New Zerobot Malware Has 21 Exploits for BIG-IP, Zyxel, D-Link Devices

Make sure that every Internet-exposed device, including network and IoT devices, is fully patched. Zerobot's main infection vector is one of the 21 exploits it carries, used to compromise an Internet-accessible device and then propagate within the network from there; keeping all devices properly patched greatly reduces the attack surface Zerobot can use to infect an environment.

Use strong authentication mechanisms on any device that must expose SSH to the Internet. This means exclusively using public-key authentication or, where that is not possible, very strong passwords for every account that has SSH access configured.

Zerobot also exhibits behaviors during initial access and infection that should be treated as suspicious: a process copying itself to the Windows "Startup" folder for persistence, network scanning activity from a system that does not normally scan, and an abnormal process running suspicious built-in commands. Binary Defense's Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
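As an added illustration of the detection side (example code written for this page, not code from Binary Defense or from either linked article), the following Python runs two checks over constructed Sysmon-style events: a process writing a copy of its own executable into a Windows Startup folder, and one host fanning out to many destinations on a single port. The host names, paths, thresholds and event fields are assumptions made for the example.

```python
from collections import defaultdict

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
STARTUP_DIR = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed Sysmon-style telemetry (FileCreate / NetworkConnect), not real Zerobot data.
EVENTS = [
    {"type": "FileCreate", "host": "ws01",
     "image": r"C:\Users\bob\AppData\Local\Temp\zb.exe",   # process copies its own binary
     "target": STARTUP_DIR + r"\zb.exe"},
    {"type": "FileCreate", "host": "ws01",
     "image": r"C:\Windows\explorer.exe",                  # user-created shortcut: benign
     "target": STARTUP_DIR + r"\notes.lnk"},
    {"type": "NetworkConnect", "host": "ws02", "dst_ip": "10.0.0.5", "dst_port": 443},
]
# One workstation probing SSH across a whole /24: the scanning pattern to flag.
EVENTS += [{"type": "NetworkConnect", "host": "ws01", "dst_ip": f"10.0.1.{i}", "dst_port": 22}
           for i in range(1, 25)]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def startup_self_copy(events):
    """Flag a process that writes a file carrying its own executable name into a Startup folder."""
    hits = []
    for ev in events:
        if ev["type"] != "FileCreate" or STARTUP_MARKER not in ev["target"].lower():
            continue
        if _basename(ev["image"]) == _basename(ev["target"]):
            hits.append((ev["host"], ev["target"]))
    return hits


def port_scan_fanout(events, threshold=10):
    """Flag a host that reaches at least `threshold` distinct destinations on one port."""
    fanout = defaultdict(set)
    for ev in events:
        if ev["type"] == "NetworkConnect":
            fanout[(ev["host"], ev["dst_port"])].add(ev["dst_ip"])
    return sorted((host, port, len(ips)) for (host, port), ips in fanout.items()
                  if len(ips) >= threshold)


if __name__ == "__main__":
    print(startup_self_copy(EVENTS))   # one hit: ws01 wrote zb.exe into its Startup folder
    print(port_scan_fanout(EVENTS))    # [('ws01', 22, 24)]
```

In production the same two checks would run over an EDR or SIEM feed rather than an in-memory list; the Startup-folder rule is deliberately narrow (same file name as the writing process) so that ordinary shortcut creation does not fire it.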

https://www.bleepingcomputer.com/news/security/new-zerobot-malware-has-21-exploits-for-big-ip-zyxel-d-link-devices/

https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities