
Very advanced
The hacker group spent nearly two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS and Linux, researchers reported on June 28.
So far, researchers from Lumen Technologies' Black Lotus Labs say they have identified at least 80 targets infected with the stealthy malware, including routers made by Cisco, Netgear, Asus and DrayTek. The remote access Trojan, known as ZuoRAT, is part of a wider hacking campaign that has been operating since at least the fourth quarter of 2020 and is still active.
High level of complexity
The discovery of custom malware written for the MIPS architecture and compiled for small office and home office (SOHO) routers is significant, especially given its functional scope. It can enumerate every device connected to an infected router and collect the DNS lookups and network traffic those devices send and receive, all while remaining undetected, a hallmark of a highly sophisticated threat actor.
“While using SOHO routers as access vectors to access adjacent LANs is not a new technique, it is rarely reported,” the researchers at Black Lotus Labs wrote. “Similarly, reports of man-in-the-middle attacks (such as DNS and HTTP hijacking) are rarer and are a sign of a sophisticated and targeted operation. The use of both techniques together demonstrated a high level of sophistication on the part of the threat actor, suggesting that the campaign may have been carried out by a state-sponsored group.”
The campaign used at least four pieces of malware, three of which were written from scratch by the threat actors. The first is the MIPS-based ZuoRAT, which closely resembles the Mirai IoT malware behind the record-breaking distributed denial-of-service attacks that knocked some internet services offline for days. ZuoRAT is typically installed by exploiting unpatched vulnerabilities in SOHO devices.
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actors can then use DNS hijacking and HTTP hijacking to make those connected devices install additional malware. Two of the payloads, CBeacon and GoBeacon, are custom-built: the first is written in C++ for Windows, the second in Go so that it can be cross-compiled for Linux and macOS. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike post-exploitation tool, the one piece of the toolset that was not written by the attackers.
ZuoRAT can spread the infection to connected devices using one of two methods:
- DNS hijacking, in which the router replaces the valid IP address for a domain such as Google or Facebook in the DNS response with a malicious address operated by the attacker.
- HTTP hijacking, in which the malware inserts itself into an unencrypted connection and returns an HTTP 302 redirect response that sends the client to a different, attacker-controlled IP address.
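The two techniques in the list above can both be checked for from the LAN side. The following is an added example, not code from Black Lotus Labs or from the ZuoRAT analysis: it compares A-record answers obtained from the router's resolver against answers from a trusted out-of-band resolver, and inspects raw HTTP responses for redirects that leave the requested site. Every address, name and response below is constructed sample data, and the registrable-domain helper is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: A-record answers seen from the LAN (router) resolver
# and from a trusted out-of-band resolver (e.g. DNS over HTTPS), per name.
# 203.0.113.7 is a documentation-range address standing in for an attacker host.
LAN_ANSWERS = {
    "www.google.com":   {"203.0.113.7"},
    "www.facebook.com": {"203.0.113.7"},
    "example.org":      {"93.184.216.34"},
}
TRUSTED_ANSWERS = {
    "www.google.com":   {"142.250.74.36", "142.250.74.68"},
    "www.facebook.com": {"157.240.1.35"},
    "example.org":      {"93.184.216.34"},
}


def registrable(name):
    """Crude registrable-domain extraction (last two labels); a simplification
    that mishandles multi-label public suffixes such as co.uk."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def dns_hijack_suspects(lan, trusted):
    """Names whose LAN answers look substituted.

    Heuristic 1: the LAN answer set shares no address with the trusted answer
    set. CDN-backed names can trip this on their own, so it is corroborated by
    Heuristic 2: one address answered for names under different registrable
    domains, which CDN diversity rarely produces but a single attacker host does.
    """
    suspects = set()
    for name, lan_ips in lan.items():
        if name in trusted and not (lan_ips & trusted[name]):
            suspects.add(name)

    names_by_ip = defaultdict(set)
    for name, ips in lan.items():
        for ip in ips:
            names_by_ip[ip].add(name)
    for names in names_by_ip.values():
        if len({registrable(n) for n in names}) >= 2:
            suspects |= names
    return sorted(suspects)


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status_code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    _version, code, *_reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return int(code), headers


def http_hijack_suspect(requested_host, raw):
    """True if a plain-HTTP response redirects the client off the requested
    site. A redirect to a bare IP literal is the strongest signal; a redirect
    to another registrable domain is also flagged; same-site redirects are not.
    """
    code, headers = parse_response_head(raw)
    if code not in (301, 302, 303, 307, 308):
        return False
    target = urlsplit(headers.get("location", "")).hostname
    if not target:
        return False  # relative Location stays on the same origin
    if target.lower() == requested_host.lower():
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return registrable(target) != registrable(requested_host)


# Constructed raw response of the kind an on-path router could inject in reply
# to a plain http://www.example.org/ request.
INJECTED_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://203.0.113.7/update/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("DNS suspects:", dns_hijack_suspects(LAN_ANSWERS, TRUSTED_ANSWERS))
    print("HTTP hijack:", http_hijack_suspect("www.example.org", INJECTED_302))
```

In practice the trusted answers would come from a resolver the router cannot tamper with (DNS over HTTPS or DNS over TLS to a known provider), and the HTTP check only matters for plain HTTP, since a router cannot inject a 302 into a TLS session without a certificate the client trusts.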
Deliberately complicated
Black Lotus Labs said the command-and-control infrastructure used in the campaign was deliberately complicated to obscure what was going on. One set of infrastructure is used to control the infected routers; a separate set is reserved for the connected devices once they are infected in turn.
The researchers observed routers at 23 IP addresses holding persistent connections to a control server, which they believe was performing an initial survey to determine whether the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset rotated to a Canada-based proxy server to obscure the attackers' infrastructure.