An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday.
So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.
A high level of sophistication
The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.
“While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported,” Black Lotus Labs researchers wrote. “Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization.”
The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai Internet of Things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.
ZuoRAT can pivot infections to connected devices using one of two methods:
- DNS hijacking, which replaces the valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by the attacker.
- HTTP hijacking, in which the malware inserts itself into the connection to generate a 302 error that redirects the user to a different IP address.
Black Lotus Labs said the command and control infrastructure used in the campaign is intentionally complex in an attempt to conceal what’s happening. One set of infrastructure is used to control infected routers, and another is reserved for the connected devices if they’re later infected.
The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker’s infrastructure.
This graphic illustrates the steps listed involved.
The threat actors also disguised the landing page of a control server to look like this:
The researchers wrote:
Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.
The discovery of this ongoing campaign is the most important one affecting SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018. Routers are often overlooked, particularly in the work-from-home era. While organizations often have strict requirements for what devices are allowed to connect, few mandate patching or other safeguards for the devices’ routers.
Like most router malware, ZuoRAT can’t survive a reboot. Simply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory. To fully recover, however, infected devices should be factory reset. Unfortunately, in the event connected devices have been infected with the other malware, they can’t be disinfected so easily.