An unusually advanced hacker group spent nearly two years infecting routers across North America and Europe with malware and used them to take control of Windows, macOS and Linux devices on the networks behind them, reports emerged on Tuesday.

2024/05/02 10:35:38 | technology

According to reports published on Tuesday, an extremely advanced hacker group spent nearly two years infecting routers in North America and Europe with malware and then used those footholds to take control of Windows, macOS and Linux devices connected to them. Researchers at Lumen Technologies' Black Lotus Labs said they have identified at least 80 targets infected by the stealthy malware, involving router models from Cisco, Netgear, ASUS and DrayTek.


Figure 1 - Overview of ZuoRAT activities (from: Black Lotus Labs)

Security researchers pointed out that the operator behind the ZuoRAT router attacks is likely a well-resourced actor. The remote access trojan has been active as part of a wider hacking campaign dating back to at least the fourth quarter of 2020.

The campaign uses custom malware written specifically for the MIPS architecture, a discovery that should alarm the countless users of small office and home office (SOHO) routers.


Figure 2 - Default login page hosted on a command and control server

Router-resident malware of this kind is rarely reported. Because it runs on the router itself, the malware can not only enumerate every device connected to the infected router, but also collect the DNS queries and network traffic those devices send and receive.

Router-level man-in-the-middle attacks that combine DNS and HTTP hijacking are also quite rare, a further sign of a highly sophisticated threat actor behind ZuoRAT.


Figure 3 - Infected routers used as a communication springboard (proxy)

Black Lotus uncovered at least four malware samples during this round of activity, three of which were clearly custom-built.

The first is the MIPS-based ZuoRAT itself, which is closely related to the Mirai IoT malware (Mirai is best known for record-breaking distributed denial-of-service attacks). ZuoRAT is typically deployed by exploiting known vulnerabilities in SOHO devices that have not been patched in a timely manner.


Figure 4 - Global distribution of ZuoRAT malware

After installation, ZuoRAT enumerates the devices connected to the infected router. The threat actors can then use DNS and HTTP hijacking to redirect those devices so that they install additional, specially tailored malware, including CBeacon and GoBeacon.
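As an added example (not code from the original article or from Black Lotus Labs), the following Python script shows how a defender on a suspect LAN can check for the DNS hijacking described above: it parses raw DNS answers (including compressed names), compares what the router-supplied resolver returned against an independent reference resolver, and flags names whose answers no longer overlap. The responses below are constructed in-line from RFC 5737 documentation addresses so the script runs offline; the domain and addresses are illustrative, not indicators from the campaign.

```python
from __future__ import annotations

import ipaddress
import struct


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid: int, qname: str, addrs: list[str], ttl: int = 300) -> bytes:
    """Build a minimal standard response: one question and one A record per address.
    Answer owner names are compression pointers back to the question name (offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    pointer = struct.pack("!H", 0xC000 | 12)                        # question name follows header
    answers = b""
    for addr in addrs:
        answers += pointer + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name at `off`; return (name, offset just past it in the stream)."""
    labels: list[str] = []
    end = off
    jumped = False
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                               # compression pointer
            target = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            off = target
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def parse_a_records(msg: bytes) -> dict[str, set[str]]:
    """Return {owner_name: {ipv4, ...}} for every IN A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):                                    # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                                # QTYPE + QCLASS
    answers: dict[str, set[str]] = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.setdefault(name, set()).add(str(ipaddress.IPv4Address(rdata)))
    return answers


def find_hijacked(reference: bytes, lan: bytes) -> dict[str, tuple[set[str], set[str]]]:
    """Names for which the LAN resolver's addresses share nothing with the reference resolver's."""
    ref = parse_a_records(reference)
    got = parse_a_records(lan)
    suspicious: dict[str, tuple[set[str], set[str]]] = {}
    for name, lan_addrs in got.items():
        ref_addrs = ref.get(name, set())
        if ref_addrs and not ref_addrs & lan_addrs:
            suspicious[name] = (ref_addrs, lan_addrs)
    return suspicious


# Constructed sample responses (RFC 5737 documentation ranges; not indicators from the campaign).
REFERENCE = build_response(0x1234, "update.example.com", ["192.0.2.10", "192.0.2.11"])
LAN_CLEAN = build_response(0x1234, "update.example.com", ["192.0.2.11"])
LAN_HIJACKED = build_response(0x1234, "update.example.com", ["198.51.100.7"])

if __name__ == "__main__":
    for label, pkt in (("clean", LAN_CLEAN), ("hijacked", LAN_HIJACKED)):
        print(label, find_hijacked(REFERENCE, pkt))
```

In practice the reference answer should come from a resolver reached independently of the router (for example DNS over HTTPS to a known public resolver from a device you trust), and a mismatch is a lead rather than proof: CDNs legitimately hand out different addresses per vantage point, so follow up by checking which network the returned address belongs to and whether HTTP requests to it are redirected to an unexpected host.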

The former is written in C++ and mainly targets Windows; the latter is written in Go and mainly targets Linux and macOS devices.


Figure 5 - The "three-no" certificate (a certificate lacking identifying fields)

Alongside the custom implants, the attackers also used the widely available Cobalt Strike framework on networked devices, and the remote command-and-control infrastructure was deliberately layered to conceal its true purpose.


Figure 6 - Screenshot of traffic generated by CBeacon in a lab environment

During the investigation, Black Lotus researchers observed persistent connections between routers and C2 servers from 23 IP addresses, suggesting the attackers were performing preliminary reconnaissance to decide whether a target was worth a deeper attack.
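Persistent connections of this kind are regular, long-lived C2 traffic that a defender can hunt for in flow logs. As an added example (not code from the article or from Black Lotus Labs), the Python below groups connections by source, destination and port and flags pairs whose inter-connection intervals are almost constant, the statistical signature of an implant heartbeat. The flow records are constructed in-line with documentation addresses and are not data from the campaign; the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from statistics import mean, pstdev


def find_beacons(flows, min_count=8, max_cv=0.15):
    """Group flows by (src, dst, dst_port) and flag pairs whose gaps between
    consecutive connections are nearly constant: coefficient of variation
    (stdev / mean) at or below max_cv.
    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_count:              # too few samples to call it periodic
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(times),
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return hits


def constructed_flows():
    """Constructed flow records for the demo (RFC 5737 addresses; not real campaign data)."""
    flows = []
    # An implant heartbeat: roughly every 60 s with a few seconds of jitter.
    t = 1_700_000_000
    for jitter in (0, 1, -1, 2, 0, -2, 1, 0, -1, 1, 2, 0):
        t += 60 + jitter
        flows.append((t, "192.168.1.20", "203.0.113.5", 443))
    # Ordinary browsing: eight connections to one site, but at irregular gaps.
    t = 1_700_000_000
    for gap, dst in ((5, "198.51.100.1"), (300, "198.51.100.2"), (7, "198.51.100.1"),
                     (1800, "198.51.100.3"), (40, "198.51.100.1"), (900, "198.51.100.1"),
                     (3, "198.51.100.1"), (2500, "198.51.100.1"), (60, "198.51.100.1"),
                     (11, "198.51.100.1")):
        t += gap
        flows.append((t, "192.168.1.21", dst, 443))
    return flows


if __name__ == "__main__":
    for hit in find_beacons(constructed_flows()):
        print(hit)
```

Legitimate software (NTP clients, update checkers, cloud agents) also beacons, so treat hits as triage candidates to check against an allowlist rather than as verdicts. Since in this campaign the infected router itself relays traffic, run the check on the router's WAN-side flows as well as on the LAN hosts behind it.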


Figure 7 - Go proxy network traffic screenshot

Fortunately, like most router malware, ZuoRAT does not persist across device reboots, since it consists of files stored in a temporary directory. The ZuoRAT implant itself can therefore be removed simply by resetting the infected device.


CBeacon contains eight pre-built functions called

Even so, owners of long-running network devices should still check for firmware updates: a reset clears ZuoRAT, but an unpatched router remains exposed to the same exploitation, and malware already pushed to the endpoints behind it is much harder for end users to eliminate completely.


Figure 8 - Comparison of the C2 heartbeat as implemented in CBeacon and GoBeacon

For more details about this malware campaign, see the Black Lotus Labs GitHub repository.
