An unusually advanced hacker group spent nearly two years infecting a wide range of routers in North America and Europe with malware that takes complete control of connected devices running Windows, macOS and Linux, researchers reported on June 28.
So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected with stealthy malware, including routers from Cisco, Netgear, Asus and DrayTek. Dubbed ZuoRAT, the remote access trojan is part of a wider hacking campaign that has been around since at least the fourth quarter of 2020 and continues to operate.
High level of sophistication
The discovery of specially crafted malware written for the MIPS architecture and compiled for small office and home office routers is significant, especially given its range of capabilities. Its ability to enumerate all devices connected to an infected router, collect the DNS lookups and network traffic they send and receive, and remain undetected is the hallmark of a highly sophisticated threat actor.
“Although compromising a SOHO router as an access vector to gain access to an adjacent LAN is not a new technique, it has rarely been reported,” Black Lotus Labs researchers wrote. “Similarly, reports of man-in-the-middle attacks, such as DNS and HTTP hijacking, are even rarer and are a sign of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by threat actors, indicating that this campaign was likely run by a state-sponsored organization.”
The campaign consists of at least four pieces of malware, three of which were originally written by the threat actor. The first part is the MIPS-based ZuoRAT, which closely resembles the Mirai Internet-of-Things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT is often installed by exploiting unpatched vulnerabilities on SOHO devices.
Once installed, ZuoRAT enumerates the devices connected to the infected router. A threat actor can then use DNS hijacking and HTTP hijacking to cause connected devices to install other malware. Two of those malicious programs – called CBeacon and GoBeacon – are custom-built, with the former written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.
ZuoRAT can transfer infections to connected devices using one of two methods:
- DNS hijacking, which replaces valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by an attacker.
- HTTP hijacking, where malware is injected into the connection to generate an HTTP 302 redirect that sends the user to a different IP address.
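One way a network defender can look for the two pivoting methods described above in their own DNS and proxy logs, as an added example that is not code from the report or from Black Lotus Labs. The domains, address ranges and log records are constructed placeholders; the allowlist of expected answer ranges is something each organisation has to build from its own baseline.

```python
"""Flag possible DNS hijacking and HTTP 302 hijacking in constructed logs.

DNS check: a domain with a known baseline is answered with an IP outside
the expected ranges for that name.
HTTP check: a request to a site gets a 302 whose Location points at a bare
IP address or at a different site altogether.
"""
import ipaddress
from urllib.parse import urlparse

# Assumed per-domain baseline of expected answer ranges (placeholder values).
EXPECTED_RANGES = {
    "www.example.com": [ipaddress.ip_network("203.0.113.0/24")],
    "mail.example.org": [ipaddress.ip_network("198.51.100.0/24")],
}

def dns_hijack_alerts(dns_lines):
    """dns_lines: 'client domain answer_ip' records. Returns suspicious ones."""
    alerts = []
    for line in dns_lines:
        client, domain, answer = line.split()
        ranges = EXPECTED_RANGES.get(domain)
        if ranges is None:
            continue  # no baseline for this name, so nothing to compare against
        if not any(ipaddress.ip_address(answer) in net for net in ranges):
            alerts.append((client, domain, answer))
    return alerts

def http_hijack_alerts(http_lines):
    """http_lines: 'client host status location' records ('-' if no Location)."""
    alerts = []
    for line in http_lines:
        client, host, status, location = line.split()
        if status != "302":
            continue
        target = urlparse(location).hostname or ""
        try:
            ipaddress.ip_address(target)
            bare_ip = True  # redirect straight to an IP address
        except ValueError:
            bare_ip = False
        # Crude same-site test: compare the last two DNS labels only.
        same_site = target.split(".")[-2:] == host.split(".")[-2:]
        if bare_ip or not same_site:
            alerts.append((client, host, location))
    return alerts

# Constructed sample records: one hijacked DNS answer, two suspicious 302s.
DNS_SAMPLE = ["10.0.0.5 www.example.com 203.0.113.10",
              "10.0.0.6 www.example.com 192.0.2.44",
              "10.0.0.7 other.test 192.0.2.1"]
HTTP_SAMPLE = ["10.0.0.5 www.example.com 200 -",
               "10.0.0.6 www.example.com 302 http://192.0.2.44/update.exe",
               "10.0.0.7 www.example.com 302 https://example.com/login",
               "10.0.0.8 www.example.com 302 http://evil.test/x"]
```

The same-site test is deliberately simple and will misjudge multi-label public suffixes; a production rule would use a public suffix list and the organisation's own redirect baseline.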
Black Lotus Labs said the command and control infrastructure used in the campaign was deliberately complex in an attempt to conceal what was going on. One set of infrastructure is used to control infected routers, and the other is reserved for connected devices if they later become infected.
The researchers examined 23 router IP addresses that held a persistent connection to a control server, which they believed was carrying out initial reconnaissance to determine whether the routers were targets of interest. Three months later, a subset of those 23 routers were interacting with a proxy server in Taiwan. A further subset of routers rotated to a proxy server based in Canada to obfuscate the attacker’s infrastructure.