Numerous routers are being attacked by brand-new, exceptionally sophisticated malware, according to researchers.
Researchers revealed on Tuesday that a highly skilled hacker organization has spent nearly two years infecting a variety of routers in North America and Europe with malware that gives the attackers full control over any connected Windows, macOS, or Linux device.
Black Lotus Labs researchers claim to have found at least 80 targets infected with the stealthy malware so far, including routers made by Cisco, Netgear, Asus, and DrayTek. The remote access Trojan, known as ZuoRAT, is a component of a larger hacking operation that has been ongoing since at least the fourth quarter of 2020.
The discovery of purpose-built malware, written for the MIPS architecture and compiled for small office and home office (SOHO) routers, is notable given the breadth of its capabilities: it lets a highly sophisticated threat actor enumerate every device connected to an infected router, collect DNS lookups from those devices, and capture the network traffic those devices send and receive, all while remaining undetected.
While using compromised SOHO routers as an access vector into an adjacent LAN is not a novel technique, Black Lotus Labs researchers noted that it has not been widely publicized. The use of these two techniques together showed a high level of sophistication on the part of the threat actor, indicating that this campaign was possibly carried out by a state-sponsored organization. Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation.
ZuoRAT has two ways of spreading malware to connected devices:
- DNS hijacking, where an attacker-controlled IP address replaces the legitimate IP address for a domain such as Google or Facebook.
- HTTP hijacking, whereby the malware inserts itself into the connection and returns an HTTP 302 redirect, which sends the user to a different IP address.
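Both techniques leave traces a defender can check for from inside the LAN. The following is an added example, not code from the original report or from Black Lotus Labs: it compares answers from the router's resolver against a trusted off-LAN resolver, and flags 302 responses whose Location points at a bare IP or an unrelated domain. All addresses and responses are constructed samples (RFC 5737 documentation ranges).

```python
# Defender-side heuristics for the two hijacking techniques described above:
# DNS answers that disagree with a trusted resolver, and HTTP redirects that
# send a request for a known site to a bare IP or a different registrable domain.
import ipaddress
from urllib.parse import urlparse

# Constructed sample data: RFC 5737 documentation addresses, not real resolutions.
REFERENCE_ANSWERS = {  # answers from a trusted resolver queried outside the LAN
    "www.google.com": {"192.0.2.10", "192.0.2.11"},
    "www.facebook.com": {"192.0.2.20"},
}
LAN_ANSWERS = {  # answers returned by the (possibly compromised) router's resolver
    "www.google.com": {"192.0.2.10"},        # subset of the reference set: fine
    "www.facebook.com": {"203.0.113.66"},    # constructed attacker-controlled address
}


def dns_mismatches(lan, reference):
    """Return {domain: unexpected_ips} for answers the trusted resolver never gave."""
    findings = {}
    for domain, ips in lan.items():
        unexpected = ips - reference.get(domain, set())
        if unexpected:
            findings[domain] = unexpected
    return findings


def registrable(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_redirect(request_host, status, location):
    """Flag a 3xx whose Location is an IP literal or a different registrable domain."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target = urlparse(location).hostname
    if target is None:  # relative redirect stays on the same origin
        return False
    try:
        ipaddress.ip_address(target)
        return True  # redirect straight to a bare IP address
    except ValueError:
        return registrable(target) != registrable(request_host)


# Constructed responses seen on the LAN: (request host, status, Location header)
SAMPLE_RESPONSES = [
    ("www.google.com", 302, "https://www.google.com/?gws_rd=ssl"),  # benign same-site
    ("www.google.com", 302, "http://203.0.113.66/login"),          # injected redirect
    ("www.facebook.com", 200, None),
]


def audit():
    """Run both checks over the constructed samples and return the findings."""
    dns = dns_mismatches(LAN_ANSWERS, REFERENCE_ANSWERS)
    http = [r for r in SAMPLE_RESPONSES if suspicious_redirect(*r)]
    return dns, http
```

Real deployments would feed `dns_mismatches` with live answers (for example from a DoH query versus the router's resolver) and accept legitimate CDN variation by whitelisting known address ranges rather than exact addresses.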
The Black Lotus Labs researchers say the campaign’s command and control architecture is purposefully complicated in an effort to hide what is going on. Infected routers are controlled by one set of infrastructure, while any further infection of connected devices uses a separate set. Researchers observed persistent connections from routers at 23 different IP addresses to a control server located in Taiwan. To conceal the attacker’s infrastructure, another group of routers switched to a proxy server in Canada.
The revelation of this ongoing campaign is the most significant SOHO router attack since VPNFilter, the Russian government’s router malware that was identified in 2018. In the age of remote work, routers are frequently disregarded. While many firms have rigorous guidelines for what devices can connect, few enforce router patching or other security measures.
Like the majority of router malware, ZuoRAT does not survive a reboot. The initial ZuoRAT exploit, which consists of files kept in a temporary location, can be eliminated simply by restarting a compromised device. However, infected devices need to be factory reset in order to recover properly. Unfortunately, connected devices that have been infected with the other malware can’t be easily disinfected.