The Zerobot malware is now available with 21 exploits that can be used to attack Zyxel and BIG-IP devices

In mid-November, a new Go-based malware called Zerobot was discovered exploiting almost two dozen vulnerabilities on a range of devices, including F5 BIG-IP and Zyxel firewalls. It also uses Totolink routers and Hikvision cameras.

This malware’s purpose is to attach compromised devices to a distributed-denial-of service (DDoS), botnet in order to launch strong attacks on specified targets.

Zerobot scans the network to locate and automatically propagate adjacent devices. It can also run commands on Windows or Linux (CMD), as well as perform other tasks.

Fortinet security researchers discovered Zerobot in November. They claim that a new version of Zerobot has been released with more modules and exploits to fix a flaw. This indicates that Zerobot is still under development.

It is possible to exploit its potential.

This malware is capable of targeting a variety of systems architectures, devices and platforms, such as i386, AMD64 and ARM64.

Zerobot uses exploits to attack 21 vulnerabilities to gain entry to the device. It then downloads the script “zero” which will allow it to self-proliferate.

Fetching the zero script to enable propagation


Zerobot employs the following techniques to break into its targets

  • CVE-2014-04361: Miniigd SOAP Service in Realtek SDK
  • CVE-2017-17106: Zivif PR115-204-P-RS webcams
  • CVE-2017-17215: Huawei HG523 router
  • CVE-2018-1263: phpMyAdmin
  • CVE-2020-10987: Tenda AC15 AC1900 router
  • CVE-2020-2556: D-Link DNS-312 NAS
  • CVE-2021-35395: Realtek Jungle SDK
  • : Hikvision product
  • CVE-20244-66422: Telesquare SDTCW3B1 router
  • CVE-2022-01388: F5 BIG-IP
  • Spring MVC, Spring WebFlux and Spring4Shell
  • CVE-2022-2575: TOTOLink 3000RU router
  • CVE-2022-26186 TOTOLink N600R router
  • CVE-2022-2620: TOTOLink A830R router
  • – Zyxel USG Flex 100 (W) Firewall
  • CVE-2022-34538: MEGApix IP cameras
  • CVE-2022-37661: FLIX-AX8 thermal sensor camera cameras

The botnet also uses four exploits which haven’t been given an identifier. Two are targeted at D-Link routers and GPON terminals. The details of the two other are not known at this time.

Zerobot works

Zerobot establishes its presence on compromised devices and sets up a WebSocket connection with the Command and Control (C2) server. Zerobot also sends basic information about the victim.

One of these commands may be answered by the C2:

  • ping Maintaining the connection
  • attack – Launch attack on different protocols: TCP/UDP, TLS/HTTP, TLS/ICMP
  • stop – Stop attack
  • Update – Restart Zerobot and install the update
  • enable_scan – Scan open ports to spread yourself via exploit/SSH/Telnet cracker
  • disable_scan – Turn off scanning
  • Command – Use OS commands, cmd for Windows or bash on Linux to run the command.
  • kill – Kill botnet program

This malware uses an anti-kill module to stop it from terminating its processes.

Zerobot’s primary focus is on DDoS attacks. It could also be used for initial access.

since Zerobot appeared on November 18, its developer has made improvements to it, including string obfuscation and a copy-file module. There are also several other exploits.