Researchers reported on June 28 that an advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe and taking full control of connected devices.

Researchers from Black Lotus Labs say they have identified at least 80 targets compromised by the stealthy malware. ZuoRAT is part of a larger hacking campaign that has been active since at least the fourth quarter of 2020.

A high level of sophistication.

Given its range of capabilities, the discovery of custom-built malicious software written for the MIPS architecture is significant. The ability to enumerate all devices connected to an infected router and to collect the network traffic they send and receive is the hallmark of a highly sophisticated threat actor.

Black Lotus Labs researchers wrote that compromising SOHO routers to gain access to an adjacent LAN is not a novel technique. Reports of person-in-the-middle style attacks, however, are rare and are the mark of a complex and targeted operation. The use of these two techniques together demonstrated a high level of sophistication on the part of the threat actor.

There are at least four pieces of malware in the campaign, three of which were written from scratch. The first is ZuoRAT itself, which is similar to the Mirai internet-of-things malware that caused record-breaking distributed denial-of-service attacks. ZuoRAT is installed by exploiting unpatched vulnerabilities.

Once installed, ZuoRAT enumerates the connected devices. The threat actor can then cause those devices to install additional malware. Two of the remaining pieces are custom-made, one for Windows and the other for Linux and macOS, so ZuoRAT can be used to compromise the connected devices themselves.

ZuoRAT can pivot infections to connected devices using either of two methods:

  • DNS hijacking, which replaces the valid IP addresses for a domain such as Google or Facebook with a malicious one operated by the attacker.
  • HTTP hijacking, in which the malware inserts itself into the connection and generates a 302 response that redirects the user to a different IP address.
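As an added defender-side illustration (not code from the Black Lotus Labs report), the following Python check looks for the two pivot methods just listed: it compares DNS answers from the router-provided resolver against a trusted out-of-band resolver, and flags HTTP 3xx redirects that send a client to a different host than the one requested, noting when that host is a bare IP address. All domains, addresses and observations are constructed sample input using documentation ranges.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: answers from the LAN's router-provided resolver
# versus answers from a trusted out-of-band resolver. Addresses are from
# documentation/test ranges, not real infrastructure.
LOCAL_ANSWERS = {
    "example.com": {"192.0.2.5"},
    "login.example.net": {"203.0.113.77"},   # differs from reference
}
REFERENCE_ANSWERS = {
    "example.com": {"192.0.2.5"},
    "login.example.net": {"198.51.100.10", "198.51.100.11"},
}

# Constructed HTTP observations: (requested URL, status code, Location header)
HTTP_OBSERVATIONS = [
    ("http://example.com/", 200, None),
    ("http://example.com/old", 302, "http://example.com/new"),        # same host
    ("http://login.example.net/", 302, "http://203.0.113.77/login"),  # off-host, bare IP
]

def dns_mismatches(local, reference):
    """Return (domain, unexpected_ips) for domains whose router-resolved
    addresses include any address the reference resolver did not return.
    A mismatch is a lead to investigate (CDNs legitimately vary), not proof."""
    findings = []
    for domain, ips in local.items():
        unexpected = ips - reference.get(domain, set())
        if unexpected:
            findings.append((domain, sorted(unexpected)))
    return findings

def suspicious_redirects(observations):
    """Return (url, status, destination_host, is_bare_ip) for 3xx responses
    whose Location header points at a different host than was requested."""
    findings = []
    for url, status, location in observations:
        if not (300 <= status < 400) or not location:
            continue
        src_host = urlsplit(url).hostname
        dst_host = urlsplit(location).hostname or ""
        if dst_host == src_host:
            continue  # same-host redirects are normal web behaviour
        try:
            ipaddress.ip_address(dst_host)
            bare_ip = True
        except ValueError:
            bare_ip = False
        findings.append((url, status, dst_host, bare_ip))
    return findings
```

In practice the reference answers would come from a resolver reached over a path the router cannot tamper with (for example DoH from a device outside the LAN), and the HTTP observations from a proxy or packet capture.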

A complex infrastructure.

The command-and-control infrastructure used in the campaign is deliberately complex in order to hide what is happening. One set of infrastructure is used to control the routers, and a second is reserved for the connected devices if they are later infected.

The researchers observed a persistent connection to a control server that they believe was used to conduct an initial survey of the targets. Some of the 23 routers interacted with a Taiwan-based proxy server. A subset of the routers was used to obfuscate the attacker's infrastructure.