A New, Remarkably Sophisticated Malware Is Attacking Routers


An unusually advanced hacking group spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

To date, researchers from Lumen Technologies’ Black Lotus Labs say they have identified at least 80 targets infected with the stealthy malware, including routers from Cisco, Netgear, Asus and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a larger hacking campaign that has been active since at least Q4 2020 and is still ongoing.

High level of sophistication

The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office (SOHO) routers is significant, especially given the scope of its capabilities. Its ability to enumerate all devices connected to an infected router, collect the DNS lookups and network traffic they send and receive, and remain undetected throughout is indicative of a very sophisticated threat actor.

“Although compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a new technique, it is rarely reported,” Black Lotus Labs researchers wrote. “Similarly, reports of man-in-the-middle attacks, such as DNS and HTTP hijacking, are even rarer and indicative of a complex and targeted activity. The use of these two techniques simultaneously demonstrates a high degree of sophistication by a single threat actor, suggesting that this operation could have been carried out by a state-sponsored organization.”

The campaign included at least four pieces of malware, three of which were written from scratch by the threat actor. The first is the MIPS-based ZuoRAT, which resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks and crippled some Internet services for days. ZuoRAT is typically installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause connected devices to install other malware. Two of those pieces of malware, named CBeacon and GoBeacon, were custom-made: the first was written for Windows in C++, and the second was written in Go so that it could be cross-compiled for Linux and macOS devices. For additional flexibility, ZuoRAT can also infect connected devices using the widely used Cobalt Strike hacking tool.

ZuoRAT can route the infection to connected devices by one of two methods:

  • DNS hijacking, replacing the valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by the attacker.
  • HTTP hijacking, in which the malware inserts itself into the connection to generate a 302 redirect that sends the user to a different IP address.
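Both techniques leave traces that a defender on the LAN side can look for: a router-supplied DNS answer that disagrees with an independent resolver, or a 302 response whose Location header points at a host (or a bare IP address) the client never asked for. The following is an added example of those two checks, not code from the Black Lotus Labs report; the resolver answers, the proxy log format and all addresses in it are constructed for illustration.

```python
"""Detection heuristics for the two traffic-redirection techniques described
above: DNS hijacking (router resolver answers that share nothing with a trusted
reference) and HTTP hijacking (302 redirects to a host the client did not
request). Added example; all input data is constructed, not from the report."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed: A records as returned by the LAN router (the resolver handed out
# by DHCP) and by an independent reference resolver reached outside the
# router's path, for example over DNS-over-HTTPS.
ROUTER_ANSWERS = {
    "www.google.com": {"142.250.80.36"},
    "www.facebook.com": {"203.0.113.77"},   # constructed: differs from reference
    "example.org": {"93.184.216.34"},
}
REFERENCE_ANSWERS = {
    "www.google.com": {"142.250.80.36", "142.250.80.68"},  # CDN round-robin
    "www.facebook.com": {"157.240.241.35"},
    "example.org": {"93.184.216.34"},
}


def find_dns_divergence(router, reference):
    """Return domains whose router-supplied answers share no address with the
    reference answers. CDNs rotate addresses, so a single differing record is
    only a hit when *none* of the router's addresses appear in the reference."""
    suspicious = []
    for domain, addrs in router.items():
        ref = reference.get(domain)
        if ref is None:
            continue  # nothing to compare against
        if addrs.isdisjoint(ref):
            suspicious.append(domain)
    return sorted(suspicious)


# Constructed egress/proxy log lines in a simple space-separated form:
# <client> <method> <requested_url> <status> <Location header or ->
PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/ 200 -
10.0.0.12 GET http://www.example.com/login 302 https://www.example.com/login
10.0.0.15 GET http://www.facebook.com/ 302 http://203.0.113.77/update.exe
10.0.0.15 GET http://portal.corp.local/ 302 http://portal.corp.local/home
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_http_redirect_hijacks(log_text):
    """Flag 302 responses whose Location leads to a different host than the one
    requested, or to a bare IP literal. Same-host redirects (HTTP to HTTPS
    upgrades, /login to /home) are normal browsing and are not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, status, location = m.groups()
        if status != "302" or location == "-":
            continue
        requested_host = urlparse(url).hostname
        target_host = urlparse(location).hostname
        if target_host is None:
            continue  # relative Location header: stays on the same host
        if target_host != requested_host or is_ip_literal(target_host):
            hits.append((client, requested_host, location))
    return hits


if __name__ == "__main__":
    print("DNS divergence:", find_dns_divergence(ROUTER_ANSWERS, REFERENCE_ANSWERS))
    for hit in find_http_redirect_hijacks(PROXY_LOG):
        print("Suspicious redirect:", hit)
```

In practice the reference answers would come from a resolver that the router cannot tamper with, and the proxy log from an egress point that sees every client's HTTP traffic; the value of the check is the comparison, which is why a single differing CDN address is deliberately not treated as a hit.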

Intentionally complicated

Black Lotus Labs said the command-and-control infrastructure used in the operation was intentionally complex in order to conceal what was happening. One set of infrastructure is used to control infected routers, and another set is reserved for the connected devices if they are subsequently infected.

The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was conducting an initial survey to determine whether the targets were of interest. A subset of those 23 routers then interacted with a Taiwanese proxy server for three months. Another subset of routers was rotated to a proxy server based in Canada to obfuscate the attacker’s infrastructure.


