2192937085d65f9a0ac770eb3a

c9ea4cda12c14c895e23988229831b8f04ccab315c1cbc76a9efae888be55a3b

e2c2a0cccefc4314c110f3c0b887e5008073e607c61e1adde5000efb8e630d50
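The file hashes above, together with the drop locations and filenames from the initialization section (“zero”, “FireWall.exe”, “%HOME%”, “/etc/init/”, “/lib/systemd/system/”), are enough for a simple host check. The following is an added example, not a Fortinet tool: it walks a set of directories, hashes each regular file with SHA-256, and reports files whose hash is in the IOC list or whose name matches a known drop name. The directory list is an assumption based on the Linux paths named in the analysis; the Windows Startup folder differs per user and is not resolved here.

```python
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List, Set

# SHA-256 values from the IOC list in this report.
ZEROBOT_SHA256: Set[str] = {
    "7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc",
    "df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722",
    "cd9bd2a6b3678b61f10bb6415fb37ea6b9934b9ec8bb15c39c543fd32e9be7bb",
    "50d6c5351c6476ea53e3c0d850de47059db3827b9c4a6ab4d083dfffcbde3579",
    "7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e8099774a320eaed39",
    "2955dc2aec431e5db18ce8e20f2de565c6c1fb4779e73d38224437ac6a48a564",
    "191ce97483781a2ea6325f5ffe092a0e975d612b4e1394ead683577f7857592f",
    "447f9ed6698f46d55d4671a30cf42303e0bd63fe8d09d14c730c5627f173174d",
    "e0766dcad977a0d8d0e6f3f58254b98098d6a97766ddac30b97d11c1c341f005",
    "6c284131a2f94659b254ac646050bc9a8104a15c8d5482877d615d874279b822",
    "5af002f187ec661f5d274149975ddc43c9f20edd6af8e42b6626636549d2b203",
    "74f8a26eb324e65d1b71df9d0ed7b7587e99d85713c9d17c74318966f0bead0a",
    "9c16171d65935817afd6ba7ec85cd0931b4a1c3bafb2d96a897735ab8e80fd45",
    "b1d67f1cff723eda506a0a52102b261769da4eaf0551b10926c7c79a658061fd",
    "f0bb312eacde86d533c922b87e47b8536e819d7569baaec82b9a407c68084280",
    "2460434dabafe5a5dde0cce26b67f0230dbcd0d0ab5fabad1a1dbc289dc6432f",
    "2af33e1ff76a30eb83de18758380f113658d298690a436d817bd7e20df52df91",
    "4483c4f07e651ce8218216dd5c655622ff323bf3cdfe405ffeb69eafa75efad5",
    "7c085185f6754aef7824c201d8443300ff2b104521d82f9a8b8feb5d4c8d3191",
    "6ac49092ee1bdd55ddbf57df829f20aac750597d85b5904bb7bafa5b51fbb44d",
    "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f",
    "6dd71163b6ab81a35ce373875a688ad9b31e0d1c292f02e8b2bafa7b3d1e3731",
    "d88e9248ff4c983aa9ae2e77cf79cb4efc833c947ec2d274983e45c41bbe47e1",
    "96bbb269fd080fedd01679ea82156005a16724b3cde1eb650a804fa31f18524e",
    "439b2e500e82c96d30e1ef8a7918e1f864e6d706d944aeddffe61b8bf81ef6d3",
    "af48b072d0070fa09bca0868848b62df5228c34ef24d233d8eb75a1fde8ac23f",
    "5824fc51fcfba1a6315fd21422559d63c56f0e2192937085d65f9a0ac770eb3a",
    "c9ea4cda12c14c895e23988229831b8f04ccab315c1cbc76a9efae888be55a3b",
    "e2c2a0cccefc4314c110f3c0b887e5008073e607c61e1adde5000efb8e630d50",
}

# Filenames named in the analysis (download script saves as "zero"; Windows copy is "FireWall.exe").
DROP_NAMES: Set[str] = {"zero", "FireWall.exe"}

# Assumed Linux search roots, derived from the three drop paths in the analysis.
LINUX_DROP_DIRS: List[str] = [d for d in ("/etc/init", "/lib/systemd/system", os.environ.get("HOME", "")) if d]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_paths(roots: Iterable[str], known_hashes: Set[str] = ZEROBOT_SHA256,
               drop_names: Set[str] = DROP_NAMES) -> List[Dict[str, str]]:
    """Recursively scan each root; return one record per hit.

    reason "hash": file content matches an IOC hash (strong indicator).
    reason "name": filename matches a known drop name (weak; review manually).
    Missing roots, symlinks and unreadable files are skipped.
    """
    hits: List[Dict[str, str]] = []
    for root in roots:
        base = Path(root)
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of(p)
            except OSError:
                continue
            if digest in known_hashes:
                hits.append({"path": str(p), "reason": "hash", "sha256": digest})
            elif p.name in drop_names:
                hits.append({"path": str(p), "reason": "name", "sha256": digest})
    return hits


if __name__ == "__main__":
    for hit in scan_paths(LINUX_DROP_DIRS):
        print(f"{hit['reason']:4}  {hit['sha256']}  {hit['path']}")
```

Hash matches are the reliable signal; a name match only says a file called “zero” or “FireWall.exe” exists, so treat it as a lead to inspect rather than a verdict. Run it as a user that can read the system directories, and expect a full walk of a large home directory to take a while.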