ELF/Zerobot.A!tr

description-logoAnalysis

ELF/Zerobot.A!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as ELF/Zerobot.A!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is a Go-based botnet and is related to the Zerobot malware outbreak.

  • The malware will attempt to exploit several different vulnerabilities in IoT devices, such as firewalls and routers, and web applications to gain access to a victim's device. After a device is infected, the malware will continue to spread by way of a malicious script with the filename "zero".

  • The following architectures are targeted by the botnet:
    • i386
    • amd64
    • arm
    • arm64
    • mips
    • mips64
    • mips64le
    • mipsle
    • ppc64
    • ppc64le
    • riscv64
    • s390x

  • The malware has been associated with the following advisory.
  • https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
    

  • This malware is not associated with ZeroBot chatbot (developed by zerobot.ai).

  • Following are some of the exact file hashes associated with this detection:
    • Md5: 41a45e7895f892171787d5e32bd199cd
      Sha256: 788e15fd87c45d38629e3e715b0cb93e55944f7c4d59da2e480ffadb6b981571
    • Md5: 62c11ea75e82611b6ba7d7bf08ed009f
      Sha256: 7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e8099774a320eaed39
    • Md5: 83d647c9749e9a5a5f9c6ae01747a713
      Sha256: 7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc
    • Md5: 8d85e3e0328cdd51c83fb68e31a28e62
      Sha256: df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722
    • Md5: d9fc24ecd4cb9ca5b91a864ab5c3c653
      Sha256: f0bb312eacde86d533c922b87e47b8536e819d7569baaec82b9a407c68084280

description-logoOutbreak Alert

Zerobot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. According to Fortinet research analysis the most recent distribution of Zerobot includes additional capabilities such a new DDoS attack capabilities and exploiting Apache vulnerabilities.

View the full Outbreak Alert Report

In the year 2022, FortiGuard IPS and FortiGuard AV/Sandbox blocked three trillion and six trillion hits respectively from vulnerabilities, malware and 0-day attacks. Those encompassed several thousand varieties of Remote Code Execution, Cross-Site Scripting, Elevation of Privilege, Denial of Service, Trojans, Exploits. FortiGuard Labs alerted customers with numerous critical threats throughout the year based on factors such as proof-of-concept, attack vectors, impact, ease of attack, dependencies, and more. This annual report covers:>

View the full Outbreak Alert Report

Multiple critical vulnerabilities affecting various Zyxel devices have been seen exploited in the wild. The attackers are observed deploying Mirai like botnet inducing denial of service conditions. One of the vulnerability, CVE-2023-28771 which allows unauthenticated attackers to execute OS commands remotely has a publicly available proof of concept (PoC).

View the full Outbreak Alert Report

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-06-29 91.04636
2023-02-27 91.00982
2023-01-31 91.00154
2023-01-23 90.09917
2023-01-03 90.09317
2023-01-03 90.09315
2022-12-30 90.09192
2022-12-27 90.09112
2022-12-27 90.09110
2022-12-27 90.09103