unusually advanced the hacker group spent almost two years infecting a wide range of routers in North America and Europe with malware which takes full control of connected devices running Windows, macOS and Linux, the researchers reported on June 28.
So far, researchers at Lumen Technologies’ Black Lotus Labs say they have identified at least 80 targets infected with hidden malware, including routers from Cisco, Netgear, Asus and DrayTek. The remote access Trojan, dubbed ZuoRAT, is part of a broader hacking campaign that has been around since at least the fourth quarter of 2020 and continues to operate.
The discovery of custom malware written for the MIPS architecture and compiled for small office and home office (SOHO) routers is significant, especially given its capabilities. Its ability to enumerate all devices connected to an infected router, collect the DNS queries and network traffic they send and receive, and remain undetected while doing so is the hallmark of a very sophisticated attacker.
“While compromising SOHO routers as an access vector to gain access to a nearby LAN is not a new technique, it has rarely been reported,” Black Lotus Labs researchers wrote. “Similarly, reports of man-in-the-middle attacks such as DNS and HTTP hijacking are even rarer and are a sign of a complex and targeted operation. The use of these two methods congruently demonstrated a high level of sophistication on the part of the threat actor, indicating that this campaign may have been run by a state-sponsored organization.”
The campaign includes at least four malicious programs, three of which the attacker wrote from scratch. The first is the MIPS-based ZuoRAT, which closely resembles the Mirai IoT malware that was used in record-breaking distributed denial-of-service attacks that crippled some internet services for several days. ZuoRAT is typically installed by exploiting unpatched vulnerabilities in SOHO devices.
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to push additional malware onto those connected devices. Two of these payloads, dubbed CBeacon and GoBeacon, are custom-built: the first is written in C++ for Windows, and the second is written in Go so it can be cross-compiled for Linux and macOS. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.
ZuoRAT can spread infection to connected devices in one of two ways:
- DNS hijacking, in which the valid IP addresses for a domain such as Google or Facebook are replaced with a malicious address controlled by the attacker.
- HTTP hijacking, in which the malware inserts itself into a connection and generates a 302 response that redirects the user to a different IP address.
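Both pivot methods above leave traces that can be checked from the LAN side. The following is an added example, not code from the Black Lotus Labs report: it flags domains whose A records seen through the router never appear in the answers of a trusted out-of-band resolver, and flags HTTP 302 responses whose Location header points at a bare IP address instead of a hostname. All addresses and responses are constructed sample data.

```python
"""Defender-side checks for the two ZuoRAT pivot techniques:
DNS hijacking (router resolver answers differ from a trusted resolver)
and HTTP hijacking (injected 302 redirect to a literal IP address).
Every input below is constructed sample data, not a real capture."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed: A records as returned by the (possibly compromised) SOHO router.
ROUTER_ANSWERS: Dict[str, Set[str]] = {
    "www.google.com": {"142.250.0.1"},       # constructed, agrees with trusted set
    "www.facebook.com": {"203.0.113.7"},     # constructed TEST-NET-3 address
}
# Constructed: A records from a trusted out-of-band resolver (e.g. DoH over a VPN).
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "www.google.com": {"142.250.0.1", "142.250.0.2"},
    "www.facebook.com": {"157.240.0.1"},
}


def dns_hijack_suspects(router: Dict[str, Set[str]],
                        trusted: Dict[str, Set[str]]) -> List[str]:
    """Return domains whose router-provided answers are disjoint from the
    trusted answers. CDN rotation makes single-answer comparison noisy, so
    a domain is flagged only when no router answer is in the trusted set."""
    return sorted(name for name, ips in router.items()
                  if trusted.get(name) and ips.isdisjoint(trusted[name]))


def redirect_to_bare_ip(raw_http_response: str) -> bool:
    """True if the response is a 302 whose Location host is an IPv4 literal.
    Legitimate sites almost always redirect to a hostname, so a redirect to
    a bare address is a strong hint of an injected redirect."""
    head = raw_http_response.split("\r\n\r\n", 1)[0]
    status_line = head.split("\r\n", 1)[0]
    if not re.match(r"HTTP/1\.[01] 302\b", status_line):
        return False
    m = re.search(r"^Location:\s*https?://([^/:\r\n]+)", head, re.I | re.M)
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group(1))
        return True
    except ValueError:
        return False


# Constructed sample of an injected redirect and of a benign one.
INJECTED = "HTTP/1.1 302 Found\r\nLocation: http://203.0.113.9/update.exe\r\nContent-Length: 0\r\n\r\n"
BENIGN = "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n\r\n"
```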
Black Lotus Labs stated that the command and control infrastructure used in the campaign is deliberately complicated in an attempt to hide what is happening. One infrastructure set is used to manage infected routers, while the other is reserved for connected devices should they become infected later.
The researchers observed routers from 23 IP addresses maintaining a persistent connection to a command and control server, which they believe was performing an initial survey to determine whether the targets were of interest. Some of these 23 routers later communicated with a Taiwanese proxy server for three months. Another group of routers switched to a proxy server in Canada to hide the attacker’s infrastructure.
The researchers wrote:
The visibility of Black Lotus Labs indicates that ZuoRAT and related activities are a targeted campaign against US and Western European organizations that mixes with typical Internet traffic through a convoluted multi-stage C2 infrastructure, likely associated with multiple phases of malware infection. It is hard to overestimate the extent to which the actors try to hide the C2 infrastructure. First, to avoid suspicion, they transmitted the original exploit from a dedicated virtual private server (VPS) hosting secure content. They then used the routers as C2 proxies, hiding in plain sight during communication between the routers to further avoid detection. And finally, they changed proxy routers periodically to avoid detection.
The discovery of this ongoing campaign is the most significant development affecting SOHO routers since VPNFilter, router malware created and deployed by the Russian government that was discovered in 2018. Routers are often overlooked, especially in the work-from-home era. While organizations often have strict requirements for which devices are allowed to connect, few require patching or other security measures for the routers those devices connect through.
Like most router malware, ZuoRAT does not survive reboots. A simple restart of the infected device will remove the original ZuoRAT exploit, which consists of files stored in the temporary directory. However, for full recovery, infected devices must be reset to factory settings. Unfortunately, if connected devices are infected with other malware, they cannot be cured so easily.
This story originally appeared on Ars Technica.
Credit: www.wired.com