Black Lotus warns of unusually sophisticated ZuoRAT malware targeting routers
It was reported on Tuesday that an incredibly sophisticated hacking group spent nearly two years infecting various routers in North America and Europe with malware that takes full control of internet-connected devices running Windows, macOS and Linux.
Researchers at Black Lotus Labs, part of Lumen Technologies, said they have identified at least 80 targets infected with the stealthy malware, involving router models from brands including Cisco, Netgear, Asus, and DrayTek.
Figure 1 – Overview of ZuoRAT activities (source: Black Lotus Labs)
Security researchers point out that whoever is behind the ZuoRAT attack on routers may have a deep and sophisticated background.
As part of a broader hacking campaign, the remote access trojan has been active since at least the fourth quarter of 2020.
Because it involves custom malware written specifically for the MIPS architecture, this discovery is a security wake-up call for countless small office/home office (SOHO) router users.
Figure 2 – Default login page hosted on Command & Control server
Although such capabilities are rarely reported, the malware uses routers to hide its operators' intent, and it can not only enumerate all devices connected to an infected router, but also collect DNS queries and network traffic it sends and receives.
Man-in-the-middle attacks involving both DNS and HTTP hijacking are also fairly rare, further suggesting that a highly sophisticated threat actor is behind ZuoRAT.
Figure 3 – Illustration of Communication Springboard
Black Lotus identified at least four suspect pieces of malware during this campaign, and three of them appear to have been written from scratch.
The first is the MIPS-based ZuoRAT, which closely resembles Mirai, the IoT malware implicated in record-breaking distributed denial-of-service (DDoS) attacks; ZuoRAT is often deployed by exploiting unpatched vulnerabilities in SOHO devices.
Figure 4 – Global distribution of ZuoRAT malware
Once installed, ZuoRAT will enumerate devices connected to the infected router.
Threat actors can then use DNS/HTTP hijacking to direct networked devices to install other specially tailored malware — including CBeacon and GoBeacon.
The former is written in C++ and mainly targets the Windows platform. The latter is written in Go and is primarily aimed at Linux/macOS devices.
Figure 5 – The three-no-certificate included with the malware
ZuoRAT can also infect connected devices with the Cobalt Strike hacking toolkit, and the remote command-and-control infrastructure is deliberately complicated to conceal its true purpose.
Figure 6 – Screenshot of traffic generated by CBeacon in a lab environment
During this period, Black Lotus security researchers noticed that routers from 23 IP addresses established persistent connections with the C&C servers, which means that the attackers were performing preliminary reconnaissance to determine whether the targets were worth a deeper attack.
Figure 7 – Screenshot of network traffic from the Go proxy
Fortunately, like most router malware, ZuoRAT cannot survive a device reboot, because it consists of files stored in a temporary directory.
Additionally, the original ZuoRAT exploit can be removed simply by resetting the infected device.
Function calls for the eight pre-built functions included with CBeacon
Even so, we recommend that you check for firmware updates for devices that stay connected long-term.
Otherwise, once end devices are infected with the other malware, it is still difficult for their users to eliminate it completely.
Figure 8 – Comparison of C2.Heartbeat running on CBeacon / GoBeacon
For more details on this malware campaign, please also head over to Black Lotus Labs’ GitHub page.