The Good
When programmers make mistakes that turn into news, it’s almost invariably because some threat actor or another has weaponized that coding error into a zero-day exploit, and the rest of us are urged to rush off and patch the affected software. Good news this week, then, to see that a cryptomining botnet has effectively been made redundant due to a developer mistake.
Researchers at Akamai had previously reported on their discovery of KmsdBot, a cryptomining botnet written in Go that they said had infected unnamed brands within the gaming industry, the technology industry, and luxury car manufacturing. KmsdBot was found to be propagating by brute forcing weak SSH credentials.
This week, the same researchers observed that the botnet had a fatal flaw: the malware crashed after receiving a malformed command, and since the botnet also had no persistence capabilities, crashing it effectively removed the botnet from the infected device.
The researchers say that the malformed command likely crashed all the botnet code running on infected machines and talking to the C2, essentially, killing the botnet. The developer had failed to write error handling code to handle typos in input received from the botnet operator.
No doubt that’s a bug the botnet developer will be rushing to fix, but they’ll also have to start over from scratch in terms of infecting devices, and that’s good news for those companies that had fallen prey to KmsdBot.
The Bad
Sticking with botnets, on the flip side the bad news this week is that a recently discovered botnet called Zerobot is doing the rounds with a hardcoded list of 21 known exploits in BIG-IP, Zyxel, D-Link and other devices.
Like Kmdsbot, Zerobot is written in Go, but the developers are clearly more technically proficient. The botnet targets any of the hardcoded exploits to gain initial access and then tries to reproduce itself and infect any Windows or Linux endpoints on the network that have the known vulnerabilities.
On Windows devices, it copies itself to the “Startup” folder using the filename “FireWall.exe”; on Linux, three file paths are targeted to drop the malware: %HOME%, /etc/init/, and /lib/systemd/system/. Zerobot also attempts to protect itself by intercepting any signal sent to terminate or kill the process.
The botnet tries to communicate with its C2 over 176[.]65[.]137[.]5. However, as the malware appears to be under active development, that is sure to change, as will the list of known CVES, which currently include:
| CVE ID | Affected Product |
| CVE-2014-08361 | minigd SOAP service in Realtek SDK |
| CVE-2017-17106 | Zivif PR115-204-P-RS V2.3.4.2103 Webcams |
| CVE-2017-17215 | Huawei HG532 Router |
| CVE-2018-12613 | phpMyAdmin |
| CVE-2020-10987 | Tend AC15 AC1900 Router |
| CVE-2020-25506 | D-Link DNS-320 NAS |
| CVE-2021-35395 | Realtek Jungle SDK |
| CVE-2021-36260 | Hikvision product |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router |
| CVE-2022-01388 | F5 BIG-IP |
| CVE-2022-22965 | Spring MVC or Spring WebFlux application (Spring4Shell) |
| CVE-2022-25075 | TOTOLink A3000RU Router |
| CVE-2022-26186 | TOTOLINK N600R Router |
| CVE-2022-26210 T | otolink A830R Router |
| CVE-2022-30525 | Zyxel USG FLEX 100(W) Firewall |
| CVE-2022-34538 | Digital Watchdog DW MEGApix IP cameras |
| CVE-2022-37061 | FLIR AX8 thermal sensor cameras |
Organizations or individuals running any of the affected devices are urged to contact the device manufacturers’ support services and apply patches as soon as possible.
The Ugly
Things have been turning ugly for a while now in state-sponsored cyber warfare, and this week it’s the use of wiper malware that’s grabbing the headlines as two separate reports show threat actors doing their best to infect and destroy data belonging to their adversaries.
Iranian-linked APT Agrius has been actively attacking targets in Hong Kong, Israel and South Africa with a new wiper named Fantasy, hidden inside software commonly used in the diamond industry. Known targets include a diamond wholesaler, a jeweler, an IT support services firm, and an HR consulting company. Fantasy targets Windows devices and overwrites the content of files with random data. It also overwrites the master boot record, deletes itself, and reboots the system.
Fantasy is a variant of the Apostle software first identified by SentinelLabs, a wiper that was later turned into a fully functional ransomware. Unlike ransomware though, wipers are not meant to leverage the victim and are only intended to disrupt the target’s ability to operate by destroying systems, services and data.
#ESETresearch identified a new wiper from #Agrius, a suspected Iranian 🇮🇷 threat actor that previously deployed the Apostle #ransomware and #wiper. 1/5 https://t.co/3YgyjZ2SQF
— ESET Research (@ESETresearch) December 7, 2022
Meanwhile, it’s also been reported this week that Russian courts and mayoral offices have been targeted with a wiper dubbed CryWiper. Researchers say that CryWiper pretends to be ransomware: it adds a .CRY extension to files and drops a ransom note with a bitcoin address and other details for payment. In reality, however, targeted files are not encrypted: they are overwritten with random data, making the originals unrecoverable.
Although these wipers are highly-targeted, malware used by APTs often finds itself in the hands of cybercriminals. Fortunately, the defence against wipers and ransomware, not to mention cryptomining botnets and other malware is the same: a trusted endpoint security solution designed with advanced threats in mind.
