An unusually sophisticated hacking group has spent nearly two years infecting a wide variety of routers in North America and Europe with malware that takes complete control of connected devices running Windows, macOS and Linux, researchers reported Tuesday.
So far, researchers at Lumen Technologies’ Black Lotus Labs say they have identified at least 80 targets infected by the stealthy malware, which infects routers made by Cisco, Netgear, Asus and DrayTek. The remote access trojan, called ZuoRAT, is part of a broader hacking campaign that has been active since Q4 2020 and is still ongoing.
A high level of sophistication
The discovery of custom malware written for the MIPS architecture and tailored to small office/home office (SOHO) routers is significant, especially given its range of capabilities. The ability to enumerate all devices connected to an infected router and to collect the DNS lookups and network traffic they send and receive, all while going undetected, is the hallmark of a highly sophisticated threat actor.
“While compromising SOHO routers as an access vector to access an adjacent LAN is not a new technique, it has been rarely reported,” Black Lotus Labs researchers wrote. “Likewise, reports of person-in-the-middle attacks, such as DNS and HTTP hijacks, are even rarer and a sign of a complex and targeted operation. Using these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign may have been conducted by a state-sponsored organization.”
The campaign consists of at least four pieces of malware, three of which were written from scratch by the threat actor. The first component is the MIPS-based ZuoRAT, which is very similar to the Mirai Internet of Things malware that staged record-breaking distributed denial-of-service attacks that paralyzed some Internet services for days. ZuoRAT is often installed by exploiting unpatched vulnerabilities in SOHO devices.
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to make those connected devices install additional malware. Two of those components, called CBeacon and GoBeacon, are custom-built: the former is written for Windows in C++, the latter in Go so that it can be cross-compiled for Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike post-exploitation framework.
ZuoRAT can pivot to connected devices in two ways:
- DNS hijacking, in which the legitimate IP addresses returned for a domain such as google.com or facebook.com are replaced with an address controlled by the attacker.
- HTTP hijacking, in which the malware inserts itself into the connection and answers with an HTTP 302 redirect (a redirect response, not an error) that sends the user to a different, attacker-controlled IP address.
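What looking for those two pivots in your own logs can look like, as an added example that is not code from the Black Lotus Labs report or from the campaign itself: the DNS and HTTP log lines, the per-domain prefix allowlist and the log layouts below are constructed for illustration and are assumptions (in practice, derive the expected answers from a trusted DoH/DoT resolver and adapt the parsers to your Zeek, Suricata or syslog format). The script flags DNS answers that fall outside the expected prefixes for a known domain and 302 redirects that leave the host the client asked for, while ignoring the ordinary same-host redirects that would otherwise drown the signal.

```python
"""Flag the two pivot techniques described above in sample traffic logs.

Added example; not code from the Black Lotus Labs report or from ZuoRAT.
The log lines, the domain-to-prefix allowlist and the record layouts are
constructed for illustration (assumption: your DNS and HTTP logs can be
reduced to these fields).
"""
import ipaddress
from typing import Dict, Iterator, List, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: prefixes an answer for each domain may legitimately fall in.
# Build this from a trusted resolver rather than hard-coding it in production.
EXPECTED_PREFIXES: Dict[str, List[str]] = {
    "www.google.com": ["142.250.0.0/15", "172.217.0.0/16"],
    "www.facebook.com": ["157.240.0.0/16", "31.13.0.0/16"],
}

# Constructed DNS log lines: "<client> <qname> <answer>" (space separated).
# 203.0.113.0/24 is a documentation range standing in for an attacker address.
DNS_LOG = """\
192.168.1.20 www.google.com 142.250.74.36
192.168.1.20 www.facebook.com 157.240.22.35
192.168.1.31 www.google.com 203.0.113.10
192.168.1.31 example.org 93.184.216.34
"""

# Constructed HTTP log lines: "<client> <requested-url> <status> <location-or-->".
HTTP_LOG = """\
192.168.1.20 http://www.google.com/ 200 -
192.168.1.31 http://www.google.com/ 302 http://203.0.113.10/update.exe
192.168.1.31 http://example.org/ 302 https://example.org/
192.168.1.40 http://www.facebook.com/ 302 http://www.facebook.com/login
"""


def parse_lines(log: str) -> Iterator[List[str]]:
    """Yield the whitespace-separated fields of each non-empty, non-comment line."""
    for line in log.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def find_dns_hijacks(log: str, expected: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, answer) for answers outside the expected prefixes.

    Domains without a baseline are skipped: no baseline is not evidence of tampering.
    """
    hits = []
    for client, qname, answer in parse_lines(log):
        prefixes = expected.get(qname.lower())
        if prefixes is None:
            continue
        addr = ipaddress.ip_address(answer)
        if not any(addr in ipaddress.ip_network(p) for p in prefixes):
            hits.append((client, qname, answer))
    return hits


def is_cross_host_redirect(requested_url: str, location: str) -> bool:
    """True when a redirect sends the client to a host other than the one it requested.

    Same-host redirects (http->https, / -> /login) and relative Location values are
    normal and ignored; a redirect to a bare IP address counts as a different host.
    """
    if location == "-":
        return False
    req_host = (urlsplit(requested_url).hostname or "").lower()
    loc_host = (urlsplit(location).hostname or "").lower()
    if not loc_host:
        return False  # relative Location header stays on the same host
    return loc_host != req_host


def find_http_hijacks(log: str) -> List[Tuple[str, str, str]]:
    """Return (client, requested_url, location) for 302s that leave the requested host."""
    hits = []
    for client, url, status, location in parse_lines(log):
        if status == "302" and is_cross_host_redirect(url, location):
            hits.append((client, url, location))
    return hits


if __name__ == "__main__":
    for hit in find_dns_hijacks(DNS_LOG, EXPECTED_PREFIXES):
        print("possible DNS hijack:", hit)
    for hit in find_http_hijacks(HTTP_LOG):
        print("possible HTTP hijack:", hit)
```

On the constructed input, only client 192.168.1.31 is flagged, once for each technique. The prefix allowlist is deliberately per-domain and the redirect check deliberately per-host: alerting on every answer that changed, or on every 302, produces too much noise on a real LAN to be useful, whereas an answer outside a CDN's known ranges or a redirect from a well-known site to a bare IP is exactly the shape of the hijacks described in the report.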
Intentionally complex
Black Lotus Labs said the command and control infrastructure used in the campaign is deliberately complex in an attempt to hide what is happening. One set of infrastructure is used to control infected routers and another is reserved for the connected devices if they are infected later.
The researchers observed routers at 23 IP addresses holding a persistent connection to a control server that, they said, conducted an initial survey to determine whether the targets were of interest. A subset of those 23 routers later communicated with a Taiwan-based proxy server for three months. Another subset was later rotated to a Canada-based proxy server to obscure the attacker’s infrastructure.
[Image omitted: a diagram of the steps listed above.]
The threat actors also disguised the landing page of a control server. [Image omitted: the disguised landing page.]
The researchers wrote:
Black Lotus Labs visibility indicates that ZuoRAT and its correlated activity represent a highly targeted campaign against US and Western European organizations that coexists with typical Internet traffic through an obfuscated, multi-stage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors are making an effort to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they surrendered the first exploit of a special virtual private server (VPS) that hosted benign content. They then used routers as proxy C2s that were hidden in plain sight by router-to-router communications to further avoid detection. And finally, they rotated the proxy routers periodically to avoid detection.
The discovery of this ongoing campaign is the most significant to affect SOHO routers since VPNFilter, the router malware created and deployed by the Russian government and discovered in 2018. Routers are often overlooked, especially in the age of working from home. While organizations often have strict requirements for which devices may connect to their networks, there are few mandatory patching requirements or other safeguards for the routers those devices sit behind.
Like most router malware, ZuoRAT cannot survive a reboot. Restarting an infected device removes the initial ZuoRAT exploit, which consists of files stored in a temporary folder. To fully recover, however, an infected router must be factory reset. Unfortunately, if the connected devices have already been infected with the other malware, they cannot be disinfected as easily; a reboot or reset of the router does nothing for them.