This is sophisticated malware, and extraordinarily well developed. The hacking group spent nearly two years compromising a wide range of routers in North America and Europe with malware that takes complete control of connected devices running Windows, macOS and Linux, researchers reported on June 28.
So far, researchers at Lumen Technologies’ Black Lotus Labs have identified at least 80 targets infected with the stealthy malware, including routers made by Cisco, Netgear, Asus and DrayTek. Dubbed ZuoRAT, the remote access trojan is part of a wider hacking campaign that has been operating since at least the fourth quarter of 2020 and continues today.
High level sophisticated malware is attacking routers
The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office (SOHO) routers is significant, especially given the range of its capabilities. Most notable, and characteristic of a highly sophisticated threat actor, is its ability to enumerate all devices connected to an infected router, collect the DNS lookups and network traffic they send and receive, and remain undetected while doing so.
“Compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a new technique, but it is rarely reported,” Black Lotus Labs researchers wrote. “Similarly, reports of man-in-the-middle attacks such as DNS and HTTP hijacking are rare and are indicative of complex and targeted operations. A high level of sophistication has been demonstrated by the use of these two technologies. The threat actor suggests that this campaign was probably carried out by a state-sponsored organization.”
The campaign contained at least four pieces of malware, three of which were written from scratch by the threat actor. The first component is the MIPS-based ZuoRAT, which closely resembles Mirai, the Internet-of-Things malware behind record-breaking distributed denial-of-service attacks that knocked some internet services offline for days. ZuoRAT is typically installed on SOHO devices by exploiting unpatched vulnerabilities.
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to force those connected devices to install further malware. Two of those pieces of malware are custom-built: the first is written in C++ for Windows, and the second is written in Go and cross-compiled for Linux and macOS devices. The fourth component is not custom at all: ZuoRAT also infects connected devices with the widely used Cobalt Strike hacking tool.
ZuoRAT can pivot infections to connected devices using one of two methods:
- DNS hijacking, which replaces valid IP addresses belonging to a domain such as Google or Facebook with a malicious one operated by an attacker.
- HTTP hijacking, in which the malware inserts itself into a connection and injects an HTTP 302 redirect that sends the user to a different IP address.
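Both pivot methods leave traces that a defender on the LAN side can look for: DNS answers that disagree with a trusted out-of-band resolver, and 302 redirects whose target is a bare IP address or a completely different domain from the one the client asked for. The following script is an added example written for this article, not code from Black Lotus Labs or from the ZuoRAT campaign itself. All DNS answers, HTTP log lines, and the "trusted" baseline are constructed sample data, the log format is an invented proxy-style format, and the "base domain" comparison is a deliberately simplified last-two-labels check rather than a public-suffix-list lookup.

```python
"""Flag DNS answers and HTTP redirects that look like on-path hijacking.

Added example: constructed sample data, hypothetical log format.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed baseline: A records a trusted, out-of-band resolver returned.
# These are documentation/example addresses, not real service IPs.
TRUSTED_ANSWERS = {
    "example.com": {"93.184.216.34"},
    "login.example.net": {"203.0.113.10", "203.0.113.11"},
}

# Constructed sample of what the router's resolver handed to a LAN host.
OBSERVED_DNS = [
    ("example.com", "93.184.216.34"),
    ("login.example.net", "198.51.100.77"),   # not in the trusted set
    ("login.example.net", "203.0.113.10"),
]

# Constructed proxy-style log lines (hypothetical format):
# <client> <method> <url> <status> <Location header or "-">
HTTP_LOG = [
    "10.0.0.5 GET http://example.com/ 200 -",
    "10.0.0.5 GET http://login.example.net/ 302 http://198.51.100.77/login",
    "10.0.0.9 GET http://shop.example.org/old 302 http://shop.example.org/new",
    "10.0.0.9 GET http://shop.example.org/ 302 https://cdn.example.org/",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def dns_mismatches(observed, trusted):
    """Return (domain, ip) pairs where the router's answer is not one the
    trusted resolver returned. Domains with no baseline are skipped."""
    return [(d, ip) for d, ip in observed if d in trusted and ip not in trusted[d]]


def _is_literal_ip(host):
    """True if host is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _base_domain(host):
    """Simplified registrable-domain check: last two DNS labels only."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_redirects(lines):
    """Return (client, requested_host, location, reason) for every 3xx
    response whose Location points at an IP literal or a foreign domain."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # ignore lines in another format
        client, _method, url, status, location = m.groups()
        if not status.startswith("3") or location == "-":
            continue                        # only redirects with a target
        requested = urlsplit(url).hostname or ""
        target = urlsplit(location).hostname or ""
        if _is_literal_ip(target):
            findings.append((client, requested, location, "ip-literal"))
        elif _base_domain(target) != _base_domain(requested):
            findings.append((client, requested, location, "cross-domain"))
    return findings


if __name__ == "__main__":
    for domain, ip in dns_mismatches(OBSERVED_DNS, TRUSTED_ANSWERS):
        print(f"DNS mismatch: {domain} -> {ip}")
    for finding in suspicious_redirects(HTTP_LOG):
        print("Suspicious redirect:", finding)
```

Run against the constructed data, the script reports the poisoned `login.example.net` answer and the 302 that bounces the same host to a raw IP; the in-domain redirects on `example.org` are left alone. The useful property here is that the DNS baseline comes from a resolver the router does not sit in front of (for example, DNS over HTTPS to a known provider), so a hijacked upstream cannot poison both sides of the comparison.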
Black Lotus Labs claims that the command-and-control infrastructure used in the campaign was deliberately complex in an attempt to hide what was going on. One set of infrastructure is used to control infected routers and the other is reserved for connected devices.
The researchers observed routers maintaining a continuous connection to the control server from 23 IP addresses, which they believe were conducting a preliminary survey to determine whether the targets were of interest. A subset of those 23 routers interacted with a Taiwan-based proxy server for three months. Another subset of routers was routed through a Canada-based proxy server to obscure the attacker’s infrastructure.