An unusually advanced hacking group has spent nearly two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS and Linux, researchers reported on June 28.
So far, researchers at Lumen Technologies’ Black Lotus Labs say they have identified at least 80 targets infected with the insidious malware, including routers made by Cisco, Netgear, Asus and DrayTek. Called ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has been around since at least the fourth quarter of 2020 and continues to work.
A high level of sophistication
The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, especially given its range of capabilities. Its ability to enumerate every device connected to an infected router, to collect the DNS lookups and network traffic those devices send and receive, and to do so while remaining undetected is characteristic of a highly sophisticated threat actor.
“While it is not a new technique to compromise SOHO routers as an access vector to access an adjacent LAN, it has rarely been reported,” Black Lotus Labs researchers wrote. “Similarly, reports of person-in-the-middle attacks, such as DNS and HTTP hijacking, are even rarer and a sign of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication of a threat actor, indicating that this campaign may have been carried out by a state-sponsored organization.”
The campaign includes at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks and paralyzed some internet services for days. ZuoRAT is typically installed by exploiting unpatched vulnerabilities in SOHO devices.
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to make the connected devices install other malware. Two of these pieces of malware, called CBeacon and GoBeacon, are custom-made: the former written for Windows in C++ and the latter written in Go and cross-compiled for Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.
ZuoRAT can pivot infections to connected devices using one of two methods:
- DNS hijacking, in which the valid IP address for a domain such as Google or Facebook is replaced with a malicious one operated by the attacker.
- HTTP hijacking, in which the malware inserts itself into the connection and returns an HTTP 302 redirect that sends the user to another IP address.
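The two pivot methods leave symptoms that a device on the LAN can check for itself. The following is an added example, not code from the original report or from Black Lotus Labs: it compares the answers the router's resolver gives with answers from resolvers reached over an independent path, flags HTTP redirects whose target is a bare IP address or a different domain, and cross-references the two. All names, addresses and observations are constructed sample data; the functions `dns_hijack_suspects`, `http_hijack_suspects` and `shared_addresses` are hypothetical helpers written for this illustration.

```python
"""Tripwires for the two pivot techniques described above: DNS hijacking
(the router's resolver hands out an address no independent resolver agrees with)
and HTTP hijacking (an HTTP response redirects the client to another host).
All sample data below is constructed for illustration."""
import ipaddress
from urllib.parse import urlparse

# Constructed: answers the LAN client received from the router's resolver.
LOCAL_DNS = {
    "www.example.com": {"203.0.113.10"},
    "login.example.net": {"198.51.100.7"},   # not what any reference resolver returns
    "cdn.example.org": {"203.0.113.22"},
}

# Constructed: answers from two resolvers reached over a path that does not
# pass through the suspect router (for example a VPN or an out-of-band link).
REFERENCE_DNS = {
    "www.example.com": [{"203.0.113.10"}, {"203.0.113.10", "203.0.113.11"}],
    "login.example.net": [{"203.0.113.40"}, {"203.0.113.40"}],
    "cdn.example.org": [{"203.0.113.22"}, {"203.0.113.22"}],
}

# Constructed: (requested URL, status code, Location header) as seen by the client.
HTTP_OBSERVATIONS = [
    ("http://www.example.com/", 200, None),
    ("http://www.example.com/login", 302, "https://www.example.com/login"),   # same host: benign upgrade
    ("http://update.example.org/check", 302, "http://198.51.100.7/check"),    # redirect to a bare IP
    ("http://cdn.example.org/lib.js", 302, "http://mirror.example.test/lib.js"),  # different domain
]


def dns_hijack_suspects(local, reference):
    """Names whose local answer contains an address that no reference resolver returned.
    Geo-aware CDNs can legitimately disagree, so treat hits as leads to check, not proof."""
    suspects = {}
    for name, local_ips in local.items():
        known = set().union(*reference.get(name, []))
        unexpected = local_ips - known
        if unexpected:
            suspects[name] = sorted(unexpected)
    return suspects


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    # Last two labels: crude, but enough for the sample (a real tool would use the public suffix list).
    return ".".join(host.split(".")[-2:])


def http_hijack_suspects(observations):
    """Redirects whose target is a bare IP address or a different registrable domain."""
    flagged = []
    for url, status, location in observations:
        if status not in (301, 302, 303, 307, 308) or not location:
            continue
        src = urlparse(url).hostname
        dst = urlparse(location).hostname
        if dst is None:
            continue  # relative redirect stays on the same host
        if _is_ip_literal(dst) or _registrable(dst) != _registrable(src):
            flagged.append((url, location))
    return flagged


def shared_addresses(dns_suspects, http_suspects):
    """Addresses that appear both as a rogue DNS answer and as a redirect target."""
    dns_ips = {ip for ips in dns_suspects.values() for ip in ips}
    redirect_hosts = {urlparse(loc).hostname for _, loc in http_suspects}
    return sorted(dns_ips & redirect_hosts)


if __name__ == "__main__":
    dns_hits = dns_hijack_suspects(LOCAL_DNS, REFERENCE_DNS)
    http_hits = http_hijack_suspects(HTTP_OBSERVATIONS)
    print("DNS suspects:", dns_hits)
    print("HTTP suspects:", http_hits)
    print("shared addresses:", shared_addresses(dns_hits, http_hits))
```

The DNS comparison only works if the reference answers really bypass the router, otherwise both sides are reading the same hijacked resolver; the HTTP check is deliberately narrow, since cross-domain redirects to named hosts are common and the interesting case in the campaign above is a redirect to a raw address that the DNS check also flags.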
Deliberately complex
Black Lotus Labs said the command-and-control infrastructure used in the campaign is deliberately complex in an attempt to hide what is happening. One set of infrastructure is used to control infected routers, and another is reserved for the connected devices if they later become infected.
The researchers observed routers at 23 IP addresses holding a persistent connection to a control server, which they believe performed an initial survey to determine whether the targets were of interest. A subset of these 23 routers later communicated with a Taiwan-based proxy server for three months. A further subset rotated to a Canada-based proxy server to obscure the attacker’s infrastructure.
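The pattern the researchers describe, a handful of routers each keeping a long-lived connection to the same external host, is something an operator with flow records can hunt for. The following is an added example and not code from the report: it takes NetFlow-style records, works out on how many distinct calendar days each (router, destination, port) pair had a connection open, and reports destinations that several routers stayed connected to for a week or more. The flow records, addresses and the helpers `days_covered` and `persistent_peers` are constructed for this illustration.

```python
"""Hunt for several routers keeping a long-lived connection to one external host.
Flow records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style records: (router_ip, dst_ip, dst_port, first_seen, last_seen)
FLOWS = [
    # three routers with long-lived sessions to one host on port 443
    ("192.0.2.1", "203.0.113.50", 443, datetime(2022, 1, 1, 3), datetime(2022, 1, 21, 3)),
    ("192.0.2.2", "203.0.113.50", 443, datetime(2022, 1, 2, 9), datetime(2022, 1, 9, 9)),
    ("192.0.2.2", "203.0.113.50", 443, datetime(2022, 1, 9, 9), datetime(2022, 1, 25, 9)),
    ("192.0.2.3", "203.0.113.50", 443, datetime(2022, 1, 5, 0), datetime(2022, 1, 30, 0)),
    # ordinary short-lived traffic
    ("192.0.2.1", "203.0.113.9", 443, datetime(2022, 1, 3, 12), datetime(2022, 1, 3, 12, 5)),
    ("192.0.2.4", "203.0.113.50", 443, datetime(2022, 1, 3, 12), datetime(2022, 1, 4, 12)),  # only two days
    ("192.0.2.4", "203.0.113.77", 53, datetime(2022, 1, 3, 12), datetime(2022, 1, 3, 12, 1)),
]


def days_covered(flows):
    """(src, dst, port) -> set of calendar days on which a connection was open.
    Counting days rather than summing durations makes re-established sessions
    (a dropped and immediately reopened connection) count as one continuous presence."""
    cover = defaultdict(set)
    for src, dst, port, first, last in flows:
        day = first.date()
        while day <= last.date():
            cover[(src, dst, port)].add(day)
            day += timedelta(days=1)
    return cover


def persistent_peers(flows, min_days=7, min_sources=2):
    """Destinations that at least min_sources routers stayed connected to on min_days or more days."""
    by_dst = defaultdict(set)
    for (src, dst, port), days in days_covered(flows).items():
        if len(days) >= min_days:
            by_dst[(dst, port)].add(src)
    return {peer: sorted(srcs) for peer, srcs in by_dst.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for (dst, port), routers in persistent_peers(FLOWS).items():
        print(f"{dst}:{port} held by {len(routers)} routers: {', '.join(routers)}")
```

Thresholds need tuning per environment: NTP, VPN concentrators and vendor update services also look like shared long-lived peers, so the useful output is a short list to compare against an allow-list of expected destinations, not an alert on its own.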