
Microsoft research uncovers new Zerobot capabilities

Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continues to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.

Zerobot is malware that recently emerged around 2016. It functions as a botnet by running Tor on the infected device and downloading malicious payloads to launch distributed denial of service attacks. The security intelligence team at Talos, Cisco Research’s threat research and response team, discovered Zerobot during “Operation Ghost Click” in December 2016.

It appears that it was used for various purposes and its capabilities have grown substantially over time. Talos observed Zerobot installing a variety of tools ranging from Monero cryptocurrency miners, Tor relay hacks and software such as nmap to security research tools like Metasploit.

Talos sees this as a critical capability for IoT botnet malware in the future: the ability to install any executable payload, such as a cryptocurrency miner or other attackware, on the victim’s device can be valuable for remote control operators who want to monetize their botnets.

Source: Microsoft research uncovers new Zerobot capabilities - AlienVault - Open Threat Exchange
