An unusually sophisticated hacking group has spent nearly two years infecting a wide variety of routers in North America and Europe with malware that takes complete control of connected devices running Windows, macOS and Linux, researchers reported on June 28.
So far, researchers at Lumen Technologies’ Black Lotus Labs say they have identified at least 80 targets infected by the stealth malware, including routers from Cisco, Netgear, Asus and DrayTek. The remote access trojan, called ZuoRAT, is part of a broader hacking campaign that has been around since Q4 2020 and is still active.
A high level of sophistication
The discovery of custom malware written for the MIPS architecture and compiled for small office and home office routers is significant, especially given the range of capabilities. The ability to enumerate all devices connected to an infected router, collect the DNS lookups and network traffic they send and receive, and remain undetected while doing so is the hallmark of a highly sophisticated threat actor.
“While compromising SOHO routers as an access vector to access an adjacent LAN is not a new technique, it has been rarely reported,” Black Lotus Labs researchers wrote. “Likewise, reports of person-in-the-middle attacks, such as DNS and HTTP hijacks, are even rarer and a sign of a complex and targeted operation. Using these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign may have been conducted by a state-sponsored organization.”
The campaign consists of at least four pieces of malware, three of which were written from scratch by the threat actor. The first component is the MIPS-based ZuoRAT, which is very similar to the Mirai internet-of-things malware that staged record-breaking distributed denial-of-service attacks that paralyzed some internet services for days. ZuoRAT is often installed by exploiting unpatched vulnerabilities in SOHO devices.
Once installed, ZuoRAT lists the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to make the connected devices install other malware. Two of those malware components, called CBeacon and GoBeacon, are custom-built, with the former written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.
ZuoRAT can pivot infections to connected devices in two ways:
- DNS hijacking, where the valid IP addresses corresponding to a domain such as Google or Facebook are replaced with a malicious address controlled by the attacker.
- HTTP hijacking, where the malware inserts itself into the connection and returns an HTTP 302 redirect that sends the user to a different IP address.
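As an added example (not code from the original article or from Black Lotus Labs), the following Python shows how a defender can spot both pivoting techniques in network logs: DNS answers for a monitored domain that fall outside its expected address range, and HTTP 302 redirects whose target is a bare IP address rather than a hostname. The expected ranges, client addresses and log lines are all constructed placeholders.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed baseline: placeholder address ranges the monitored domains are
# expected to resolve to (not the providers' real allocations).
EXPECTED_RANGES = {
    "www.google.com": [ipaddress.ip_network("198.51.100.0/24")],
    "www.facebook.com": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed DNS answer log: "client domain answer_ip" per line.
DNS_LOG = """\
192.168.1.20 www.google.com 198.51.100.7
192.168.1.21 www.facebook.com 192.0.2.35
192.168.1.22 www.google.com 203.0.113.45
"""

# Constructed HTTP log: "client url status location" per line ("-" = no Location header).
HTTP_LOG = """\
192.168.1.20 http://www.example.com/ 200 -
192.168.1.21 http://www.example.com/login 302 https://www.example.com/login
192.168.1.22 http://www.example.com/update 302 http://203.0.113.45/update.exe
"""

def find_dns_hijacks(log=DNS_LOG):
    """Answers for a monitored domain that fall outside its expected ranges."""
    hits = []
    for line in log.splitlines():
        client, domain, answer = line.split()
        ranges = EXPECTED_RANGES.get(domain)
        if ranges and not any(ipaddress.ip_address(answer) in net for net in ranges):
            hits.append((client, domain, answer))
    return hits

def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_http_hijacks(log=HTTP_LOG):
    """302 redirects whose Location points at a bare IP rather than a hostname."""
    hits = []
    for line in log.splitlines():
        client, url, status, location = line.split()
        if status == "302" and location != "-" and _is_bare_ip(urlparse(location).hostname or ""):
            hits.append((client, url, location))
    return hits
```

Both checks are heuristics: a legitimate CDN change or a redirect to an internal address will also fire, so the results are leads to investigate against the router's own DNS settings, not verdicts.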
Black Lotus Labs said the command-and-control infrastructure used in the campaign is deliberately complex in an attempt to hide what is happening. One set of infrastructure is used to control infected routers and another is reserved for the connected devices if they are infected later.
The researchers observed routers from 23 IP addresses with a permanent connection to a control server that they said was conducting an initial investigation to determine whether the targets were of interest. A subset of those 23 routers later communicated with a Taiwan-based proxy server for three months. Another subset of routers has been rotated to a Canada-based proxy server to obscure the attacker’s infrastructure.
This post, A New Remarkably Advanced Malware Attacks Routers, was originally published at “https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/”