A New, Remarkably Sophisticated Malware Is Attacking Routers


An unusually advanced hacker group has spent nearly two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS and Linux, researchers reported on June 28th.

So far, researchers at Lumen Technologies' Black Lotus Labs say they have identified at least 80 targets infected by the stealthy malware, including routers manufactured by Cisco, Netgear, Asus and DrayTek. Called ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

A high level of sophistication

The discovery of bespoke malware written for the MIPS architecture and compiled for small office and home office (SOHO) routers is significant, especially considering its range of capabilities. Its ability to enumerate all devices connected to an infected router and to collect the DNS lookups and network traffic they send and receive, without being detected, is the hallmark of a highly sophisticated threat actor.

“While compromising SOHO routers as an access vector for accessing an adjacent LAN is not a new technique, it has rarely been reported,” Black Lotus Labs researchers wrote. “Similarly, reports of man-in-the-middle-style attacks, such as DNS and HTTP hijacking, are even rarer and are a mark of a complex and targeted operation. The use of these two techniques congruently demonstrates a high level of sophistication on the part of a threat actor, indicating that this campaign was possibly conducted by a state-sponsored organization.”

The campaign includes at least four pieces of malware, three of which were written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai Internet of Things malware behind the record-breaking distributed denial-of-service attacks that paralyzed some Internet services for days. ZuoRAT is typically installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to get those connected devices to install additional malware. Two of these pieces of malware (called CBeacon and GoBeacon) are custom-made: the first is written for Windows in C++, and the second is written in Go so it can be cross-compiled for Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

ZuoRAT can pivot infections on connected devices using one of two methods:

  • DNS hijacking, in which the valid IP address for a domain such as Google or Facebook is replaced with a malicious one operated by the attacker.
  • HTTP hijacking, in which the malware inserts itself into the connection and returns a 302 redirect that sends the user to a different IP address.
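As an added illustration (not code from the article or from Black Lotus Labs), the following Python script turns the two pivot techniques just listed into defender-side checks over constructed sample observations: it compares the router resolver's DNS answers against a trusted resolver and flags plaintext HTTP 302 redirects that leave the requested domain or point at a bare IP address. All domains, addresses and URLs below are constructed placeholders.

```python
"""Spot the two ZuoRAT-style pivots (DNS hijacking, HTTP 302 hijacking) in captured data."""
import ipaddress
from urllib.parse import urlparse

# Constructed sample observations, not real campaign data.
# DNS record: (domain, answer from router resolver, answer from trusted resolver)
DNS_OBSERVATIONS = [
    ("www.example.com", "93.184.216.34", "93.184.216.34"),    # answers agree
    ("login.example.org", "203.0.113.7", "198.51.100.20"),    # router answer differs
]
# HTTP record: (requested URL, status code, Location header or None)
HTTP_OBSERVATIONS = [
    ("http://www.example.com/", 200, None),
    ("http://www.example.com/", 302, "http://203.0.113.7/update.exe"),  # redirect to bare IP
    ("http://shop.example.net/", 302, "https://shop.example.net/"),    # legitimate HTTPS upgrade
]

def dns_mismatches(observations):
    """Return domains whose router-supplied answer differs from the trusted resolver's."""
    return [dom for dom, router_ip, trusted_ip in observations if router_ip != trusted_ip]

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_redirects(observations):
    """Flag plaintext-HTTP 302 responses whose target is off-domain or an IP literal."""
    flagged = []
    for url, status, location in observations:
        req = urlparse(url)
        if req.scheme != "http" or status != 302 or not location:
            continue  # only plaintext HTTP can be tampered with in transit
        req_host = req.hostname or ""
        dst_host = urlparse(location).hostname or ""
        same_site = dst_host == req_host or dst_host.endswith("." + req_host)
        if _is_ip_literal(dst_host) or not same_site:
            flagged.append((url, location))
    return flagged

if __name__ == "__main__":
    print("DNS mismatches:", dns_mismatches(DNS_OBSERVATIONS))
    print("Suspicious redirects:", suspicious_redirects(HTTP_OBSERVATIONS))
```

In practice the router-resolver answers would come from the LAN's DHCP-assigned DNS server and the trusted answers from an independent resolver reached over an encrypted channel.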

Intentionally complex

Black Lotus Labs said the command-and-control infrastructure used in the campaign is intentionally complex in order to hide what is happening. One set of infrastructure is used to control infected routers, and a separate set is reserved for connected devices once they become infected.

The researchers observed routers at 23 IP addresses holding a persistent connection to a control server, which they believe was conducting an initial survey to determine whether the targets were of interest. A subset of these 23 routers later interacted with a Taiwan-based proxy for three months. Another subset of routers turned to a Canada-based proxy to obscure the attacker's infrastructure.

